diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile new file mode 100644 index 000000000..202ccbac7 --- /dev/null +++ b/.devcontainer/Dockerfile 
@@ -0,0 +1,121 @@ +#------------------------------------------------------------------------------------------------------------- +# Copyright (c) Microsoft Corporation. All rights reserved. +# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information. +#------------------------------------------------------------------------------------------------------------- + +FROM golang:1.15 + +# Avoid warnings by switching to noninteractive +ENV DEBIAN_FRONTEND=noninteractive + +# This Dockerfile adds a non-root user with sudo access. Use the "remoteUser" +# property in devcontainer.json to use it. On Linux, the container user's GID/UIDs +# will be updated to match your local UID/GID (when using the dockerFile property). +# See https://aka.ms/vscode-remote/containers/non-root-user for details. +ARG USERNAME=vscode +ARG USER_UID=1000 +ARG USER_GID=$USER_UID + +# Configure apt, install packages and tools +RUN apt-get update \ + && apt-get -y install --no-install-recommends apt-utils dialog unzip bash-completion vim 2>&1 \ + # + # Verify git, process tools, lsb-release (common in install instructions for CLIs) installed + && apt-get -y install git openssh-client less iproute2 procps lsb-release \ + # + # Build Go tools w/module support + && mkdir -p /tmp/gotools \ + && cd /tmp/gotools \ + && GOPATH=/tmp/gotools GO111MODULE=on go get -v golang.org/x/tools/gopls@latest 2>&1 \ + && GOPATH=/tmp/gotools GO111MODULE=on go get -v \ + honnef.co/go/tools/...@latest \ + golang.org/x/tools/cmd/gorename@latest \ + golang.org/x/tools/cmd/goimports@latest \ + golang.org/x/tools/cmd/guru@latest \ + golang.org/x/lint/golint@latest \ + github.com/mdempsky/gocode@latest \ + github.com/cweill/gotests/...@latest \ + github.com/haya14busa/goplay/cmd/goplay@latest \ + github.com/sqs/goreturns@latest \ + github.com/josharian/impl@latest \ + github.com/davidrjenni/reftools/cmd/fillstruct@latest \ + github.com/uudashr/gopkgs/v2/cmd/gopkgs@latest \ + 
github.com/ramya-rao-a/go-outline@latest \ + github.com/acroca/go-symbols@latest \ + github.com/godoctor/godoctor@latest \ + github.com/rogpeppe/godef@latest \ + github.com/zmb3/gogetdoc@latest \ + github.com/fatih/gomodifytags@latest \ + github.com/mgechev/revive@latest \ + github.com/go-delve/delve/cmd/dlv@latest 2>&1 \ + # + # Build Go tools w/o module support + && GOPATH=/tmp/gotools go get -v github.com/alecthomas/gometalinter 2>&1 \ + # + # Build gocode-gomod + && GOPATH=/tmp/gotools go get -x -d github.com/stamblerre/gocode 2>&1 \ + && GOPATH=/tmp/gotools go build -o gocode-gomod github.com/stamblerre/gocode \ + # + # Install Go tools + && mv /tmp/gotools/bin/* /usr/local/bin/ \ + && mv gocode-gomod /usr/local/bin/ \ + # + # Install golangci-lint + # && curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b /usr/local/bin 2>&1 \ + # Fails on OSX. Problem seems to be the SSL certs are not correct in this local docker installation + # + # Create a non-root user to use if preferred - see https://aka.ms/vscode-remote/containers/non-root-user. 
+ && groupadd --gid $USER_GID $USERNAME \ + && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME \ + # [Optional] Add sudo support + && apt-get install -y sudo \ + && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ + && chmod 0440 /etc/sudoers.d/$USERNAME \ + # + # Clean up + && apt-get autoremove -y \ + && apt-get clean -y \ + && rm -rf /var/lib/apt/lists/* /tmp/gotools + +# Manually installing golangci-lint +RUN wget --no-check-certificate https://github.com/golangci/golangci-lint/releases/download/v1.30.0/golangci-lint-1.30.0-linux-amd64.deb +RUN dpkg -i golangci-lint-1.30.0-linux-amd64.deb + +# Update this to "on" or "off" as appropriate +ENV GO111MODULE=auto + +# Switch back to dialog for any ad-hoc use of apt-get +ENV DEBIAN_FRONTEND=dialog + +# Install kubectl +RUN sudo apt-get update && sudo apt-get install -y apt-transport-https gnupg2 curl +RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - +RUN echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee -a /etc/apt/sources.list.d/kubernetes.list +RUN sudo apt-get update +RUN sudo apt-get install -y kubectl + +# Install Terraform +WORKDIR /tmp +RUN wget https://releases.hashicorp.com/terraform/0.15.0/terraform_0.15.0_linux_amd64.zip +RUN unzip terraform_0.15.0_linux_amd64.zip +RUN cp /tmp/terraform /usr/local/bin/terraform + +# Install Terragrunt +RUN wget https://github.com/gruntwork-io/terragrunt/releases/download/v0.26.7/terragrunt_linux_amd64 +RUN chmod 755 ./terragrunt_linux_amd64 +RUN cp terragrunt_linux_amd64 /usr/local/bin/terragrunt + +# Install saml2aws +RUN wget https://github.com/Versent/saml2aws/releases/download/v2.27.1/saml2aws_2.27.1_linux_amd64.tar.gz +RUN tar -zxvf saml2aws_2.27.1_linux_amd64.tar.gz +RUN cp saml2aws /usr/local/bin/saml2aws + +# Install aws cli +RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +RUN unzip awscliv2.zip +RUN ./aws/install + +# Install 
helm +RUN wget https://get.helm.sh/helm-v3.5.4-linux-amd64.tar.gz +RUN tar -zxvf helm-v3.5.4-linux-amd64.tar.gz +RUN cp linux-amd64/helm /usr/local/bin/helm diff --git a/.devcontainer/README.md b/.devcontainer/README.md new file mode 100644 index 000000000..380533fbf --- /dev/null +++ b/.devcontainer/README.md @@ -0,0 +1 @@ +Source: https://github.com/microsoft/vscode-remote-try-go diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000..314b79ad6 --- /dev/null +++ b/.devcontainer/devcontainer.json 
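Review bot: `RUN wget --no-check-certificate https://github.com/golangci/golangci-lint/releases/download/v1.30.0/golangci-lint-1.30.0-linux-amd64.deb` followed by `RUN dpkg -i …` turns off TLS verification and then installs whatever came back as root; the comment above it says the curl-pipe-sh installer failed on a local certificate problem, and this workaround converts that local problem into an unauthenticated download of an executable package. Drop `--no-check-certificate` (fix the host's CA bundle instead) and check a pinned digest before `dpkg -i`, e.g. `echo "<sha256 from the release's checksums file>  golangci-lint-1.30.0-linux-amd64.deb" | sha256sum -c -`. The same gap exists for the terraform, terragrunt, saml2aws, awscli and helm downloads below, none of which verifies a checksum or signature even though HashiCorp publishes `terraform_0.15.0_SHA256SUMS` and its `.sig` next to the zip, and the Go tools are fetched at `@latest` so the image is not reproducible either. Each `RUN wget` / `RUN unzip` / `RUN cp` triplet also leaves the archive and extracted files in their own layers under `/tmp`; fetch, verify, install and remove in one `RUN` as sketched below, and apply the same shape to the remaining tools.
```dockerfile
# Manually installing golangci-lint: pinned version, digest checked, no --no-check-certificate.
# Pass the digest from the release's checksums file: --build-arg GOLANGCI_LINT_SHA256=...
ARG GOLANGCI_LINT_SHA256
RUN wget -q https://github.com/golangci/golangci-lint/releases/download/v1.30.0/golangci-lint-1.30.0-linux-amd64.deb \
    && echo "${GOLANGCI_LINT_SHA256}  golangci-lint-1.30.0-linux-amd64.deb" | sha256sum -c - \
    && dpkg -i golangci-lint-1.30.0-linux-amd64.deb \
    && rm golangci-lint-1.30.0-linux-amd64.deb

# … unchanged: GO111MODULE / DEBIAN_FRONTEND / kubectl install …

# Install Terraform: verify the zip against the published SHA256SUMS before it reaches PATH.
WORKDIR /tmp
RUN wget -q https://releases.hashicorp.com/terraform/0.15.0/terraform_0.15.0_linux_amd64.zip \
    && wget -q https://releases.hashicorp.com/terraform/0.15.0/terraform_0.15.0_SHA256SUMS \
    && grep ' terraform_0.15.0_linux_amd64.zip$' terraform_0.15.0_SHA256SUMS | sha256sum -c - \
    && unzip -q terraform_0.15.0_linux_amd64.zip \
    && install -m 0755 terraform /usr/local/bin/terraform \
    && rm -f terraform terraform_0.15.0_linux_amd64.zip terraform_0.15.0_SHA256SUMS

# … unchanged: terragrunt, saml2aws, awscli, helm (same fetch-verify-install-clean pattern) …
```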
@@ -0,0 +1,42 @@
+// Doc config: https://code.visualstudio.com/docs/remote/containers
+// Config reference: https://code.visualstudio.com/docs/remote/devcontainerjson-reference#_attached-container-configuration-reference
+// Host network mode: https://docs.microsoft.com/en-us/visualstudio/codespaces/reference/configuring#host-network-mode
+{
+ "name": "ManagedKube",
+ "dockerFile": "Dockerfile",
+ "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined", "--network=host" ],
+
+ // Use 'forwardPorts' to make a list of ports inside the container available locally.
+ "forwardPorts": [9000],
+
+ // Use 'settings' to set *default* container specific settings.json values on container create.
+ // You can edit these settings after create using File > Preferences > Settings > Remote.
+ "settings": {
+ "terminal.integrated.shell.linux": "/bin/bash",
+ "go.gopath": "/go",
+ "go.inferGopath": true,
+ "go.useLanguageServer": true
+ },
+
+ // Add the IDs of extensions you want installed when the container is created in the array below.
+ "extensions": [
+ "golang.Go",
+ "4ops.terraform"
+ ],
+
+ // Uncomment the next line to run commands after the container is created.
+ // "postCreateCommand": "go version",
+
+ // Comment out the next line to run as root
+ "remoteUser": "vscode",
+
+ // https://code.visualstudio.com/docs/remote/containers-advanced#_adding-another-local-file-mount
+ "mounts": [
+ // Mounting local kubeconfig into the container
+ "source=${localEnv:HOME}/.kube/config,target=/home/vscode/.kube/config,type=bind,consistency=cached",
+ // Mounting local saml2aws into the container
+ "source=${localEnv:HOME}/.saml2aws,target=/home/vscode/.saml2aws,type=bind,consistency=cached",
+ // Mounting the local terraform cloud login token into the container
+ "source=${localEnv:HOME}/.terraform.d,target=/home/vscode/.terraform.d,type=bind,consistency=cached",
+ ]
+}
\ No newline at end of file
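Review bot: The `mounts` block bind-mounts `~/.kube/config`, `~/.saml2aws` and `~/.terraform.d` (the Terraform Cloud API token) read-write into a container that is also started with `--network=host`, `--security-opt seccomp=unconfined` and `--cap-add=SYS_PTRACE`, whose image pulls its Go tooling at `@latest` and gives `vscode` passwordless `sudo`; any compromised dependency inside the container therefore gets the developer's cluster and cloud credentials plus the host's network namespace, and the "Comment out the next line to run as root" remark is cosmetic given the sudoers entry. `SYS_PTRACE` and `seccomp=unconfined` are what Delve needs, but `--network=host` is not needed for a Go dev loop and makes `forwardPorts: [9000]` moot — drop it, or document in the comment above `runArgs` the concrete reason it is required. For the credential mounts, append `,readonly` to every mount string the container only reads from, e.g. `"source=${localEnv:HOME}/.kube/config,target=/home/vscode/.kube/config,type=bind,consistency=cached,readonly"`; where a tool run inside the container has to write to one of these paths (`terraform login` and `saml2aws configure` presumably do), keep that single mount writable and say so in its comment so the exception is deliberate.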
diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 000000000..a01e96bee --- /dev/null +++ b/.dockerignore @@ -0,0 +1,24 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +*.terragrunt-cache + +# Crash log files +crash.log + +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json diff --git a/.github/workflows/terraform-pipeline-dev.yaml b/.github/workflows/terraform-pipeline-dev.yaml new file mode 100644 index 000000000..05a55ce41 --- /dev/null +++ b/.github/workflows/terraform-pipeline-dev.yaml 
@@ -0,0 +1,154 @@ +# The name of the pipeline. Must be unique. +name: "Terraform - AWS" + +on: + push: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-environments/aws/dev/**' + branches: + - main + pull_request: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-environments/aws/dev/**' + +jobs: + ## This generates a matrix of changed directory to run Terraform on + generate_matrix: + runs-on: ubuntu-latest + env: + # The path that you want to construct the matrix on. Only files in this + # path that has changed will be included in. + TERRAFORM_CHECK_PATH: terraform-environments/aws/dev + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 2 + + - name: get parent directory and set matrix + id: set-matrix + run: | + # A list of files that changed + git diff --name-only HEAD^ HEAD $TERRAFORM_CHECK_PATH > files1.txt + + # Output a list of parent folder stripping out the file name + # leaving only the parent dir name + while IFS= read -r file + do + parent_dir=$(dirname -- "$file") + echo $parent_dir >> file2.txt + done < files1.txt + + echo "## All changed directories" + cat file2.txt + + # There can be duplicates in the parent dir name if multiple + # files changed in that parent dir. This is to output a list + # that is unqiue so that we don't run the plan on the same + # folder multiple times. 
+ cat file2.txt | uniq > file3.txt + + echo "## Unique list of changed dirs only" + cat file3.txt + echo "##" + + # Set the parent dir into the Github Actions json matrix + # https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#fromjson + tf_config='' + while IFS= read -r file + do + echo "file = $file" + # parent_dir=$(dirname -- "$file") + # echo "parent_dir = $parent_dir" + + if [[ -z $tf_config ]]; then + tf_config="{\"tf_config\":\"$file\"}" + else + tf_config="$tf_config, {\"tf_config\":\"$file\"}" + fi + done < file3.txt + + tf_config="{\"include\":[$tf_config]}" + echo "::set-output name=matrix::$tf_config" + + terraform: + name: "Terraform" + needs: [generate_matrix] + strategy: + matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + # terraform_version: 0.13.0: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN_DEV }} + + # - name: debug1 + # id: debug1 + # working-directory: ${{matrix.tf_config}} + # run: | + # pwd + # ls -l + + - name: Terraform Format + id: fmt + working-directory: ${{matrix.tf_config}} + run: terraform fmt -check + + - name: Terraform Init + id: init + working-directory: ${{matrix.tf_config}} + run: terraform init + + - name: Terraform Plan + id: plan + working-directory: ${{matrix.tf_config}} + if: github.event_name == 'pull_request' + run: terraform plan -no-color + continue-on-error: true + + - uses: actions/github-script@0.9.0 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + +
Show Plan + + \`\`\`\n + ${process.env.PLAN} + \`\`\`\n + +
+ + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + github.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + working-directory: ${{matrix.tf_config}} + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: terraform apply -auto-approve diff --git a/.github/workflows/terraform-pipeline-staging.yaml b/.github/workflows/terraform-pipeline-staging.yaml new file mode 100644 index 000000000..d92b119af --- /dev/null +++ b/.github/workflows/terraform-pipeline-staging.yaml 
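Review bot: The `pull_request` trigger runs `terraform init` and `terraform plan` with `TF_API_TOKEN_DEV` written into the CLI config by `hashicorp/setup-terraform`, and there is no top-level `permissions:` block, so `GITHUB_TOKEN` keeps whatever default scope the repository grants. `terraform plan` executes provider plugins, `external` data sources and any module `source =` the PR's `.tf` files point at, so anyone who can open a same-repo PR touching `terraform-environments/aws/dev/**` runs code with that token (fork PRs do not receive secrets, same-repo branches do). Add `permissions: { contents: read, pull-requests: write }` at the top (the comment step is the only thing that needs write), and attach the `terraform` job to an `environment:` with required reviewers so `terraform apply -auto-approve` on `main` is gated by something other than branch membership. Note also that the plan is posted verbatim into the PR comment; Terraform only masks attributes marked `sensitive`, so anything else in the diff becomes visible to everyone who can read the PR.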
@@ -0,0 +1,154 @@ +# The name of the pipeline. Must be unique. +name: "Terraform - AWS" + +on: + push: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-environments/aws/staging/**' + branches: + - main + pull_request: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-environments/aws/staging/**' + +jobs: + ## This generates a matrix of changed directory to run Terraform on + generate_matrix: + runs-on: ubuntu-latest + env: + # The path that you want to construct the matrix on. Only files in this + # path that has changed will be included in. + TERRAFORM_CHECK_PATH: terraform-environments/aws/staging + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 2 + + - name: get parent directory and set matrix + id: set-matrix + run: | + # A list of files that changed + git diff --name-only HEAD^ HEAD $TERRAFORM_CHECK_PATH > files1.txt + + # Output a list of parent folder stripping out the file name + # leaving only the parent dir name + while IFS= read -r file + do + parent_dir=$(dirname -- "$file") + echo $parent_dir >> file2.txt + done < files1.txt + + echo "## All changed directories" + cat file2.txt + + # There can be duplicates in the parent dir name if multiple + # files changed in that parent dir. This is to output a list + # that is unqiue so that we don't run the plan on the same + # folder multiple times. 
+ cat file2.txt | uniq > file3.txt + + echo "## Unique list of changed dirs only" + cat file3.txt + echo "##" + + # Set the parent dir into the Github Actions json matrix + # https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#fromjson + tf_config='' + while IFS= read -r file + do + echo "file = $file" + # parent_dir=$(dirname -- "$file") + # echo "parent_dir = $parent_dir" + + if [[ -z $tf_config ]]; then + tf_config="{\"tf_config\":\"$file\"}" + else + tf_config="$tf_config, {\"tf_config\":\"$file\"}" + fi + done < file3.txt + + tf_config="{\"include\":[$tf_config]}" + echo "::set-output name=matrix::$tf_config" + + terraform: + name: "Terraform" + needs: [generate_matrix] + strategy: + matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + # terraform_version: 0.13.0: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN_STAGING }} + + # - name: debug1 + # id: debug1 + # working-directory: ${{matrix.tf_config}} + # run: | + # pwd + # ls -l + + - name: Terraform Format + id: fmt + working-directory: ${{matrix.tf_config}} + run: terraform fmt -check + + - name: Terraform Init + id: init + working-directory: ${{matrix.tf_config}} + run: terraform init + + - name: Terraform Plan + id: plan + working-directory: ${{matrix.tf_config}} + if: github.event_name == 'pull_request' + run: terraform plan -no-color + continue-on-error: true + + - uses: actions/github-script@0.9.0 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + +
Show Plan + + \`\`\`\n + ${process.env.PLAN} + \`\`\`\n + +
+ + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + github.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + working-directory: ${{matrix.tf_config}} + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: terraform apply -auto-approve diff --git a/.github/workflows/terragrunt-dev-destroy.yaml b/.github/workflows/terragrunt-dev-destroy.yaml new file mode 100644 index 000000000..4ec9fff5c --- /dev/null +++ b/.github/workflows/terragrunt-dev-destroy.yaml 
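Review bot: `name: "Terraform - AWS"` is identical to the dev workflow's name even though the comment above it says the name must be unique; branch-protection required checks and the Actions UI both key on this string, so the two environments become indistinguishable — use `name: "Terraform - AWS - staging"` (and the matching suffix in the dev file). The change detection `git diff --name-only HEAD^ HEAD $TERRAFORM_CHECK_PATH` with `fetch-depth: 2` only sees the last commit of a push, so a rebase-merge or a direct push of several commits to `main` applies only the directories touched by the final commit and silently skips the rest; on `push` events diff against `${{ github.event.before }}` (with a deeper or full fetch) and on `pull_request` against the merge base instead. The matrix JSON is also built by string interpolation of repository paths, so a directory name containing `"` or `\` produces a `fromJson` parse failure rather than a clean skip; quote the path through `jq -R` or reject such names explicitly.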
@@ -0,0 +1,54 @@
+name: "Terragrunt-dev - AWS - destroy"
+
+on:
+ workflow_dispatch:
+ inputs:
+ pathToRunDestroyOn:
+ description: 'The path from the root of the repo to run terragrunt destroy on'
+ required: true
+ default: 'null'
+
+env:
+ AWS_REGION: us-east-1
+ tf_version: '1.0.11'
+ tg_version: 'v0.35.13'
+ kg_version: 'v0.7.11'
+
+# Used for getting permissions to AWS resources through an OIDC federation
+permissions:
+ id-token: write
+ contents: read # This is required for actions/checkout@v1
+
+jobs:
+ terragrunt:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@master
+
+ - name: 'Download kubergrunt'
+ run: |
+ wget https://github.com/gruntwork-io/kubergrunt/releases/download/v0.7.11/kubergrunt_linux_amd64
+ chmod 755 kubergrunt_linux_amd64
+ mkdir ${{ github.workspace }}/tmp_bin
+ cp kubergrunt_linux_amd64 ${{ github.workspace }}/tmp_bin/kubergrunt
+
+ - name: 'Configure AWS credentials from p1 account'
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_TERRAFORM_DEV }}
+ role-session-name: githubAWSSession
+ role-duration-seconds: 900
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: 'Terragrunt Destroy'
+ uses: the-commons-project/terragrunt-github-actions@master
+ with:
+ tf_actions_version: ${{ env.tf_version }}
+ tg_actions_version: ${{ env.tg_version }}
+ tf_actions_subcommand: 'destroy'
+ tf_actions_working_dir: ${{ github.event.inputs.pathToRunDestroyOn }}
+ tf_actions_comment: true
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ KUBERGRUNT_EXEC: ${{ github.workspace }}/tmp_bin/kubergrunt
diff --git a/.github/workflows/terragrunt-dev.yaml b/.github/workflows/terragrunt-dev.yaml
new file mode 100644
index 000000000..785d41b38
--- /dev/null
+++ b/.github/workflows/terragrunt-dev.yaml
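Review bot: `uses: the-commons-project/terragrunt-github-actions@master` (and `uses: actions/checkout@master`) pins a third-party action to a mutable branch, and that action is handed the OIDC-assumed AWS role session plus `GITHUB_TOKEN` and told to run `terragrunt destroy` on an operator-supplied path, so whoever can push to that upstream branch can run arbitrary code with the dev account's Terraform role. Pin both to a full commit SHA, e.g. `uses: the-commons-project/terragrunt-github-actions@<40-char commit sha> # vX.Y.Z`, and review on each bump. `kubergrunt` is fetched with no checksum and its version is hard-coded in the URL while `kg_version: 'v0.7.11'` sits unused in `env:`; build the URL from `${{ env.kg_version }}` and compare the download against a digest recorded in this file before copying it into `tmp_bin`. Because this is a destructive `workflow_dispatch`, also attach the job to an `environment:` with required reviewers and reject the `'null'` default explicitly — export the input to an env var and run `test "$DESTROY_PATH" != null && test -d "$DESTROY_PATH"` as the first step — rather than relying on terragrunt failing on a missing directory.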
@@ -0,0 +1,234 @@ +# The name of the pipeline. Must be unique. +name: "Terragrunt-dev - AWS" + +on: + push: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-environments/aws/terragrunt-dev/**/*.hcl' + - 'terraform-environments/aws/terragrunt-dev/**/*.yaml' + - '!terraform-environments/aws/terragrunt-dev/terragrunt.hcl' + - '!terraform-environments/aws/terragrunt-dev/common.hcl' + - '!terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/us-east-1/region.hcl' + - '!terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/us-east-1/terragrunt-dev/environment.hcl' + branches: + - main + pull_request: + # only run when files in this path changes + # https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-positive-and-negative-patterns-1 + paths: + - 'terraform-environments/aws/terragrunt-dev/**/*.hcl' + - 'terraform-environments/aws/terragrunt-dev/**/*.yaml' + - '!terraform-environments/aws/terragrunt-dev/terragrunt.hcl' + - '!terraform-environments/aws/terragrunt-dev/common.hcl' + - '!terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/us-east-1/region.hcl' + - '!terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/us-east-1/terragrunt-dev/environment.hcl' + +env: + AWS_REGION: us-east-1 + tf_version: '1.2.3' + tg_version: 'v0.37.4' + ENVIRONMENT_NAME: terragrunt-dev + +# Used for getting permissions to AWS resources through an OIDC federation +permissions: + id-token: write + contents: read # This is required for actions/checkout@v1 + +jobs: + ## This generates a matrix of changed directory to run Terraform on + generate_matrix: + runs-on: ubuntu-latest + env: + # The path that you want to construct the matrix on. Only files in this + # path that has changed will be included in. 
+ TERRAFORM_CHECK_PATH: terraform-environments/aws/terragrunt-dev + outputs: + matrix: ${{ steps.set-matrix.outputs.matrix }} + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 2 + + - name: get parent directory and set matrix + id: set-matrix + run: | + # A list of files that changed + git diff --name-only HEAD^ HEAD $TERRAFORM_CHECK_PATH > files1.txt + # Output a list of parent folder stripping out the file name + # leaving only the parent dir name + while IFS= read -r file + do + parent_dir=$(dirname -- "$file") + + echo "xx parent_dir: $parent_dir" + echo "xx file: $file" + + if [[ "$parent_dir" != "terraform-environments/aws/terragrunt-dev/us-west-2/dev01" ]] && [[ "$parent_dir" != "terraform-environments/aws/terragrunt-dev" ]] && [[ "$parent_dir" != "terraform-environments/aws/terragrunt-dev/us-west-2" ]]; then + echo "aa: $parent_dir" + echo $parent_dir >> file2.txt + fi + + + done < files1.txt + echo "## All changed directories" + cat file2.txt + # There can be duplicates in the parent dir name if multiple + # files changed in that parent dir. This is to output a list + # that is unqiue so that we don't run the plan on the same + # folder multiple times. 
+ cat file2.txt | uniq > file3.txt + echo "## Unique list of changed dirs only" + cat file3.txt + echo "##" + # Set the parent dir into the Github Actions json matrix + # https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#fromjson + tf_config='' + while IFS= read -r file + do + echo "file = $file" + # parent_dir=$(dirname -- "$file") + # echo "parent_dir = $parent_dir" + + if [[ -z $tf_config ]]; then + tf_config="{\"tf_config\":\"$file\"}" + else + tf_config="$tf_config, {\"tf_config\":\"$file\"}" + fi + done < file3.txt + tf_config="{\"include\":[$tf_config]}" + echo "::set-output name=matrix::$tf_config" + terragrunt: + name: 'Terragrunt' + needs: [generate_matrix] + strategy: + matrix: ${{fromJson(needs.generate_matrix.outputs.matrix)}} + ## https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategyfail-fast + ## Prevents the entire matrix to stop when one fails + ## If Github Actions stops a run mid-run, the TF state file sometime might not be written out before it fails or stops + fail-fast: false + runs-on: ubuntu-latest + env: + tf_working_dir: ${{matrix.tf_config}} + TF_VAR_key_name: ${{ secrets.KEY_NAME }} + steps: + - name: 'Checkout' + uses: actions/checkout@master + + - name: 'Download kubergrunt' + run: | + wget https://github.com/gruntwork-io/kubergrunt/releases/download/v0.9.0/kubergrunt_linux_amd64 + chmod 755 kubergrunt_linux_amd64 + mkdir ${{ github.workspace }}/tmp_bin + cp kubergrunt_linux_amd64 ${{ github.workspace }}/tmp_bin/kubergrunt + + - name: 'Download kubectl' + run: | + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + chmod 755 kubectl + + - name: 'Configure AWS credentials' + uses: aws-actions/configure-aws-credentials@v1.6.1 + with: + ############################################################################ + ## This role is an output from the 050-github-aws-permissions 
Terraform/Terragrunt + ## instantitation/apply. + ## + ## It will be in the form of: arn:aws:iam::xxxxxxxxx:role/github_oidc_ + ############################################################################ + role-to-assume: ${{ secrets.AWS_GITHUB_OIDC_TERRAFORM_DEV }} + role-session-name: githubAWSSession + role-duration-seconds: 900 + aws-region: ${{ env.AWS_REGION }} + + - name: 'Terragrunt Format' + uses: the-commons-project/terragrunt-github-actions@master + with: + tf_actions_version: ${{ env.tf_version }} + tg_actions_version: ${{ env.tg_version }} + tf_actions_cli_credentials_token: ${{ secrets.TF_API_TOKEN_DEV }} + tf_actions_binary: 'terraform' + tf_actions_subcommand: 'fmt' + tf_actions_working_dir: ${{ env.tf_working_dir }} + tf_actions_comment: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: 'Terragrunt Init' + uses: the-commons-project/terragrunt-github-actions@master + with: + tf_actions_version: ${{ env.tf_version }} + tg_actions_version: ${{ env.tg_version }} + tf_actions_cli_credentials_token: ${{ secrets.TF_API_TOKEN_DEV }} + tf_actions_subcommand: 'init' + tf_actions_working_dir: ${{ env.tf_working_dir }} + # This will answer yes to all the terragrunt questions, such as do you want to create + # the S3 bucket + # args: --terragrunt-non-interactive + tf_actions_comment: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: 'Output .terraform.lock.hcl file' + run: | + cd ${{ env.tf_working_dir }} + cat .terraform.lock.hcl + + # - name: 'Terragrunt Validate' + # uses: the-commons-project/terragrunt-github-actions@master + # with: + # tf_actions_version: ${{ env.tf_version }} + # tg_actions_version: ${{ env.tg_version }} + # tf_actions_cli_credentials_token: ${{ secrets.TF_API_TOKEN_DEV }} + # tf_actions_binary: 'terraform' + # tf_actions_subcommand: 'validate' + # tf_actions_working_dir: ${{ env.tf_working_dir }} + # tf_actions_comment: true + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: 
'Terragrunt Plan' + uses: the-commons-project/terragrunt-github-actions@master + with: + tf_actions_version: ${{ env.tf_version }} + tg_actions_version: ${{ env.tg_version }} + tf_actions_cli_credentials_token: ${{ secrets.TF_API_TOKEN_DEV }} + tf_actions_subcommand: 'plan' + tf_actions_working_dir: ${{ env.tf_working_dir }} + tf_actions_comment: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + KUBERGRUNT_EXEC: ${{ github.workspace }}/tmp_bin/kubergrunt + # TF_LOG: DEBUG + + # - name: Testkube Pre-Apply + # if: github.ref == 'refs/heads/master' && github.event_name == 'push' + # id: testkube + # uses: ManagedKube/github-action-testkube@v1.0.14 + # with: + # test-suite-name: 'infra-base' + # cluster-name: ${{ env.ENVIRONMENT_NAME }} + + - name: Terragrunt Apply + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + uses: the-commons-project/terragrunt-github-actions@master + with: + tf_actions_version: ${{ env.tf_version }} + tg_actions_version: ${{ env.tg_version }} + tf_actions_cli_credentials_token: ${{ secrets.TF_API_TOKEN_DEV }} + tf_actions_subcommand: 'apply' + tf_actions_working_dir: ${{ env.tf_working_dir }} + tf_actions_comment: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + KUBERGRUNT_EXEC: ${{ github.workspace }}/tmp_bin/kubergrunt + + # - name: Testkube Post-Apply + # if: github.ref == 'refs/heads/master' && github.event_name == 'push' + # id: testkube + # uses: ManagedKube/github-action-testkube@v1.0.14 + # with: + # test-suite-name: 'infra-base' + # cluster-name: ${{ env.ENVIRONMENT_NAME }} diff --git a/.gitignore b/.gitignore index 52ceb3a8b..a01e96bee 100644 --- a/.gitignore +++ b/.gitignore @@ -5,6 +5,8 @@ *.tfstate *.tfstate.* +*.terragrunt-cache + # Crash log files crash.log diff --git a/.vscode/launch.json b/.vscode/launch.json new file mode 100644 index 000000000..c23774cdd --- /dev/null +++ b/.vscode/launch.json 
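Review bot: The `Terragrunt Plan` step runs on `pull_request` after `aws-actions/configure-aws-credentials` has assumed `AWS_GITHUB_OIDC_TERRAFORM_DEV`, and terragrunt evaluates the PR's `.hcl` — `run_cmd()`, `before_hook`/`after_hook` and arbitrary module `source =` — before any plan exists, so a same-repo PR touching `terraform-environments/aws/terragrunt-dev/**` can execute whatever it likes with live AWS credentials and `TF_API_TOKEN_DEV` (fork PRs receive no secrets; same-repo branches do). Unless the role's trust policy already limits `sub` to `repo:ORG/REPO:ref:refs/heads/main`, use a separate read-only plan role for `pull_request` and keep this role for pushes to `main`, and gate the `Terragrunt Apply` step with an `environment:` that requires review. `run: cd ${{ env.tf_working_dir }}` in the lock-file step interpolates a directory name derived from changed-file paths straight into the shell, so a PR adding a file under a directory named with `$(…)` gets that evaluated; the value is already in the job `env:`, so write `cd "$tf_working_dir"` instead. `the-commons-project/terragrunt-github-actions@master` and `actions/checkout@master` should be pinned to commit SHAs for the same reasons, and `kubectl` is pulled from `stable.txt` with neither a version nor a checksum, so the toolchain drifts underneath the pipeline. Minor: the `paths:` filters exclude files under `us-east-1/…` while the matrix script drops `us-west-2/dev01` and `us-west-2`, so one of those two lists looks stale.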
@@ -0,0 +1,17 @@ +{ + // Use IntelliSense to learn about possible attributes. + // Hover to view descriptions of existing attributes. + // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 + "version": "0.2.0", + "configurations": [ + { + "name": "Launch", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "${fileDirname}", + "env": {}, + "args": [] + } + ] +} \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 000000000..a46064559 --- /dev/null +++ b/.vscode/settings.json @@ -0,0 +1,3 @@ +{ + "go.inferGopath": false +} \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 000000000..8dada3eda --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index d99901f19..45c583079 100644 --- a/README.md +++ b/README.md 
@@ -1 +1,210 @@ -# kubernetes-ops +# ToC +- [What is kubernetes-ops](#what-is-kubernetes-ops) +- [The stack this will create](#the-stack-this-will-create) +- [Whys](#whys) + * [Why do all of this?](#why-do-all-of-this-) + * [GitOps workflow, how does that play into this project?](#gitops-workflow--how-does-that-play-into-this-project-) + * [Why an entire repository?](#why-an-entire-repository-) +- [What tools do we use](#what-tools-do-we-use) + * [Supported built in services](#supported-built-in-services) +- [Who is using this](#who-is-using-this) +- [Topology](#topology) + * [The AWS EKS topology](#the-aws-eks-topology) + * [GCP GKE](#gcp-gke) +- [How do I start using this?](#how-do-i-start-using-this-) + * [Read the setup](#read-the-setup) +- [Need a DevOps consultant?](#need-a-devops-consultant-) +- [License](#license) + +Table of contents generated with markdown-toc + +# What is kubernetes-ops + +TL;DR kubernetes-ops is a way to run Kubernetes and applications on it in a GitOps way using Terraform and Github Actions. We have tried to minimuze the number of tools sets used to keep what is already complex from being even more complex. + +The long version + +Kubernetes Ops has been a culmination of how we have been helping clients use +Kubernetes over the years. There has been a lot of trial an error as we have +grown up with Kubernetes. This represents how we are currently helping our clients +use Kubernetes and how we help them maintain their infrastructure. You can view +this as a reference implementation of a fully productionalized Kubernetes setup. + +We lean towards the immutable infrastructure and Gitops Flow methodologies and use +no configuration management tools. Everything starts out in Git as either code +or configuration. Items are manipulated to what we want the desired state to be +and that is applied onto the infrastructure. 
+ +One of the biggest problem that this repository helps out with is what people are +starting to refer to as "day 2" problems (where "day 1" is creation). The "day 1" +problems are well documented and there are plenty of tutorials out there for it. +The problem with these tutorials and examples are that they mostly leave you hanging +on how to move forward with the infrastructure pieces. Day 2 problems are: what is the upgrade, patching, +and modification strategy, how do I manage the infrastructure git repository, etc? + +This is where we think we can provide some contribution. +With our experience in managing many Kubernetes clusters over the years, we think +we can provide this information. Creation of your cluster is about 10 to maybe +20 percent of the infrastructure activity (if that), making changes to the infrastructure +to suit your needs as time moves on is the bulk of the activity and finally +deletion of the entire or parts of the infrastructure as new items comes into play. + +If you follow through the instructions, you might think this is overly complex. +If this is your first time playing around with Kubernetes, it probably is overly +complex and this project is probably not well suited for you at this time. When +you want to take Kubernetes into production, this is where we think this set of +methodologies starts to shine. For example, this gives you an example of how +to lay out a repository for you infrastructure. It gives you the process and +workflow to create and update infrastructure pieces. From working with many +clients, we have come to a place where managing the infrastructure in this way +has made sense and has worked out really well in large and small teams. + +# The stack this will create + +![the stack](/docs/images/the-stack/kubernetes-managed-service-stack-v2.png) + +# Whys + +## Why do all of this? +Isn't there already projects that bring up Kubernetes for me? Why don't I just use GKE, EKS, AKS, \*KS? 
+ +Yes, there is and we use all of that. You can use anyone of those services and +go to the respective web console and bring up a Kubernetes cluster. In our opinion +and from our experience this is fine if you are testing out Kubernetes or just trying +out something new. It is fast and easy to understand what is going on. However, +when you want to bring that "new thing" into production, managing it that way +is not ideal. It is hard to reproduce from dev to qa to prod. Making manual +changes are hard to track and very error prone. + +We stress that this project does not represent the "easy" way of managing infrastructure. +This project represents a way to manage infrastructure in a Gitops flow kinda way and +in a sane way where a team of people can work on it together. + +## GitOps workflow, how does that play into this project? +This project mainly follow a Gitops workflow methodology. Changes are made in +this repository to code or configs in a branch. A PR can be opened on that branch +where other team members can review the changes. Then depending on your merging +techniques and automation it can be applied or merged then applied to any one +environment. + +## Why an entire repository? +We have found that having an "infrastructure" repository makes sense. You need +these items to live somewhere. It is usually not application code and it is an +entity all to itself. The infrastructure repository also usually gets fairly large +overtime as new items gets added into the software stack and new requirements for +services comes along. + +As an organization grows, it also tends to be a different set of people that +maintains the infrastructure and this repository. You have application developers +and DevOps or infrastructure groups. Even if you have those two teams in the same +group having this separate is a good delineation on what is actually being changed. +If items in here are changed, it is clearly an infrastructure related item. 
+ +# What tools do we use +We mainly only use open source tools. There might be some paid tools eventually +ending up in this repository and we will explicitly label those. + +Infrastructure building: +* Terraform + +Kubernetes clusters: +* GKE +* EKS + +Kubernetes tools: +* Helm +* Helm Charts from their repository + +## Supported built in services +These are the list of services that are maintained for each cloud + +| Service Name | Supported in AWS | Supported in GCP | source | +|--- |--- |--- |--- | +| cert-manager | yes | yes | helm/stable | +| cluster-autoscaler | yes | no | helm/stable | +| external-dns | yes | yes | helm/stable | +| graylog | yes | yes | helm/stable | +| jenkins | yes | yes | helm/stable | +| kube-bench | yes | yes | helm/stable | +| kube-downscaler | yes | yes | helm/stable | +| loki | yes | yes | loki | +| nginx-ingress | yes | yes | helm/stable | +| prometheus blackbox exporter | yes | yes | helm/stable | +| prometheus operator | yes | yes | helm/stable | +| sumologic-fluentd | yes | yes | helm/stable | +| threatstack | yes | yes | Threatstack | +| helm tiller -rbac enabled | yes | yes | - | +| vault-helm | yes | yes | Hashicorp | + +# Who is using this + +| | +|-------------------------------------------| +| [Parsable.com](https://www.parsable.com/) | +| [up.audio](https://up.audio/) | +| [karunalabs.com](https://karunalabs.com/) | +| Many more! | + +If you too are using kubernetes-common-services; please submit a PR to add your organization to the list! + +# Topology + +## The AWS EKS topology + +![aws kops topology](docs/images/aws-kops/Topology-aws-kops.png) + +* A very isolated VPC with only a few public IP address exposed to the internet +* Dedicated subnets for each item types. This allows you to segregate items better. 
+* Redundant Kubernetes worker nodes in 3 availability zones + +## GCP GKE +Kubernetes on GCP via GKE clusters + +![aws kops topology](docs/images/gcp-gke/topology-gcp-gke.png) + +* A very isolated VPC with only a few public IP address exposed to the internet +* Dedicated subnets for each item types. This allows you to segregate items better. +* Redundant Kubernetes masters in 3 availability zones +* Redundant Kubernetes worker nodes in 3 availability zones + +# How do I start using this? + +There are various docs and guides in the `docs` directory. + +## Read the setup +This is the first thing you should read. This has all of the setup information +that you will need to get started. + +[main doc](docs/) + +This doc will walk you through setting up a Kubernetes EKS infrastructure on AWS: `docs/terraform-github-action-pipeline.md` + +# Need a DevOps consultant? + +ManagedKube is a boutique DevOps consulting firm that helps companies run large-scale, reliable applications in a GitOps workflow. + +We work side-by-side with our client's development team to architect, design, build, optimize, and operate infrastructure in the cloud (AWS and GCP). + +We specialize in Docker/Kubernetes containerized infrastructure. + +Check us out at: [https://managedkube.com/](https://managedkube.com/) + +Or email us at: support@managedkube.com + +# License + +``` +Copyright 2019 ManagedKube + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` 
diff --git a/clusters/aws/kops/ssh-keys/.gitignore b/clusters/aws/kops/ssh-keys/.gitignore
deleted file mode 100644
index 3a1f63e04..000000000
--- a/clusters/aws/kops/ssh-keys/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-id_rsa*
-kubernetes-ops.pem
diff --git a/docs/README.md b/docs/README.md
index c81cf9dcd..fc9b30bf1 100644
--- a/docs/README.md
+++ b/docs/README.md
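Review bot: Deleting `clusters/aws/kops/ssh-keys/.gitignore` drops the `id_rsa*` and `kubernetes-ops.pem` ignore rules, and the only root `.gitignore` change visible in this diff adds `*.terragrunt-cache`, so nothing shown here still keeps an EC2 key pair or generated SSH private key out of the repository if someone follows the older kops instructions and writes keys into that directory. If the directory is being retired together with the kops docs, the safer move is to carry equivalent patterns into the root `.gitignore`, e.g. `*.pem`, `id_rsa*`, `id_ed25519*`, so a private key cannot be committed by accident. Whether the root `.gitignore` already covers these patterns is not visible in this chunk; please verify before merging.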
@@ -1,276 +1,133 @@ kubernetes-ops ================== -This repository represents an opinionated way to structure a repository that -holds the infrastructure level items. -# Download CLIs -We will be using various CLIs and tools to help create this infrastructure. -## Terraform -Currently you must use a version in the `v0.11.xx` releases. +# The cloud +Every cloud has a concept of a "network". AWS and GCP calls it the VPC. The VPC +will hold everything that you will ever run or create in the cloud. Items such as instances, +subnets, firewall rules, databases, queues, load balancers, etc. Since it is +such a foundational piece that sits at pretty much the bottom of the stack it +is very important to get this correct because trying to make changes to this later +with everything running on it could turn out to be very difficult or impossible +without downtime and/or a lot of reconfiguration of items that are running in +this VPC. -There are some major changes in `v0.12.xx` that don't seem backward compatible. +We also want to take control of creation and managing this VPC exclusively. A lot +of tools that creates Kubernetes clusters for you has the option of creating the +VPC, subnets, NATs, etc for you but in practice this is generally a bad idea. If +Kubernetes was the only item in this VPC, then that is ok but usually we don't just +run a Kubernetes cluster. Our workload/application will want to use cloud databases +such as RDS, SQS, Lambda, other instances that are not Kubernetes nodes, etc. We +will need to create subnets and other items for them to live in. For that reason +we create our own VPC and tell the Kubernetes cluster to use our VPCs and our +settings (and not the other way around). -## Terragrunt +## CIDR / IP Scheme +This is probably one of the most important decision when getting started. What +will my IP scheme be? Not thinking about this in the beginning can have big +repercussions down the road. 
If you use the same CIDR for two VPC now and sometime +in the future you want to peer them so that the two VPC can communicate with each +other directly, you are pretty much out of luck here. You will either need to +re-IP one of the VPCs (which sounds like a lot of work) or setup a NAT between +them and translate (which also sound like a lot of work) instead of a 30 minute +peering job, it turns into days if not more for the alternatives. -Currently, you must use a version in the `v0.18.x` release. +We might think that in this day and age, we don't need to worry about IPs. I +wish we were. This is the underpinning of the entire infrastructure. -## AWS CLI +This is why we have setup a CIDR/IP Scheme for you that you can use. -``` -aws-cli/1.16.xx -``` - -# Setup your IP CIDR -This document contains how your IP CIDRs are going to be laided out for your -entire infrastructure. Care should be taken to review this and to make sure -this fits your needs. - -While getting started quick you can just go with any IP CIDR scheme just to test -it out but if you were to roll out a real world setup where people will consume -this infrastructure, not thinking this out a little bit might make it difficult -to do certain things later. It is unfortunate that this has to come so early in -the process. The IP CIDR is pretty much at the bottom of the stack which means -it touches everything. Making changes to this later will probably be very difficult -and require some kind of large scale migration or cut over. - -We suggest you take the `cidr-ranges.md` file as a good place to start. - -# VPC Creation - -Directory: /tf-environment - -## Easy route - -Change directory to: '/tf-environments/dev-example/aws/vpc' - -You will have to change the `bucket` in the '/tf-environments/dev-example/aws/terraform.tfvars` -file. S3 bucket names has to be globally unique which means it can only exist once -in the all of AWS. 
The easiest way is to change the `123` in the bucket name to -some other random number. +[cidr-ranges.md](cidr-ranges.md) -Run: -``` -terragrunt init -terragrunt plan -terragrunt apply -``` - -This will create the VPC. +# What does the stack look like? -## Custom production route + -Copy the directory `dev-example` to a name of the environment you want to create. -If this is the first environment, `dev` is a good name. +# Tools you will need +[tools.md](tools.md) -### Update parameters -Now we have to update some parameter values in the files that we just copied in -the `dev` directory. +# Setting up the S3 buckets +In the configs, S3 buckets are used for Terraform and Kops as the state store. +This allows you to not hold the state of what you launched local to your machine and +on a remote machine. This is useful if you accidentally remove the files from your +local machine or if multiple people or machines will be updating these resources. -#### `_env_defaults/main.tf` -Update the parameter -- `environment_name` to `dev` -- `vpc_cidr` to the CIDR you chose -- `aws_availability_zone_1` and the availability zones if this needs to be updated +One problem is that S3 bucket names are global meaning only one can exist. If I +used a bucket name, that means you can not use that same name. -#### `terraform.tfvars` -This specifies where to store the Terraform remote state store. -- `bucket` - this has to be globally unique to S3. Easiest way is to change the number to some other arbitrary number -- `key` - change `dev-example` to `dev` or whatever you named this environment to +For you to use this, you will need to update the bucket names in this repository +to what you want to use. 
We are using the bucket name `kubernetes-ops-1234-terraform-state` -#### `aws/vpc/main.tf` -Update the parameters: -- `public_cidrs` to the CIDR range you choose -- `private_cidrs` to the CIDR range you choose +The following is a way to replace all of the occurrences of `kubernetes-ops-1234` +with `kubernetes-ops-xxxxxx`. A suggestion would be to replace the +`xxxxxx` with another random number. Try `123456` or `333333`, etc. -## Launch - -Run: +Linux: ``` -terragrunt init -terragrunt plan -terragrunt apply +find . -name '*' -exec sed -i -e 's/kubernetes-ops-1234/kubernetes-ops-xxxxxx/g' {} \; ``` -## Post launch -The Terraform output would have given you a VPC ID - +OSX: ``` -... -... -module.main.aws_route.private[0]: Creation complete after 1s (ID: r-rtb-015ee00a4ceb2c77b1080289494) -module.main.aws_route.private[2]: Creation complete after 1s (ID: r-rtb-0f342ec1f38c7dd7f1080289494) -module.main.aws_route.private[1]: Creation complete after 1s (ID: r-rtb-089e933a218c235121080289494) - -Apply complete! Resources: 29 added, 0 changed, 0 destroyed. - -Outputs: - -aws_vpc_id = vpc-01262c04bc41f2f1f +find . -type f | xargs sed -i '' 's/kubernetes-ops-1234/kubernetes-ops-xxxxxx/g' ``` -Copy this VPC id and put it into the `_env_defaults/main.tf` file in the `vpc_id` parameter +You can alternatively use your IDE to search and replace this string -This ID will be used by other Terraform modules/items that are launched into this VPC. +## Create the S3 buckets for Terraform +Terraform will create it's own bucket during the Terraform run. It will ask you +if you want to create it. -We will use this ID in the Kops creation because we are putting the Kubernetes -cluster in this VPC. +## Create the S3 buckets for kops +You will have to create the S3 bucket that Kops uses manually. 
-# Kubernetes Cluster creation - -## Change directory -From the root directory of this repo change directory to here: ``` -cd clusters/aws/kops/ +export KOPS_S3_BUCKET=kubernetes-ops-xxxxxx-kops-state-store ``` -## Create an AWS EC2 key pair -This will create the key, change the permissions so you can only read it, and -add it to your shell environment for usage. - -``` -aws ec2 create-key-pair --key-name kubernetes_ops --query 'KeyMaterial' --output text > ./ssh-keys/kubernetes-ops.pem -chmod 400 ./ssh-keys/kubernetes-ops.pem -ssh-add ./ssh-keys/kubernetes-ops.pem -``` - -## Kops on AWS - -Kops is an open source tool to help you create Kubernetes cluster. We are going -to use this tool to help us create a cluster on AWS. - -Source project: https://github.com/kubernetes/kops - -### Download the kops tool -Using kops cli is very version specific. This will determine what version -of Kubernetes will be installed. - -We are currently using version 1.11.x. You can download the `kops` CLI here: - -https://github.com/kubernetes/kops/releases/tag/1.11.1 - -### Creating the cluster -There is a sample cluster named `dev-example` that you can launch as is. - -Put the `vpc-id` into the file: `./clusters/dev-example/values.yaml` - -Set the state store. The kops state store is where kops writes information about -the cluster during creation. The entire state of the cluster is here. It -writes the information out to an AWS S3 bucket. Since buckets are globally -unique, you need to select a name that is unique to you. You can simply change -the `2345` string to something else or another number to make it unique. - -``` -export KOPS_STATE_STORE=s3://kubernetes-ops-2345-kops-state-store -``` - -Put the same bucket name in this case `kubernetes-ops-2345-kops-state-store` in -the file `./clusters/dev-example/values.yaml` in the `s3BucketName` values field. 
- Run this command to create the S3 bucket ``` aws s3api create-bucket \ - --bucket kubernetes-ops-2345-kops-state-store \ - --region us-east-1 \ - --versioning-configuration Status=Enabled + --bucket ${KOPS_S3_BUCKET} \ + --region us-east-1 ``` Enable versioning on the bucket: ``` -aws s3api put-bucket-versioning --bucket kubernetes-ops-2345-kops-state-store --versioning-configuration Status=Enabled +aws s3api put-bucket-versioning --bucket ${KOPS_S3_BUCKET} --versioning-configuration Status=Enabled ``` -Now, export out your AWS keys to the local shell: - +Using default encryption: ``` -export AWS_ACCESS_KEY_ID="foo" -export AWS_SECRET_ACCESS_KEY="bar" -export AWS_DEFAULT_REGION=us-east-1 +aws s3api put-bucket-encryption --bucket ${KOPS_S3_BUCKET} --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}' ``` -You can now run this command to output the templated values: +# Environments -``` -kops toolbox template --template ./template/cluster.yml --values ./clusters/dev-example/values.yaml > /tmp/output.yaml -``` +Environments are a self contained VPC for your application. Usually you would have +at least a `dev` and a `prod` environment if not a full series from `dev` -> +`qa` -> `staging` -> `prod`. -Run this command to create the cluster: -``` -kops create -f /tmp/output.yaml -``` - -At this point, it just created the configs for this cluster in S3. - -Get cluster name: -``` -kops get clusters -``` - -Set the cluster name from the output -``` - -export cluster_name=dev-example.us-east-1.k8s.local -``` - -Create ssh keys to be able to ssh into the cluster. You don't have to enter a -passphrase for the key if you do not want to. Just hit enter. - -``` -ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ./ssh-keys/id_rsa -``` - -Add the ssh keys into kops so it can put it on the machines. 
-``` -kops create secret --name ${cluster_name} sshpublickey admin -i ./ssh-keys/id_rsa.pub -``` - -Create the cluster. This will launch EC2 nodes and start configuring the kubernetes -cluster: -``` -kops --name ${cluster_name} update cluster --yes -``` - -By default, kops will place the `kubeconfig` on your local system. The kubeconfig -has information on how to reach this Kubernetes cluster and authentication for it. - -It is placed in: `~/.kube/config` - -#### Accessing the cluster -This cluster only has private IP addresses. You will not be able to reach it directly. -In the `dev-example` a bastion host is created for access. - -There is an easy tool to use to ssh and tunnel into a remote network called `sshuttle` +Ideally each environment are mostly the same. It is created via the same method, +has the same items in it, operates the same way, updated the same way, runs the +same infrastructure and application in it. -Here is the source project: https://github.com/sshuttle/sshuttle +The difference usually are the the sizes of the nodes, data stores, numbers of nodes. +For example, `dev` might be a 3 node cluster while `prod` might be double that to +account for high availability or extra load on the systems. -There are binaries and installs for Windows, OSX, and Linux. - -Using this you would run the this command to tunnel traffic to this VPC. - -In the AWS console find the load balancer that is pointed to the bastion host. In the -EC2 Dashboard, got to "Load Balancer" and search for "bastion". 
The DNS name will -point to your bastion host: - -DNS name: bastion-dev-example-us-ea-3gprsr-2140616004.us-east-1.elb.amazonaws.com - -Add the ssh private key you just generated to your local store so you can ssh in: -``` -ssh-add ./ssh-keys/kubernetes-ops.pem -``` - -Run the sshuttle command: -``` -sshuttle -r ec2-user@bastion-dev-example-us-ea-3gprsr-2140616004.us-east-1.elb.amazonaws.com 10.10.0.0/16 -v -``` - -This will forward all traffic destined for `10.10.0.0/16` through this tunnel. - -In another shell, run a `kubectl` command to check connectivity: - -``` -kubectl get nodes -``` +Another difference might be security levels or access. In the `dev` or `qa` +environments, there is no customer data, no private data of any kind which means +generally any developer can have access to it without much worries. On a `prod` +environment running live applications that your customers interact with and putting +personal information onto, these systems might be a little bit more sensitive and +not everyone has access to it. Depending on your requirements, you might limit +access or even have to go through some approvals to get access to any parts of this +infrastructure. -# References +### Why so many? -Kops setup: https://github.com/kubernetes/kops/blob/master/docs/aws.md +By doing this you have environments like `dev` where developers and delivering +new application code into it while they are working and testing it. This code +can be not fully functional and tested. You want this environment and other non +`prod` environments to vet out the code before your end customer uses it. diff --git a/docs/accessing-private-vpc-from-ci-system.md b/docs/accessing-private-vpc-from-ci-system.md new file mode 100644 index 000000000..284e3c9b5 --- /dev/null +++ b/docs/accessing-private-vpc-from-ci-system.md 
@@ -0,0 +1,132 @@
+# Accessing a Private VPC from a CI/CD System
+
+A lot of the popular CI/CD systems that are hosted and are on the internet:
+
+* Github Actions
+* Gitlab
+* CircleCI
+* CodeFresh
+
+The best practice for our VPCs and Kubernetes cluster is to have only an internal addresses.
+
+The problem is how do these CI/CD systems get access to our private VPC and Kubernetes clusters
+which do not any any public IPs it can reach?
+
+The following are some ideas on how we can address the problem.
+
+## Bastion host
+This seems like a common way and this seems to be the way that network operators has solved this
+problem for a long time now. You basically are given access to a bastion host which sits between
+the internet and the internal network.
+
+```
+Internet <---> (Public IP) Bastion Host (Internal IP) <---> Internal Network (can reach items on the internal network)
+```
+
+This is nice if you already have a Bastion host setup and this is the standard way you are doing things. This not
+so great, if you have to stand up a bastion host for CI/CD purposes. The reason is that now, someone will have to manage
+and secure this machine going forward. In companies that have higher security requirements turning on a bastion host
+might not be a trivial thing and can cause a lot of questions to be asked and you would have to go through a lot
+of process to get this in place.
+
+If there was a bastion host, using something like [sshuttle](https://github.com/sshuttle/sshuttle) becomes very easy
+to use and to gain access to a remote network like it was directly connected locally.
+
+## AWS System Manager Session
+This is an AWS service that helps you get access to machines and private VPCs in your accounts.
+
+Doc: [https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/](https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/)
+
+This can potentially span access from the CI/CD system to a private VPC network.
+
+This is however, a uniquely an AWS only solution since other cloud providers do not have something like this.
+
+## Slack overlay network
+This is an interesting idea on how to span networks: [https://slack.engineering/introducing-nebula-the-open-source-global-overlay-network-from-slack-884110a5579](https://slack.engineering/introducing-nebula-the-open-source-global-overlay-network-from-slack-884110a5579)
+
+I think a little bit more research have to be done on this first on how to use this. This requires a machine on the internet that
+all hosts trying to connect into the overlay to know. This also might be a problem to setup, secure, and continue on going maintenance on it. Which
+can cause a lot of overhead just for the CI/CD use case.
+
+
+## Running containers in the VPC via Fargate/CloudRun/etc
+What we really want is to just run a "process" in the remote private VPC and get back the output from it like:
+* What happened?
+* Did it succeed/fail/etc?
+* The log output
+
+We can have the CI/CD system launch a container in the remote private VPC which it then would have access to the
+private VPC's network and cloud resources (whatever permissions was given to it). Then this container would run
+the process/program to perform some kind of updates or sequence just like the CI/CD system would and then report
+back the output.
+
+![aws fargate ci-cd runner](/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.png)
+
+1) The CI/CD system is instructed to run this Fargate container
+
+2) Launching the Fargate container
+* This "step" should have the appropriate AWS IAM access to launch this.
+* It will launch the predetermined container on Fargate in the targeted private VPC.
+* This step will call the AWS API with the appropriate information to launch the Fargate task.
+
+3) Fargate container launches
+* The Fargate container launches inside the VPC that was targeted.
+* This container runs.
+
+4) The Kubernetes update process
+* The container runs through to update Kubernetes and whatever else this container is programmed to do.
+
+5) Fargate container logs
+* Logs from the Fargate container is extracted and outputted to the CI/CD systems output.
+* This allows someone to inspect this pipeline run from the CI/CD system on what happened.
+
+There are some pros and cons to this solution:
+
+Pros:
+* Does not require any VPN type connections between the CI/CD system and the remote private VPC.
+* A developer can test the update logic (#4) locally. Generally these pipelines cannot be tested locally because the CI/CD system has to run the pipeline. Since it is disconnected, this means the developer can run this locally to test if it is working as expected.
+* This scheme would work on most major cloud provider that has a "container as a service" offering.
+
+Cons:
+* This disconnects the CI/CD system from the actual run.
+* Changing the update logic (#4) will mean having to push a new container to the Fargate runner.
+
+Example Github Action:
+
+```yaml
+ steps:
+ # Checkout the repository
+ - name: Checkout
+ uses: actions/checkout@v1
+ - name: Launch Fargate Task
+ run: |
+ FARGATE_TASK_ID=aws fargate launch task \
+ --image=managedkube.com/update-kops-cluster:0.1.1
+ --env=foo=bar \
+ --env=foo2=bar2
+ - name: Wait for Fargate task
+ run: |
+ # Wait for Fargate task
+ - name: Get Fargate tasks logs
+ run: |
+ aws fargate get logs ${FARGATE_TASK_ID}
+ # output to stdout so that the CI/CD system can show the log to the operator
+```
+
+Example of what the `managedkube.com/update-kops-cluster:0.1.1` will do:
+
+```bash
+#!/bin/bash -ex
+
+# [DRY RUN] Run the kops update
+./kops.sh --name dev --update true --dry-run true
+
+# [Not DRY RUN] Run the kops update
+./kops.sh --name dev --update true --dry-run false
+
+# Run e2e tests
+./e2e-test.sh --name dev
+
+# Roll the nodes with testing on each node group
+./kops.sh --name dev --rolling-update --run-tests true --dry-run false
+```
\ No newline at end of file
diff --git a/docs/aws-transit-gateway/transit-gateway-network.drawio b/docs/aws-transit-gateway/transit-gateway-network.drawio
new file mode 100644
index 000000000..fab463255
--- /dev/null
+++ b/docs/aws-transit-gateway/transit-gateway-network.drawio
@@ -0,0 +1 @@
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
\ No newline at end of file
diff --git a/docs/aws-transit-gateway/transit-gateway-network.png b/docs/aws-transit-gateway/transit-gateway-network.png
new file mode 100644
index 000000000..44431fb25
Binary files /dev/null and b/docs/aws-transit-gateway/transit-gateway-network.png differ
diff --git a/docs/cidr-ranges.md b/docs/cidr-ranges.md
index 17833ef5b..9c553ef4f 100644
--- a/docs/cidr-ranges.md
+++ b/docs/cidr-ranges.md
@@ -4,7 +4,8 @@ CIDR Ranges
 # IP Calculator
 Here is a very good online IP CIDR calculator
-http://www.subnet-calculator.com/cidr.php
+* http://www.subnet-calculator.com/cidr.php
+* http://jodies.de/ipcalc
 # Global
@@ -12,27 +13,27 @@ http://www.subnet-calculator.com/cidr.php | Name | CIDR | |-----------------------------------|---------------| | docker0 | 172.26.0.0/16 | -| Kubernetes - dev-example | 10.9.0.0/16 | -| Kubernetes - dev | 10.10.0.0/16 | -| Kubernetes - qa | 10.11.0.0/16 | -| Kubernetes - staging | 10.12.0.0/16 | -| Kubernetes - prod | 10.13.0.0/16 | -| Kubernetes - xxx | 10.14.0.0/16 | -| Kubernetes - xxx | 10.15.0.0/16 | -| Kubernetes - xxx | 10.16.0.0/16 | -| Kubernetes - xxx | 10.17.0.0/16 | +| Kubernetes aws - dev | 10.10.0.0/16 | +| Kubernetes aws - qa | 10.11.0.0/16 | +| Kubernetes aws - staging | 10.12.0.0/16 | +| Kubernetes aws - prod | 10.13.0.0/16 | +| Kubernetes gcp - dev | 10.32.0.0/12 - 10.47.0.0/12 | +| Kubernetes gcp - qa | 10.48.0.0/12 - 10.63.255.255 | +| Kubernetes gcp - staging | 10.64.0.0/12 - 10.79.255.255 | +| Kubernetes gcp - prod | 10.80.0.0/12 - 10.95.255.255 | + ## Reserved ranged for each environment -Each envrionment has a bunch of initial reserved ranges to bring up the entire +Each environment has a bunch of initial reserved ranges to bring up the entire application. The following defines these ranges in a generic sense that can be applied to any of the above CIDRs. -## Kops +## EKS | Name | CIDR | Address Range | |------------------|--------------|---------------| | xxx | 10.xx.0.0/16 | xxxxx - xxxxx | -## Services Subnets +## AWS Services Subnets | Name | CIDR | Address Range | |---------------------------------------|------------------|-----------------------------| | RDS - subnet 1 | 10.xx.100.0/28 | 10.xx.100.0 - 10.xx.100.15 | 
@@ -43,3 +44,19 @@ be applied to any of the above CIDRs. | app one - subnet 2 | 10.xx.100.64/28 | 10.xx.100.64 - 10.xx.100.79 | | app two - subnet 1 | 10.xx.100.64/28 | 10.xx.100.64 - 10.xx.100.79 | | app two - subnet 2 | 10.xx.100.64/28 | 10.xx.100.64 - 10.xx.100.79 | +| Transit Gateway - subnet1 | 10.xx.104.16/28 | 10.xx.104.16 - 10.xx.104.31 | +| Transit Gateway - subnet2 | 10.xx.104.32/28 | 10.xx.104.32 - 10.xx.104.47 | +| Transit Gateway - subnet3 | 10.xx.104.48/28 | 10.xx.104.48 - 10.xx.104.63 | + +## GCP Subnets + +### Dev +| Name | CIDR | Address Range | +|---------------------------------------|------------------|-----------------------------| +| VPC - default public subnet | 10.32.1.0/24 | 10.32.1.0 - 10.32.1.255 | +| VPC - default private subnet | 10.32.5.0/24 | 10.32.5.0 - 10.32.5.255 | +| GKE master CIDR block | 10.32.11.0/28 | 10.32.11.0 - 10.32.11.15 | +| GKE cluster public subnet | 10.32.16.0/20 | 10.32.16.0 - 10.32.31.255 | +| GKE cluster private subnet | 10.32.32.0/20 | 10.32.32.0 - 10.32.47.255 | +| GKE service CIDR range | 10.32.64.0/19 | 10.32.64.0 - 10.32.95.255 | +| GKE pod CIDR range | 10.36.0.0/14 | 10.36.0.0 - 10.39.255.255 | diff --git a/docs/cluster-operations.md b/docs/cluster-operations.md new file mode 100644 index 000000000..af1b4cb24 --- /dev/null +++ b/docs/cluster-operations.md 
@@ -0,0 +1,126 @@
+# Cluster operations
+
+## How to install and upgrade the certs
+Currently there are not certificates to install or update
+
+## the IAM provisioning - what policies and roles are setup and how will it be maintained
+
+### EKS cluster
+The EKS cluster uses roles and policies. The EKS module handles it's own requirements internally to the module and we as users of this module don't need to specifically worry about what roles and policies it needs.
+
+### Access to the EKS clusters
+The EKS cluster defines a set of roles and users that can be mapped into the EKS cluster: https://github.com/ManagedKube/kubernetes-ops/blob/main/terraform-environments/aws/dev/20-eks/main.tf
+
+```
+ map_roles = [
+ {
+ rolearn = "arn:aws:iam::66666666666:role/role1"
+ username = "role1"
+ groups = ["system:masters"]
+ },
+ ]
+ map_users = [
+ {
+ userarn = "arn:aws:iam::725654443526:user/username"
+ username = "username"
+ groups = ["system:masters"]
+ },
+ ]
+```
+
+These roles are mapped from an AWS IAM user into the EKS cluster's groups and from there we can define Kubernetes RBAC policies on what a user can do or not.
+
+Kubernetes RBAC documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+
+## How to scale up or scale down a POD
+This is done by setting the `replicaCount` in each of the application deployment file.
+
+For example for `nginx-ingress`, you would change the number of replica count here: https://github.com/ManagedKube/kubernetes-ops/blob/main/terraform-environments/aws/dev/helm/40-ingress-nginx-external/helm_values.tpl.yaml
+
+This determines how many pods will run in this environment for this service.
+
+## Restarting a POD
+To restart a pod, you will have to use the `kubectl` command line tool.
+
+First list the pods:
+
+```bash
+kubectl get pods
+
+NAME READY STATUS RESTARTS AGE
+my-app1-8584f857df-kgfpg 2/2 Running 0 30m
+my-app1-bdc4894d8-ggtx8 2/2 Running 0 4d15h
+my-app2-86b5968549-slsdb 2/2 Running 0 64m
+
+```
+
+Select one to restart by deleting it:
+```bash
+kubectl delete pods my-app1-8584f857df-kgfpg
+```
+
+## How to give a pod certain IAM role/permissions
+Running in Kubernetes allows you to associate an IAM role to a pod. This allows you to give a pod and the containers within it certain permissions to your AWS cloud. This is the same mechanism as associating an IAM role to an EC2 instance. Since a pod can run on any number of nodes in the cluster and the nodes are running multiple pods, for most access, you most likely do not want to give every pod running on the node the same access. This allows you to selectively provide access to the pod that needs it.
+
+Documentation: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
+
+Here is an example the the EKS cluster-autoscaler. The cluster-autoscaler needs access to the AWS ASG (auto scaling groups) so that it can scale the number of nodes in the cluster up and down based on it's needs. It needs to do perform activities such as listing the nodes in the ASG group and being able to make changes to it.
+
+Here is the cluster-autoscaler module: https://github.com/ManagedKube/kubernetes-ops/tree/main/terraform-modules/aws/cluster-autoscaler
+
+We'll go through some parts of this config.
+
+```
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = "cluster-autoscaler-${var.cluster_name}"
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_service_account_namespace}:${var.k8s_service_account_name}"]
+}
+
+resource "aws_iam_policy" "cluster_autoscaler" {
+ name_prefix = "cluster-autoscaler-${var.cluster_name}"
+ description = "EKS cluster-autoscaler policy for cluster ${var.eks_cluster_id}"
+ policy = data.aws_iam_policy_document.cluster_autoscaler.json
+}
+
+data "aws_iam_policy_document" "cluster_autoscaler" {
+ statement {
+ sid = "clusterAutoscalerAll"
+ effect = "Allow"
+
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeLaunchTemplateVersions",
+ ]
+
+ resources = ["*"]
+...
+...
+...
+```
+
+We are creating a policy and then a role that binds this policy to it.
+
+In the cluster-autoscaler's Helm chart we give it the kubernetes service account that we want this pod to use which has the AWS identity mapped to the authorizing this user/service account and then we add in the annotation of the role that we want to assume.
+```yaml
+rbac:
+ create: true
+ serviceAccount:
+ # This value should match local.k8s_service_account_name in locals.tf
+ name: ${serviceAccountName}
+ annotations:
+ # This value should match the ARN of the role created by module.iam_assumable_role_admin in irsa.tf
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/cluster-autoscaler-${clusterName}"
+```
+
+Suffice it to say, all of these names has to match up exactly or the authentication will fail.
+ + +## How to give a pod access to the RDS database via a pod IAM role? diff --git a/docs/deployment.md b/docs/deployment.md new file mode 100644 index 000000000..20db47591 --- /dev/null +++ b/docs/deployment.md @@ -0,0 +1,6 @@ +# Deployment + +![alt text](./diagrams/x2-image-build-pipeline.jpeg "Title") + +How to deploy to dev, test, pre-prod, prod?? + diff --git a/docs/diagrams/images/AWS-Secrets-Configuration-Provider-2021-1.png b/docs/diagrams/images/AWS-Secrets-Configuration-Provider-2021-1.png new file mode 100644 index 000000000..c3570ad69 Binary files /dev/null and b/docs/diagrams/images/AWS-Secrets-Configuration-Provider-2021-1.png differ diff --git a/docs/diagrams/images/external-secrets.png b/docs/diagrams/images/external-secrets.png new file mode 100644 index 000000000..e01503a78 Binary files /dev/null and b/docs/diagrams/images/external-secrets.png differ diff --git a/docs/diagrams/images/loki-explore.png b/docs/diagrams/images/loki-explore.png new file mode 100644 index 000000000..468368c7c Binary files /dev/null and b/docs/diagrams/images/loki-explore.png differ diff --git a/docs/diagrams/images/loki-logs-nginx.png b/docs/diagrams/images/loki-logs-nginx.png new file mode 100644 index 000000000..e2cc6f557 Binary files /dev/null and b/docs/diagrams/images/loki-logs-nginx.png differ diff --git a/docs/diagrams/images/loki-search-by-dropdown.png b/docs/diagrams/images/loki-search-by-dropdown.png new file mode 100644 index 000000000..e3939ad89 Binary files /dev/null and b/docs/diagrams/images/loki-search-by-dropdown.png differ diff --git a/docs/diagrams/images/loki-search-help.png b/docs/diagrams/images/loki-search-help.png new file mode 100644 index 000000000..4c486c541 Binary files /dev/null and b/docs/diagrams/images/loki-search-help.png differ 
diff --git a/docs/diagrams/images/loki-select-datasource.png b/docs/diagrams/images/loki-select-datasource.png new file mode 100644 index 000000000..08efaacbb Binary files /dev/null and b/docs/diagrams/images/loki-select-datasource.png differ diff --git a/docs/diagrams/istio-k8s.drawio b/docs/diagrams/istio-k8s.drawio new file mode 100644 index 000000000..c772e88f8 --- /dev/null +++ b/docs/diagrams/istio-k8s.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/docs/diagrams/istio-k8s.png b/docs/diagrams/istio-k8s.png new file mode 100644 index 000000000..974b55e2f Binary files /dev/null and b/docs/diagrams/istio-k8s.png differ diff --git a/docs/eks.md b/docs/eks.md new file mode 100644 index 000000000..bda1afe41 --- /dev/null +++ b/docs/eks.md 
@@ -0,0 +1,59 @@
+# EKS
+
+## EKS permissions
+
+For each EKS cluster you want to access you will need to add your user to the list of people that has access.
+
+For `staging` it is located here: `/terraform-environments/aws/staging/20-eks/main.tf`
+
+Under these keys:
+* `map_roles`
+* `map_users`
+
+## Local setup to access an EKS cluster
+
+### Install
+On your local computer, you will need to setup your credentials to authenticate to the EKS cluster via the cli tools
+
+Required local CLI tools:
+* AWS CLI - https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html
+* kubectl - https://kubernetes.io/docs/tasks/tools/#kubectl
+
+### AWS Authentication
+The CLI tool `kubectl` uses a config file called the `kubeconfig` to tell it where the Kubernetes API endpoint is and how to authenticate to it. Since EKS is on AWS, the `aws` CLI tool can help you to produce this file and place it locally on your system. By default, running the following commands will place the config file on your system at this path: `~/.kube/config`. You can override this path by setting the envar `KUBECONFIG`. The CLI `kubectl` will first read this envar to find the location of the `kubeconfig` and then default back to `~/.kube/config` path.
+
+List the EKS clusters:
+```
+aws eks --region us-east-1 list-clusters
+```
+
+Get the `kubeconfig` of a cluster:
+```
+aws eks --region us-east-1 update-kubeconfig --name
+```
+
+### Mapping SSO roles
+You can map an assumed SSO role in the AWS account where the EKS cluster was launched in. This will give
+`cluster-admin` permission to this role:
+
+```
+ map_roles = [
+ {
+ rolearn = "arn:aws:iam::1234xxxx:role/AWSReservedSSO_AdministratorAccess_4a1e6f8139bcedae"
+ username = "kubernetes-ops:aws:admin"
+ groups = ["system:masters"]
+ },
+ ]
+```
+
+## EKS Logs
+
+### Control plane logs
+
+Ensure that you have the control plane logs enabled:
+
+![alt text](./images/eks-logs-setting.png "Title")
+
+Viewing logs in AWS CloudWatch
+
+![alt text](./images/eks-logs-cloudwatch-log-groups.png "Title")
diff --git a/docs/how-to-add-in-a-new-app.md b/docs/how-to-add-in-a-new-app.md
new file mode 100644
index 000000000..640f98b56
--- /dev/null
+++ b/docs/how-to-add-in-a-new-app.md
@@ -0,0 +1,4 @@
+# How to add in a new app
+
+
+If a new github repo is added, what all activities need to be done to deploy its code in production
\ No newline at end of file
diff --git a/docs/images/aws-kops/Topology-aws-kops.png b/docs/images/aws-kops/Topology-aws-kops.png
new file mode 100644
index 000000000..9bc0f2943
Binary files /dev/null and b/docs/images/aws-kops/Topology-aws-kops.png differ
diff --git a/docs/images/aws-kops/Topology-aws-kops.xml b/docs/images/aws-kops/Topology-aws-kops.xml
new file mode 100644
index 000000000..4912782b8
--- /dev/null
+++ b/docs/images/aws-kops/Topology-aws-kops.xml
@@ -0,0 +1,2 @@
+
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
\ No newline at end of file
diff --git a/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.drawio b/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.drawio
new file mode 100644
index 000000000..63bf271a0
--- /dev/null
+++ b/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.drawio
@@ -0,0 +1 @@
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
\ No newline at end of file
diff --git a/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.png b/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.png new file mode 100644 index 000000000..72023c0ac Binary files /dev/null and b/docs/images/ci-cd-fargate-runner/ci-cd-fargate-runner.png differ diff --git a/docs/images/eks-logs-cloudwatch-log-groups.png b/docs/images/eks-logs-cloudwatch-log-groups.png new file mode 100644 index 000000000..763a40c59 Binary files /dev/null and b/docs/images/eks-logs-cloudwatch-log-groups.png differ diff --git a/docs/images/eks-logs-setting.png b/docs/images/eks-logs-setting.png new file mode 100644 index 000000000..447033f14 Binary files /dev/null and b/docs/images/eks-logs-setting.png differ diff --git a/docs/images/gcp-gke/topology-gcp-gke.png b/docs/images/gcp-gke/topology-gcp-gke.png new file mode 100644 index 000000000..3b84bbb08 Binary files /dev/null and b/docs/images/gcp-gke/topology-gcp-gke.png differ diff --git a/docs/images/gcp-gke/topology-gcp-gke.xml b/docs/images/gcp-gke/topology-gcp-gke.xml new file mode 100644 index 000000000..2e07c723a --- /dev/null +++ b/docs/images/gcp-gke/topology-gcp-gke.xml 
@@ -0,0 +1,2 @@ + +7V1tb6M4EP41/dgVxmDgY9M2e6t9UU5d3Un3pXLATdASnAOnzd6vP5uX8DIkbdoA2a4jVUkGMGaex+PxzDi9wNer7ceErpdfecCiC9MIthf45sI0EbGIfFOSn7nEdb1csEjCoDipEtyF/7FCaBTSTRiwtHGi4DwS4bop9HkcM180ZDRJ+FPztAceNe+6pgsGBHc+jaD07zAQy+IpbKOS/8HCxbK8MzKKIytanlwI0iUN+FNNhG8v8HXCucg/rbbXLFLKK/WSXzfdc3TXsYTF4iUXOPblx/DzwiP3wfebyYT/yb5+uyxaeaTRpnjgorPiZ6mBhG/igKlG0AWe0MQvQJII4UlA0+XuWCoS/oNd84gn2aXYyF7yyEMYRaU85rG8fLJIaBDKrrfEqsEZFYIlsRS6sitY/qHsvbxDCYRU4aToP0sE2+5VDNqpW/KU8RUTyU95yrZJtYKhyC2+P1V4IxsXwmUDbKuQ0oJli13jFRDyQ4HFEbhgGwDzT6agK3W3N2B0rH6VZkM5HK6icKGumHMh+KoLbEKmU0JOAwluQoIdCIlldyDikt4AsQAgd5t5zEQOyVeaSpWecuxMp27fY2cvtidAkJAGgju0agiajgURNL2+EDTd523dUqyiApC62iUcNnKtKQZAFZpva1LwtZRGdM6iGU9DEXIl9aXuJEmq07+0TtgBQIt2dleka+qH8eK7avfmUo2yBx6Lkk2o/F48Sfm91n8ve6mWlnStzlltF2rG/rDw1+aHJdt+8lUXJusk/3Dj89V6I9g9ixehfMa3M8K0nAYlPAt9sAEpSt7UOWG75YknJwXCR5GCpuvcyXgIt2rodrNhN9MbXVB2c6VFNzxxb6ZoH1x+xDfBfcqSx9LmvG0CJF4DGdvw4AxodJlbry9YoLX9vJlLu8aEdAYrcyt7KDso35ahYFEohcGFcoNIJIohkLmGpVrJvxvlbU0y85q5JjURWaj32WYehb686tOs1pJ8iLyx/CTq+yxNAVEkAupojS+d9Ogw6M+SZBUGgbrNJHvSO2kN1D2fJCWkrJpljBN5RF6TEATDgWp18MHsy3Yj6A5p2z2k7SZNh8wj1uiWmxw0EfIo3l5JpdzWdKDZ0s2WWFCpo+R0fNnNFqX7540/0zsHHfgnnvzQDnwNQsttIOga0IHHDoYQYgf1hSB04L/xQNLVmHGurr7Men9CCCemWtT+shAS3IQQYwih6XRM457TF4SeNtpna7S9ps12jdHn+NKfrNHlWi19pOgLp0Hpnc+T0jGXyNBYIVFYg5OtBDqXAZqfB/iZLVEjidL9vALlBI6F1XREDXv8IIIJo+jH0XSWhI9UsAbXXkNZeCfN3HNlLjI6PKqhiQt94ut86ajn4lGX225rue2NThVsAqoASrA4uFIp12wQ0TSVs6ciAU0EFNfok7fDApCIfVZdNXV0ZYNKWcIiKsLHZvNdGiruMONhZnt30bB28KMV5kr5JvFZcZVZy8C2Gtp1aF9DUlULJkBDGWC7x34Dhi8Idr9XDN1m8gEZpvdKEK3nWuobRRj4+itMxIZGNaNdeRSFJ6Kt9z7r/Zgr736dq+zerxT2tgkfN5ffyEajG/GO+b5wVL9RoUmynyQBe2QRX8vl9ponQg21t0/yplkCXZY5lEN7PIZYcMVd1Z3MAUPeW92Jjb02Jg4ctQOXnlgvcL30UO3PG3ds0iKFZ5njRx0sXbogde64LWxsBNdKwxYvWLp4YcziBcdoU4J0zKuDli9YunxhXAtO2tO6R8a337qA4WR8OXkujBhtxlje+M65LmE4zpu3nRaIrgG9+YGrGCxdxXAkik57neximJkeuJDB0oUM52u8ba9tvF1j9One1rUMvyxF+8kIE4TbXqlBxo8rlGFqXc2guXsEd5HR4VsNTV0YKdX1DOew/nbB+tsbnyy/bzacAAfJI61GXpoOd+xnm+o5H27DcOvvg2M7M4EM/MriFJjlgG31j
SQMk+r09Fjpaaes+Nolp53RLTaMmFbJaR/w470lp6vxWEJCXADJwLlpW2+qH9WzQmBXfVXBMOJAhdGxQ6x4n6lpBLfVQws6bGaawBiUzkwPuK0e7quHO/IGTUwTGOvR5ntQ8w021ptjG++yBzq1cYapDQR31kMTMjRhYCBFp6UP+vGtvfWOB/34gbPSBAZRdFb6MIhgd31HacGwSWkC4yfacp+N5TbA/vrxp3oYUNE56V+EoT3tUoYb7PH48QSyf9+STklr6u6jbodbNTRxYXhUJ6TPYt3d3mHvjs+VFwRN32keE4Et9mVe4dgsJgJ77Nst9ZzDdGCI9fdBEW6yd14LI9xl7wyL4/4qOJ2LHjoXjbr2So/+62QODJTqn4Q/qpDfKpMd4/0qvHM4eKlBhHEvczgM5dfqH6Tkpr36NzP49n8= \ No newline at end of file diff --git a/docs/images/gcp-groups/GCP-Groups.png b/docs/images/gcp-groups/GCP-Groups.png new file mode 100644 index 000000000..1b0189690 Binary files /dev/null and b/docs/images/gcp-groups/GCP-Groups.png differ diff --git a/docs/images/gcp-groups/GCP-Groups.xml b/docs/images/gcp-groups/GCP-Groups.xml new file mode 100644 index 000000000..94cfbad74 --- /dev/null +++ b/docs/images/gcp-groups/GCP-Groups.xml @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/docs/images/istio-networking.png b/docs/images/istio-networking.png new file mode 100644 index 000000000..eb83947cf Binary files /dev/null and b/docs/images/istio-networking.png differ diff --git a/docs/images/the-stack/kubernetes-managed-service-stack-v1.png b/docs/images/the-stack/kubernetes-managed-service-stack-v1.png new file mode 100644 index 000000000..9d080ba46 Binary files /dev/null and b/docs/images/the-stack/kubernetes-managed-service-stack-v1.png differ diff --git a/docs/images/the-stack/kubernetes-managed-service-stack-v1.xml b/docs/images/the-stack/kubernetes-managed-service-stack-v1.xml new file mode 100644 index 000000000..962ef9344 --- /dev/null +++ b/docs/images/the-stack/kubernetes-managed-service-stack-v1.xml @@ -0,0 +1 @@ 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 \ No newline at end of file 
diff --git a/docs/images/the-stack/kubernetes-managed-service-stack-v2.png b/docs/images/the-stack/kubernetes-managed-service-stack-v2.png new file mode 100644 index 000000000..aaad8abf1 Binary files /dev/null and b/docs/images/the-stack/kubernetes-managed-service-stack-v2.png differ diff --git a/docs/images/the-stack/kubernetes-managed-service-stack-v2.xml b/docs/images/the-stack/kubernetes-managed-service-stack-v2.xml new file mode 100644 index 000000000..67fc8fcde --- /dev/null +++ b/docs/images/the-stack/kubernetes-managed-service-stack-v2.xml @@ -0,0 +1,158 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/docs/kubernetes-secrets.md b/docs/kubernetes-secrets.md new file mode 100644 index 000000000..e0ce74895 --- /dev/null +++ b/docs/kubernetes-secrets.md 
@@ -0,0 +1,166 @@
+# Kubernetes Secrets
+
+## Comparison and trade offs on secret tools
+
+1. https://github.com/external-secrets/kubernetes-external-secrets
+2. https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/
+
+Both of these tools can retrieve secrets from AWS secrets. The main difference are how the secrets are
+accessed and presented to the pod.
+
+| Feature | kubernetes-external-secrets | kubernetes-secrets-store-csi-driver |
+|-------------------------------------------------|-----------------------------|-------------------------------------|
+| Can mount secret to a specific pod | no | yes |
+| Authentication and authorization to AWS Secrets | IAM Role | IAM Role |
+| Can add secret to Kubernetes secret | yes | yes |
+| Can get secrets from Vault | yes | no |
+
+*secret store csi can leverage vault https://github.com/hashicorp/vault-csi-provider as long as orgs have kube 1.16+
+
+
+### kubernetes-secrets-store-csi-driver
+![alt text](./diagrams/images/AWS-Secrets-Configuration-Provider-2021-1.png "Title")
+
+While it seems that the `kubernetes-secrets-store-csi-driver` is more secure because it can mount the secret directly
+into a pod, we should look at the mechanism that enables this to evaluate how secure it is.
+
+With the `kubernetes-secrets-store-csi-driver` the pod is given access to a `serviceAccountName`. This `ServiceAccount`
+has the identity that is given the AWS IAM permissions to get this secret:
+
+```yaml
+kind: Pod
+apiVersion: v1
+metadata:
+ name: nginx-secrets-store-inline
+spec:
+ serviceAccountName: aws-node
+ containers:
+ - image: nginx
+ name: nginx
+ volumeMounts:
+ - name: mysecret2
+ mountPath: "/mnt/secrets-store"
+ readOnly: true
+ volumes:
+ - name: mysecret2
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+```
+
+The pod uses this `ServiceAccount` as the identity to assume the IAM role. It then uses this to fetch
+the AWS Secret and mounts it as a storage volume inside the pod's container via an in memory storage
+volume. This secret never gets written to the underlying node's disk.
+
+This sounds good and checks off a few boxes:
+1. It is never written to the disk
+1. Only this pod has the secret storage volume attached to the pod
+1. Makes it harder for kubernetes cluster-admins or namespace admins to read this secret but not impossible
+1. It is not using Kubernetes secret where any items in the same namespace can read
+
+Let's dig into: `Makes it harder for kubernetes cluster-admins or namespace admins to read this secret but not impossible`
+
+You can't just do a `kubectl get secret mysecret -o yaml` and get the secret.
+
+You can `kubectl exec` into the pod to get the secret.
+
+No shell? You can then just launch another pod in the namespace to go and fetch the secret. A little bit harder
+but not by much.
+
+Let's dig into: `It is not using Kubernetes secret where any items in the same namespace can read`
+
+Sure, other pods can't easily go and get the secret from the kubernetes secrets and read it like the last statement.
+
+However, a secret is only as secure as your first inital access point and this first initial access point for
+either solution is the Kubernetes `ServiceAccount` in the same namespace. If you have this and know where
+the secret is, you can use this identity and assume the IAM role to get the secret value.
+
+You can say this is security by obscurity but that isn't really security at all. Just because you can't easily
+see the open window, it doesn't mean it is not there.
+
+
+### external-secrets
+Let's run through how `external-secrets` retrieves the secret.
+
+![alt text](./diagrams/images/external-secrets.png "Title")
+
+The External Secrets Controller has fetches your secrets and places them into the Kubernetes
+secrets. This means that this items will have to be able to assume various IAM roles.
+
+To tell `external-secrets` to get an AWS secret you add in an `ExternalSecret` CRD to your
+namespace. The `external-secrets` controller is responsible for handling these resources:
+
+```yaml
+apiVersion: kubernetes-client.io/v1
+kind: ExternalSecret
+metadata:
+ name: hello-service
+spec:
+ backendType: secretsManager
+ # optional: specify role to assume when retrieving the data
+ roleArn: arn:aws:iam::123456789012:role/test-role
+ # optional: specify region
+ region: us-east-1
+ data:
+ - key: hello-service/credentials
+ name: password
+ property: password
+```
+
+You pass it a `roleArn` and it will assume this role to try and fetch your secret with. If
+successful, it will write it to a Kubernetes secret.
+
+Kubernetes secret's attributes:
+* They are stored in the Kubernetes etcd database and it has encryption at rest
+* Envelope encryption can be added on with your own decryption key if desired: https://aws.amazon.com/blogs/containers/using-eks-encryption-provider-support-for-defense-in-depth/
+
+This makes it reasonably secure and you are mainly worried about access to it.
+
+To further limit access to what IAM roles a namespace can retrieve, you can set and
+enforce annotations on the namespace level to a set of roles. This will allow you
+to scope access more granulary:
+
+```yaml
+kind: Namespace
+metadata:
+ name: iam-example
+ annotations:
+ # annotation key is configurable
+ iam.amazonaws.com/permitted: "arn:aws:iam::123456789012:role/.*"
+```
+
+This sounds good and checks off a few boxes:
+1. It is written to the disk via Kubernetes secrets but it can be encrypted a few times
+1. Only valid users/accounts can access this secret in AWS Secret
+
+However, it doesnt check off these boxes like the other one:
+1. Only this pod has the secret storage volume attached to the pod
+1. Makes it harder for kubernetes cluster-admins or namespace admins to read this secret but not impossible
+1. It is not using Kubernetes secret where any items in the same namespace can read
+
+`Only this pod has the secret storage volume attached to the pod`
+* We outlined this above. While this sounds nice it is really just a few indirections from the actual secret
+* You can still get to the secret just like this pod did by using the same Kubernetes `ServiceAccount`
+
+`Makes it harder for kubernetes cluster-admins or namespace admins to read this secret but not impossible`
+* Yes, this method it is easier to read the actual secret
+* This is just security by obscurity check box
+
+`It is not using Kubernetes secret where any items in the same namespace can read`
+* True, however, just like the above points, you can still get at the secret via the Kubernetes `ServiceAccount`
+
+## Overall assessment
+Both of these methods are about the same since they both start from the source which is
+the Kubernetes `ServiceAccount` and from there that has the identity to assum IAM roles to get
+at the secret.
+
+Both method has the same "initial unlock" flow to it.
+
+For either method to secure from anyone or pod having access to the initial `ServiceAccount` you will have to isolate
+the pod into it's own namespace and then control who has access to this namespace. By doing this, you control who
+has access the namespace which means you can restrict who has access to the `ServiceAccount` in that namespace that
+is used to assume the role that has access to get the AWS secret.
+
+The benefit of the `external-secret` is that it can support various secret backends and not just AWS Secrets and it
+is slightly easier to use from a secret's users perspective. It is all Kubernetes resources.
diff --git a/docs/kubernetes-security/README.md b/docs/kubernetes-security/README.md
new file mode 100644
index 000000000..99bdf681b
--- /dev/null
+++ b/docs/kubernetes-security/README.md
@@ -0,0 +1,26 @@ +# Kubernetes Security +This page is here to describe security challenges and possible solutions to various security concerns in a +Kubernetes deployment. + +## Traditional n-tier architecture +This diagram represents a non-containerized n-tier architecture: + +![the stack](/docs/kubernetes-security/images/n-tier-application-architecture.png) + +## Control plane + +![the stack](/docs/kubernetes-security/images/kubernetes-controle-plane.png) + +### 1 +All pieces communicates with the Kubernetes API via the same interface through a RESTful API. + +## Example application + +![the stack](/docs/kubernetes-security/images/example-application.png) + +### 1 +This is the only external entry point into the Kubernetes cluster from the internet. + +## Deployment workflow + +![the stack](/docs/kubernetes-security/images/deployment-workflow.png) \ No newline at end of file diff --git a/docs/kubernetes-security/images/deployment-workflow.drawio b/docs/kubernetes-security/images/deployment-workflow.drawio new file mode 100644 index 000000000..1f3d179e9 --- /dev/null +++ b/docs/kubernetes-security/images/deployment-workflow.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/docs/kubernetes-security/images/deployment-workflow.png b/docs/kubernetes-security/images/deployment-workflow.png new file mode 100644 index 000000000..5f013c128 Binary files /dev/null and b/docs/kubernetes-security/images/deployment-workflow.png differ diff --git a/docs/kubernetes-security/images/example-application.drawio b/docs/kubernetes-security/images/example-application.drawio new file mode 100644 index 000000000..c3047359e --- /dev/null +++ b/docs/kubernetes-security/images/example-application.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file 
diff --git a/docs/kubernetes-security/images/example-application.png b/docs/kubernetes-security/images/example-application.png new file mode 100644 index 000000000..01dedd0f8 Binary files /dev/null and b/docs/kubernetes-security/images/example-application.png differ diff --git a/docs/kubernetes-security/images/kubernetes-controle-plane.drawio b/docs/kubernetes-security/images/kubernetes-controle-plane.drawio new file mode 100644 index 000000000..63cafef15 --- /dev/null +++ b/docs/kubernetes-security/images/kubernetes-controle-plane.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/docs/kubernetes-security/images/kubernetes-controle-plane.png b/docs/kubernetes-security/images/kubernetes-controle-plane.png new file mode 100644 index 000000000..56b05a0b2 Binary files /dev/null and b/docs/kubernetes-security/images/kubernetes-controle-plane.png differ diff --git a/docs/kubernetes-security/images/n-tier-application-architecture.drawio b/docs/kubernetes-security/images/n-tier-application-architecture.drawio new file mode 100644 index 000000000..fdba7d25f --- /dev/null +++ b/docs/kubernetes-security/images/n-tier-application-architecture.drawio @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/docs/kubernetes-security/images/n-tier-application-architecture.png b/docs/kubernetes-security/images/n-tier-application-architecture.png new file mode 100644 index 000000000..fc7283505 Binary files /dev/null and b/docs/kubernetes-security/images/n-tier-application-architecture.png differ diff --git a/docs/observability.md b/docs/observability.md new file mode 100644 index 000000000..15bbb4541 --- /dev/null +++ b/docs/observability.md 
@@ -0,0 +1,68 @@ +# Observability + +## Logs +Loki is a centralized log server that uses Grafana as the frontend UI. + +### How to: + +#### Get to the logging area +Go to the `Explore` menu item on the left + +![alt text](./diagrams/images/loki-explore.png "Title") + +Select the datasource `loki`: + +![alt text](./diagrams/images/loki-select-datasource.png "Title") + +#### Searching + +##### All logs by a label +You can get all the logs for items that has a certain label. Kubernetes lets you add labels to your +application deployment. This label can be something specific to your app like `app_selector=my-app` +or something specific to an environment such as `env=dev`. + +Tip: +* These Kubernetes labels are arbitrary +* They are here to help you find things that you are interested in +* You should add labels to your deployments that aggregates the data into how you want to search for them +* The same labels are also captured by Prometheus which means you can search for logs and metrics with the same labels + +![alt text](./diagrams/images/loki-search-by-dropdown.png "Title") + +After clicking on one of these your search appears in the search field and the logs appear below that: + +![alt text](./diagrams/images/loki-logs-nginx.png "Title") + +##### Adding filters +Now that you have all of the logs for the item that you want, you will most likely want to filter it +to something that you are interested in looking for. Loki uses a pipe like syntax and regex. + +If you want to search for everything with the word `error`: +``` +{app_kubernetes_io_name="ingress-nginx"} |~ "error" +``` + +If you want to search for everything with the word `error` in any case (upper or lower): +``` +{app_kubernetes_io_name="ingress-nginx"} |~ "(?i)error" +``` + +If you want to search for everything with the word `error` or `warn` in a case +insensitive way: +``` +{app_kubernetes_io_name="ingress-nginx"} |~ "(?i)error|warn" +``` + +Everything after the `|~` is regex. 
You can google for a regex cheat sheet and use that to +help you with the searching syntax + +##### Loki Help +The Loki LogQL docs: https://grafana.com/docs/loki/latest/logql/ + +There is `help` button that expands the searching help menu which can help you get started. + +![alt text](./diagrams/images/loki-search-help.png "Title") + + +## Metrics +Prometheus diff --git a/docs/terraform-github-action-pipeline.md b/docs/terraform-github-action-pipeline.md new file mode 100644 index 000000000..6288cd2ab --- /dev/null +++ b/docs/terraform-github-action-pipeline.md 
@@ -0,0 +1,188 @@ +Terraform Github Actions Pipeline +================================ + +Based on this tutorial: https://learn.hashicorp.com/tutorials/terraform/github-actions + +## Setting up Github access to Terraform Cloud +Our Github Actions will run the Terraform we have locally but it will execute in Terraform Cloud. We will have to give Github Actions permission to Terraform Cloud so it can perform this action. + +## Get Terraform Cloud token +This will be an access token used in Github to acces Terraform Cloud + +* Go to: https://app.terraform.io/app/settings/tokens +* Click on `Create an API Token` +* Name it after the environment name +* Save the token for later use + +## Setup the Github repository +* Either use an exiting repository or create a new repository +* In your Github repository go to: `Settings->Secrets` +* Click on `New repository secret` + +If you only have one environment, then create a secret named: `TF_API_TOKEN` +If you have multiple environments, create a secret named `TF_API_TOKEN_` where `` is the environment name. This is the Terraform Cloud token and we will use a different token for each environment. + +## Terraform Cloud Setup +We will need to create a few workspaces: +1. kubernetes-ops-staging-10-vpc +1. kubernetes-ops-staging-20-eks +1. kubernetes-ops-staging-25-eks-cluster-autoscaler +1. kubernetes-ops-staging-30-helm-kube-prometheus-stack + +### Creatinging a new workspace +* Create a new workspace (API-Driven Workflow) +* Name it after your environment +* Docs: https://learn.hashicorp.com/tutorials/terraform/github-actions#set-up-terraform-cloud + +You will then get back a config block like this: +``` + terraform { + backend "remote" { + organization = "managedkube" + + # The workspace name is the path to the Terraform file with an underscore as the directory delimitor because a / is not allowed in + # the workspace's name. + workspaces { + name = "path-to-terraform-file" + } + } +} +``` +Save this somewhere. 
+ +## Adding AWS permissions +* Cick on the `Variables` tab +* In the `Environment Variable` section add: + +``` +AWS_ACCESS_KEY_ID= +AWS_SECRET_ACCESS_KEY= +``` + +### Copy Github Actions workflow file over to your repository + +Copy the file in this repo: `./.github/workflows/terraform-pipeline-.yaml` file to your repo to the same location. + +If you changed the `TF_API_TOKEN` variable name, you will have to change it in this file. Update to what you changed it to. + +You might have to change the path for where the pipeline will look for changes in this file as well to reflect your path: +``` +terraform-environments/aws/dev +``` + +## Instantiating our cloud on AWS +The next set of steps will outline how we are going to build our Kubernetes cloud. We will build our cloud through the following high level steps: + +1. Create a VPC to hold our cloud +1. Create an EKS cluster +1. Setup Kubernetes Cluster Autoscaler +1. Install kube-prometheus-stack + +### Adding Terraform files +You only need the `./terraform-environments` items. These items uses the modules in this repository to instantiate everything in AWS. You can copy the `./terraform-modules` into your repository and point your usage to that if you want but you won't get the automatic updates when this repository updates these modules. You will have to copy over the changes. + +Copy the `./terraform-environments` folder over to your repository. + +You can rename the environment name to reflect what you want to name your environment to be. + +### Update your Terraform Dloud backend information +For each environment we have a Terraform Cloud workspace. This will help us to keep everything organized so that all of the Terraform state stores for each environment is in it's own segmented area. + +In the original step above when we created the Terraform Cloud workspace, it gave you a config block. We will now use that information and replace it in our Terraform file. 
+ +In the file `./terraform-environments/aws/dev/10-vpc/main.tf`, we will replace this section: +``` + backend "remote" { + organization = "managedkube" + + # The workspace must be unique to this terraform + workspaces { + name = "terraform-environments_aws_dev_vpc" + } + } +``` +With what your Terraform Cloud Workspace gave you. If you are copying the items over from this repo, you will just have to change the `organization` name. + +## Creating the VPC +Path: `terraform-environments/aws/dev/10-vpc` + +Workflow: +* Open a PR with these changes +* You will see the Github Actions running which will run a `terraform plan` and output it to the PR +* If that goes successfully, the PR checks will green up and you can merge the PR +* Once you merge the PR, another Github Action will run and this time it will run with the `terraform apply` action. This will instantiate this Terraform plan. + +## Creating the EKS cluster +Path: `terraform-environments/aws/dev/eks` + +Follow the same workflow as the VPC. + +Note: You may encounter the following error when running Terraform locally or in the cloud. 
+ +*This Terraform run is not authorized to read the state of the workspace `example-environment_vpc`.* + +*Most commonly, this is required when using the terraform_remote_state data source.* + +*To allow this access, `example-environment_vpc` must configure this workspace (`example-environments_eks`) as an authorized remote state consumer.* + +Here's the fix, you will need to give the organization or another workspace access to this state: +* Go to the workspace in Terraform Cloud's UI that you want to get data from +* In that workspace, go to Settings -> General +* Go down to the `Remote state sharing` section and enable it +* You can either give the entire organization access or specific workspaces access to this workspace's state + +## Github Actions workflow syntax + +https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions + +## Terraform Cloud + +### Workspaces +In Terraform cloud, a workspace is like the directory where your Terraform files are located in and where you execute Terraform from and where Terraform puts the state file locally. This means that every single new Terraform needs a new workspace. + +https://www.terraform.io/docs/cloud/workspaces/index.html#workspaces-are-collections-of-infrastructure + +## Usage + +Will have to create a pipeline for each Terraform you want to "sync" up. Not so GitOps-ey...i kinda want to get away from creating distinct pipelines. + + +## Getting remote state +At times you will have to get information that was created by another Terraform. For example, you might create a generic VPC that holds all of your resources then you might create an EKS cluster and an RDS in that VPC. Instead of combining those Terraforms into one big Terraform, you can separate it out. However, to create your EKS cluster or RDS, you will need to know certain information like the VPC ID and the subnets you want to put them into. With this, you can get that data and use it in the EKS or RDS Terraform. 
+ +https://www.terraform.io/docs/cloud/workspaces/state.html + +``` +data "terraform_remote_state" "vpc" { + backend = "remote" + config = { + organization = "example_corp" + workspaces = { + name = "vpc-prod" + } + } +} + +resource "aws_instance" "redis_server" { + # Terraform 0.12 syntax: use the "outputs." attribute + subnet_id = data.terraform_remote_state.vpc.outputs.subnet_id + + # Terraform 0.11 syntax: use the "" attribute + subnet_id = "${data.terraform_remote_state.vpc.subnet_id}" +} +``` + +You will also need to give the organization or another workspace access to this state: +* Go to the workspace in Terraform Cloud's UI that you want to get data from +* In that workspace, go to Settings -> General +* Go down to the `Remote state sharing` section and enable it +* You can either give the entire organization access or specific workspaces access to this workspace's state + +## Delete workflow. +The delete workflow is not so great. I would ideally like to be able to delete the item from Git and have a plan and apply on merge to destroy the resources. + +You have to go into the Terraform's Cloud UI and into your workspace to delete the resources: +https://learn.hashicorp.com/tutorials/terraform/cloud-destroy?in=terraform/cloud-get-started#delete-the-terraform-cloud-workspace + +## Order of commiting +There is an order you have to commit the files. You will have to commit the VPC Terraform and let it create before commiting and merging the EKS cluster Terraform because the EKS Terraform depends on information from the VPC Terraform. If that information is not there, the EKS cluster Terraform will fail. diff --git a/docs/terraform-troubleshooting.md b/docs/terraform-troubleshooting.md new file mode 100644 index 000000000..e79c70c90 --- /dev/null +++ b/docs/terraform-troubleshooting.md 
@@ -0,0 +1,24 @@ +# Terraform Troubeshooting + +## AWS 403 + +``` +Terraform v0.15.1 +on linux_amd64 +Configuring remote state backend... +Initializing Terraform configuration... +╷ +│ Error: error configuring Terraform AWS Provider: error validating provider credentials: error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid. +│ status code: 403, request id: dbd162e1-7207-43cc-b4ab-dd6944107e2e +│ +│ with provider["registry.terraform.io/hashicorp/aws"], +│ on main.tf line 21, in provider "aws": +│ 21: provider "aws" { +│ +╵ +``` + +This is most likely that the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variable in Terraform cloud is incorrect. + +Check to make sure you entered in the correct AWS access keys. + diff --git a/docs/tools.md b/docs/tools.md new file mode 100644 index 000000000..0edcafef3 --- /dev/null +++ b/docs/tools.md 
@@ -0,0 +1,40 @@ +Tools you will need +==================== + +# Download CLIs +This project uses various CLIs and tools to help create this infrastructure. + +## Terraform + +Download location: https://releases.hashicorp.com/terraform/ + +## Terragrunt + +Download location: https://github.com/gruntwork-io/terragrunt/releases/tag/v0.18.7 + +## AWS CLI +Any recent version of the aws cli should work. The version it was tested on +was: + +``` +aws-cli/1.16.xx +``` + +Install instructions: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html + +## sshuttle +`sshuttle` is a tool that will create an SSH tunnel from your local laptop +to a remote network and forward everything destined for that IP space over there +with DNS resolution. It uses ssh to create the tunnel. + +Why not just use SSH? SSH does not have the functionality to forward the entire +CIDR range of the remote network to your local machine. The alternative is to +forward each individual host to your local machine and even in this case, you +don't get DNS resolution of the remote network with it. + +OSX +``` +brew install sshuttle +``` + +Linux install instructions: https://github.com/sshuttle/sshuttle#obtaining-sshuttle diff --git a/docs/wip-thoughts.md b/docs/wip-thoughts.md new file mode 100644 index 000000000..2f1d46efe --- /dev/null +++ b/docs/wip-thoughts.md 
@@ -0,0 +1,114 @@ +# Github Actions + +Introductory doc: [https://help.github.com/en/actions/automating-your-workflow-with-github-actions/configuring-a-workflow](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/configuring-a-workflow) + +Workflow syntax: [https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-github-actions) + +Secrets/Environment vars: [https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) + +Google example to build and deploy to a GKE cluster: [https://github.com/actions/starter-workflows/blob/master/ci/google.yml](https://github.com/actions/starter-workflows/blob/master/ci/google.yml) + + + +# Other workflows + +## Deployment + +https://github.community/t5/GitHub-Actions/GitHub-Actions-Manual-Trigger-Approvals/m-p/31517#M813 + + +# Github status page + +Github Action is still new, there can be problems with it triggering. If you are noticing issues check their +status page: + +https://www.githubstatus.com/ + + +.. + +# Dev workflow + +The dev workflow is not so great. + +For example, I was trying to download a tool (the tool don't really matter much) and use it +in the workflow. + +```yaml + # Set up sonobuoy + - name: Set up sonobuoy + run: | + curl -o ${SONOBUOY_TAR_FILE}.tar.gz --location ${SONOBUOY_URL}/${SONOBUOY_TAR_FILE}.tar.gz + tar -zxvf ${SONOBUOY_TAR_FILE}.tar.gz + export PATH=$(pwd):$PATH + sonobuoy version +``` + +This is a working version of it but there were many iterations before I got the tar output correct +and what it outputted and where the `sonobuoy` (tool) binary was. 
To debug this you start doing stuff like: + +```yaml + # Set up sonobuoy + - name: Set up sonobuoy + run: | + curl -o ${SONOBUOY_TAR_FILE}.tar.gz --location ${SONOBUOY_URL}/${SONOBUOY_TAR_FILE}.tar.gz + tar -zxvf ${SONOBUOY_TAR_FILE}.tar.gz + ls -l + export PATH=$(pwd):$PATH + sonobuoy version +``` + +Adding `ls -l` into the step and then committing it and then waiting for the Github Action executor to +execute it. If you are lucky you get it correct on the first try. I'm not that lucky. It took me a +bunch of tries before I got it correct. + +If you look at the commits around this time, you will see what I had to do: [https://github.com/ManagedKube/kubernetes-ops/commit/807185895f0ef0c19652b250f687b998a117b592](https://github.com/ManagedKube/kubernetes-ops/commit/807185895f0ef0c19652b250f687b998a117b592) + +That is not that cool of a workflow. + +Once I got that figured out, then if you look at this run: [https://github.com/ManagedKube/kubernetes-ops/commit/807185895f0ef0c19652b250f687b998a117b592/checks?check_suite_id=342939929#step:9:16](https://github.com/ManagedKube/kubernetes-ops/commit/807185895f0ef0c19652b250f687b998a117b592/checks?check_suite_id=342939929#step:9:16) + +```bash +time="2019-12-05T02:45:48Z" level=error msg="could not create sonobuoy client: couldn't get sonobuoy api helper: could not get api group resources: Get https://api-dev-test-us-east-1-k8-idc14e-1850800389.us-east-1.elb.amazonaws.com/api?timeout=32s: dial tcp 18.211.59.240:443: i/o timeout" +``` + +It timed out on trying to reach the Kubernetes API endpoint. That is the correct thing, I now have to open up the Kubernetes API to the +source IP of where Github Actions are coming from. + +Now, im debugging infrastructure issues here. This will have to be done but it doesn't have to be figured out right now. I am still +trying to figure out this pipeline run. 
+ +What I really want to do is to run this pipeline locally and not have to do this commit->push loop all the time for every single little +action or change I want to make. + +I am specifically mentioning Github Actions here but this is not a problem exclusive to them. Jenkins pipelines has the same problem as +well. You are not able to run anything locally and you have to go through the commit->push loop to make Jenkins run your updates. + +# Am I using these pipelines wrong? + +I was working on another project today and it was about Apache Airflow. I didn't know much about it but the developers were running it on Kubernetes +and needed some help. So in helping them out, I was Googling around for information on what Airflow was, what the architecture was like, +how did it use/integrate with Kubernetes, and generally how it works. + +The blog that I came around to that is related to this problem is this blog: + +[https://medium.com/bluecore-engineering/were-all-using-airflow-wrong-and-how-to-fix-it-a56f14cb0753](https://medium.com/bluecore-engineering/were-all-using-airflow-wrong-and-how-to-fix-it-a56f14cb0753) + +The short of it, is that they were running into the same problems as I am right now with these "pipelines". They had to commit +everything then have the Airflow harness to run it and then each Airflow thing was wrapped around with an Operator (an Airflow +Operator not a Kubernetes Operator) and then it executed the action. In this sequence many things can go wrong. The problem +can be in Airflow scheduling, in the Airflow Operator (which they were saying happened a lot), or their own logic. So going +through this process they had to debug a lot of stuff until they got to the problem and most developers were not Airflow or Kubernetes +experts which makes debugging it even harder and very time consuming. Which means nobody really like it or used it. The adoption of +this was low in their company. 
+ +The way they solve it was to run a generic Airflow Operator. This generic Airflow Operator basically only ran a Docker container which +gave it some nice properties. One of the big thing it gave them was that the developer can run the core logic without the Airflow +scheduling harness around it on her laptop. The Airflow Operator that spawned off a pod was very stable unlike other Operators that +are community maintained. The developer didn't have to know much about Airflow or Kubernetes to build a pipeline. They just had to +know the Airflow entry points and how to hook into it. + +This leads us back to my problem. I am having all of the same problems that they describe in the blog and all of the same solutions +would work for my problem. In my case, the Github Action is equivalent to Airflow which I really do not want to debug. Github Action +also can just run a Docker container for me. If I made Github Action run my container, then I can develop all I want locally until it works +then try to have Github Actions to run it for me. diff --git a/docs/wireguard/README.md b/docs/wireguard/README.md new file mode 100644 index 000000000..afd279e6d --- /dev/null +++ b/docs/wireguard/README.md 
@@ -0,0 +1,153 @@ +# Wireguard VPN + +Main setup guide: https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-ubuntu-20-04 + +**ToC** +- [Wireguard VPN](#wireguard-vpn) + * [New user setup](#new-user-setup) + + [Install the wireguard client](#install-the-wireguard-client) + + [Generate your private and public keys](#generate-your-private-and-public-keys) + - [Linux](#linux) + - [OSX](#osx) + + [Give the public key to your VPN administrator](#give-the-public-key-to-your-vpn-administrator) + + [Linux](#linux-1) + - [Connect to the tunnel](#connect-to-the-tunnel) + + [OSX](#osx-1) + * [VPN Administrator](#vpn-administrator) + + [What to do when someone gives you a public key](#what-to-do-when-someone-gives-you-a-public-key) + * [WireGuard Server info](#wireguard-server-info) + * [Adding a peer on the Wireguard VPN server](#adding-a-peer-on-the-wireguard-vpn-server) + * [Removing a peer](#removing-a-peer) + * [User table](#user-table) + +Table of contents generated with markdown-toc + + +## New user setup + +### Install the wireguard client + +https://www.wireguard.com/install/ + +### Generate your private and public keys + +#### Linux + +Private keys: +``` +wg genkey | sudo tee /etc/wireguard/private.key +``` + +Public keys: +``` +sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key +``` + +#### OSX +https://serversideup.net/how-to-configure-a-wireguard-macos-client/ + +The `Add an empty tunnel` step will help you to generate your public and private keys + + +### Give the public key to your VPN administrator +The public key string is not a secret and can be passed around freely via Slack or email. + +Give this public key to your VPN administrator. + +You should never pass around your private key. + + +### Linux +Use the file in the same directory as this `README.md` named `client-wg-config.conf`. 
+ +Put the content of that config file into your local computer at: `/etc/wireguard/wg0.conf` + +Replace the `` with your own private key. + +#### Connect to the tunnel + +``` +sudo wg-quick up wg0 +``` + +Check your local routes: +``` +ip route +``` + +Check the wireguard status: +``` +sudo wg +``` + +Turn off the VPN: +``` +sudo wg-quick down wg0 +``` + +### OSX + +Follow the directions in this guide: https://serversideup.net/how-to-configure-a-wireguard-macos-client/ + +Use the file in the same directory as this `README.md` named `client-wg-config.conf`. This will be your +config. + +Replace the `` with your own private key. + + + +## VPN Administrator + +### What to do when someone gives you a public key +This means someones wants to connect to this Wireguard VPN. + +The following steps will get them setup. + +## WireGuard Server info + +* Location: 641669687490 (production AWS account) +* AWS Region: us-east-1 + +How to access it: +* The ssh port is not enabled on the machine +* You have to use AWS SSM to access the machine +* GUI + * Log into the AWS production account via the web gui + * Navigate to: AWS System Manager -> Node Management -> Session Manager + * Click on "Start Session" + * Click on the radio button for node `i-02bb2da37071c6c04` + * Click on "Start Session" + * A new tab will open up with a web terminal + + +VPN CIDR: 10.2.200.0/24 + +## Adding a peer on the Wireguard VPN server +Run on the Wireguard server. 
+
+You will use that public key to add the user in:
+```
+sudo wg set wg0 peer allowed-ips 10.2.200.1
+```
+
+Check the status:
+```
+sudo wg
+```
+
+## Removing a peer
+
+```
+sudo wg set wg0 peer remove
+```
+
+## User table
+| User | Assigned IP | Add command |
+|----------------|----------------|----------------------------------------------------------------------------------------------|
+| garland | 10.2.200.1/24 | sudo wg set wg0 peer OnA5n39plVMsap8MkADWgr0RPL0LCbzVFb4gLwSnGTQ= allowed-ips 10.2.200.1 |
+| | | |
+| | | |
+
+* Each user **MUST** have a unique "Assigned IP". The easiest way is to increment the last octet by 1.
+* Then run the "Add command" on the Wireguard server
+* Add each user to this table for record keeping and also used to decommision a user
diff --git a/docs/wireguard/client-wg-config.conf b/docs/wireguard/client-wg-config.conf
new file mode 100644
index 000000000..833c5bb6b
--- /dev/null
+++ b/docs/wireguard/client-wg-config.conf
@@ -0,0 +1,18 @@
+[Interface]
+PrivateKey = 
+Address = 10.2.200.1/24
+DNS = 10.2.0.2
+
+# The wireguard server
+[Peer]
+# The wireguards server's public key
+PublicKey = 5kK5yQBhcbzwPWmbPXLAChO5h3jvlVsA0QSNPS5XLzA=
+
+# Send only traffic destined for the network
+#AllowedIPs = 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16
+
+# Send all local traffic through the VPN
+AllowedIPs = 0.0.0.0/0
+
+# The wireguard endpoint
+Endpoint = 3.237.75.177:51820
diff --git a/docs/wireguard/server-wg-config.conf b/docs/wireguard/server-wg-config.conf
new file mode 100644
index 000000000..4c0bfd003
--- /dev/null
+++ b/docs/wireguard/server-wg-config.conf
@@ -0,0 +1,10 @@
+[Interface]
+PrivateKey = 
+Address = 10.2.200.0/24
+ListenPort = 51820
+SaveConfig = true
+
+PostUp = ufw route allow in on wg0 out on eth0
+PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
+PreDown = ufw route delete allow in on wg0 out on eth0
+PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
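Review bot: `Address = 10.2.200.1/24` is hard-coded in a template the README tells every new user to copy verbatim, yet the user table in this same change already assigns 10.2.200.1 to one peer and requires each peer to have a unique IP; a second user who keeps this line will source packets from an address that the server's `allowed-ips` for their key does not cover, and their traffic will be silently dropped. Replace it with a placeholder and a pointer, e.g. `# Use the Assigned IP your VPN administrator gave you (see the user table in README.md)` followed by `Address = <assigned-ip>/24`. The `PrivateKey =` value appears blank here (the placeholder was presumably lost in rendering); whatever goes there makes this whole file a secret, so it should be created with `umask 077` or `chmod 600 /etc/wireguard/wg0.conf` — `wg-quick` warns when it is world-readable, and the README's key-generation steps do not mention it. Shipping `AllowedIPs = 0.0.0.0/0` as the active line routes all of the user's internet traffic (and, via `DNS = 10.2.0.2`, all of their DNS) through a host in the production account; the commented split-tunnel line is the safer default, with full tunnel as the opt-in.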
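Review bot: `ufw route allow in on wg0 out on eth0` together with the MASQUERADE rule forwards whatever a peer sends to any destination reachable from eth0, so every VPN user gets unrestricted routed access to the production VPC and to the internet; a peer's client-side `AllowedIPs` only chooses what the client routes into the tunnel, it does not limit what the server permits. Scope the forward rule to the networks the VPN exists to reach, e.g. `PostUp = ufw route allow in on wg0 out on eth0 to 10.0.0.0/16` (one rule per CIDR, with the matching `PreDown`), and keep the MASQUERADE rule only if internet egress through the VPN is actually intended. `SaveConfig = true` means `wg-quick down` rewrites this file from the running state — private key plus every peer added with `wg set` — so this file becomes the real peer membership list, hand edits made while the interface is up are lost, and it must be mode 600; a comment saying so would save the next administrator a surprise. `Address = 10.2.200.0/24` gives the server the network address of the range; conventionally the server takes the first host address, which presumably needs reconciling with the user table that hands 10.2.200.1 to a peer.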
diff --git a/old/clusters/aws/kops/.gitignore b/old/clusters/aws/kops/.gitignore
new file mode 100644
index 000000000..e42858d34
--- /dev/null
+++ b/old/clusters/aws/kops/.gitignore
@@ -0,0 +1 @@
+kops*.yaml
diff --git a/old/clusters/aws/kops/clusters/ci-pipeline/values.yaml b/old/clusters/aws/kops/clusters/ci-pipeline/values.yaml
new file mode 100644
index 000000000..0aa089788
--- /dev/null
+++ b/old/clusters/aws/kops/clusters/ci-pipeline/values.yaml
@@ -0,0 +1,289 @@ +kopsName: ci-pipeline.us-east-1 +s3BucketName: kubernetes-ops-expanse-1234-kops-state-store +kubernetesVersion: 1.14.8 +dnsZone: k8s.local +awsRegion: us-east-1 +vpc: vpc-040b894f25ade9ef4 +sshKeyName: kubernetes_ops + +api: + loadBalancer: + type: Public + +availabilityZonesEtcd: +- masterZoneName: a + etcdName: a +- masterZoneName: b + etcdName: b +- masterZoneName: c + etcdName: c + +availabilityZonesKubeMaster: +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +availabilityZonesAll: +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +# Uncomment and grab set the nat-id from terraform to reuse nat gateway +availabilityZonesPrivate: + - zone: a + # egress: first-nat-id-from-terraform-output + - zone: b + # egress: second-nat-id-from-terraform-output + - zone: c + # egress: third-nat-id-from-terraform-output + +#limit to one zone +availabilityZonesThreatstackMaster: +- name: a + zone: a + +enablePublicSubnets: true + +sshAccess: +# - 0.0.0.0/0 +- 10.0.0.0/8 +- 38.30.8.138/32 + +kubernetesApiAccess: +# Internal routes +# - 10.0.0.0/8 +# - 172.0.0.0/8 +# # External access +# - 38.30.8.138/32 +- 0.0.0.0/0 + +iam: + allowContainerRegistry: true + +networkCIDR: 10.10.0.0/16 +networkPortion: "10.10" + +subnets: + - name: utility + type: Utility + blocks: + - cidr: 10.10.10.0/24 + zone: a + - cidr: 10.10.11.0/24 + zone: b + - cidr: 10.10.12.0/24 + zone: c + - name: public + type: Public + blocks: + - cidr: 10.10.20.0/24 + zone: a + - cidr: 10.10.21.0/24 + zone: b + - cidr: 10.10.22.0/24 + zone: c + - name: kube-master + type: Private + blocks: + - cidr: 10.10.30.0/24 + zone: a + - cidr: 10.10.31.0/24 + zone: b + - cidr: 10.10.32.0/24 + zone: c + - name: infrastructure-zone + type: Private + blocks: + - cidr: 10.10.40.0/24 + zone: a + - cidr: 10.10.41.0/24 + zone: b + - cidr: 10.10.42.0/24 + zone: c + - name: worker-zone + type: Private + blocks: + - cidr: 10.10.50.0/24 + zone: a + - cidr: 10.10.51.0/24 + zone: b + - cidr: 
10.10.52.0/24 + zone: c + - name: threatstack-master-zone + type: Private + blocks: + - cidr: 10.10.60.0/24 + zone: a + - cidr: 10.10.61.0/24 + zone: b + - cidr: 10.10.62.0/24 + zone: c + +enableBastionGroup1: true +enableThreatstackMasterGroup1: false + +instanceGroups: + kubeMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-master + managed_by: kops + nodeLabels: + # kops.k8s.io/my-label: a-label + bastionWorkersGroup1: + # Amazon Linux AMI + image: ami-0de53d8956e8dcf80 + machineType: t3.medium + maxSize: 10 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + threatstackMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2079.5.1-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-threatstack-master + managed_by: kops + nodeLabels: + threatstack-master: "true" + taints: + enable: true + items: + - application=threatstack-master:NoSchedule + +# A list of workers instances groups that will use all zones +# Add an item in here to create a new instance group in all zones +workerInstanceGroupsAllZones: + on-demand: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.large + maxSize: 0 + minSize: 0 
+ cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + taints: {} + spotGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxPrice: "0.01" + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + kops.k8s.io/instancegroup: spot-zone-a + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + taints: {} + infrastructureGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: 
infrastructure + taints: + - application=infrastructure:NoSchedule + jenkinsMastersGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-masters + taints: + - application=jenkins-master:NoSchedule + jenkinsWorkersGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-workers + taints: + - application=jenkins-workers:NoSchedule diff --git a/clusters/aws/kops/clusters/dev-example/values.yaml b/old/clusters/aws/kops/clusters/dev-example/values.yaml similarity index 74% rename from clusters/aws/kops/clusters/dev-example/values.yaml rename to old/clusters/aws/kops/clusters/dev-example/values.yaml index 3c9f399aa..27085656d 100644 
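Review bot: `kubernetesApiAccess` is set to `0.0.0.0/0` while `api.loadBalancer.type: Public` puts the API server on an internet-facing load balancer, so the control plane of the CI cluster is reachable from any source address even though `sshAccess` in the same file is already limited to `10.0.0.0/8` and `38.30.8.138/32`. The commented-out block directly above it lists the intended internal ranges plus the office address; restoring `- 10.0.0.0/8` and `- 38.30.8.138/32` and dropping the `- 0.0.0.0/0` entry would bring API exposure in line with SSH. Note that `172.0.0.0/8` in that commented block is far wider than RFC 1918's `172.16.0.0/12`, so correct it before uncommenting. Separately, `spotGroup1` sets `maxPrice` yet labels itself `kubernetes-ops/isSpot: "false"`, which will mislead anything that selects nodes on that label.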
--- a/clusters/aws/kops/clusters/dev-example/values.yaml +++ b/old/clusters/aws/kops/clusters/dev-example/values.yaml @@ -1,29 +1,48 @@ kopsName: dev-example.us-east-1 -s3BucketName: kubernetes-ops-2345-kops-state-store -kubernetesVersion: 1.11.7 +s3BucketName: kubernetes-ops-1234-kops-state-store +kubernetesVersion: 1.13.10 dnsZone: k8s.local awsRegion: us-east-1 vpc: vpc-id-from-the-terraform-output sshKeyName: kubernetes_ops availabilityZonesEtcd: -- a -- b -- c +- masterZoneName: a + etcdName: a +- masterZoneName: b + etcdName: b +- masterZoneName: c + etcdName: c availabilityZonesKubeMaster: -- a -- b -- c +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c availabilityZonesAll: -- a -- b -- c +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +# Uncomment and grab set the nat-id from terraform to reuse nat gateway +availabilityZonesPrivate: + - zone: a + # egress: first-nat-id-from-terraform-output + - zone: b + # egress: second-nat-id-from-terraform-output + - zone: c + # egress: third-nat-id-from-terraform-output #limit to one zone availabilityZonesThreatstackMaster: -- a +- name: a + zone: a enablePublicSubnets: true 
@@ -40,22 +59,66 @@ kubernetesApiAccess: iam: allowContainerRegistry: true -# etcd -etcd: - version: 3.2.18 - networkCIDR: 10.10.0.0/16 networkPortion: "10.10" -docker: - overrides: false - bridgeIP: 172.26.0.1/16 +subnets: + - name: utility + type: Utility + blocks: + - cidr: 10.12.10.0/24 + zone: a + - cidr: 10.12.11.0/24 + zone: b + - cidr: 10.12.12.0/24 + zone: c + - name: public + type: Public + blocks: + - cidr: 10.12.20.0/24 + zone: a + - cidr: 10.12.21.0/24 + zone: b + - cidr: 10.12.22.0/24 + zone: c + - name: kube-master + type: Private + blocks: + - cidr: 10.12.30.0/24 + zone: a + - cidr: 10.12.31.0/24 + zone: b + - cidr: 10.12.32.0/24 + zone: c + - name: infrastructure-zone + type: Private + blocks: + - cidr: 10.12.40.0/24 + zone: a + - cidr: 10.12.41.0/24 + zone: b + - cidr: 10.12.42.0/24 + zone: c + - name: worker-zone + type: Private + blocks: + - cidr: 10.12.50.0/24 + zone: a + - cidr: 10.12.51.0/24 + zone: b + - cidr: 10.12.52.0/24 + zone: c + - name: threatstack-master-zone + type: Private + blocks: + - cidr: 10.12.60.0/24 + zone: a + - cidr: 10.12.61.0/24 + zone: b + - cidr: 10.12.62.0/24 + zone: c enableBastionGroup1: true -enableSpotInstanceGroup1: false -enableOnDemandGroup1: true -enableInfrastructureGroup1: true -enableJenkinsGroup1: false enableThreatstackMasterGroup1: false instanceGroups: @@ -73,13 +136,12 @@ instanceGroups: managed_by: kops nodeLabels: # kops.k8s.io/my-label: a-label - spotGroup1: - # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos - image: 595879546273/CoreOS-stable-2023.5.0-hvm + bastionWorkersGroup1: + # Amazon Linux AMI + image: ami-0de53d8956e8dcf80 machineType: t3.medium - maxPrice: "0.01" - maxSize: 0 - minSize: 0 + maxSize: 10 + minSize: 1 cloudLabels: CostCenter: kubernetes-saas Owner: kubernetes 
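Review bot: Every subnet added under `subnets:` lives in `10.12.0.0/16` (`10.12.10.0/24` through `10.12.62.0/24`) but the unchanged `networkCIDR: 10.10.0.0/16` and `networkPortion: "10.10"` a few lines above still describe a `10.10` VPC, and to my knowledge kops rejects subnet CIDRs that fall outside `networkCIDR`, so this cluster should fail validation as written (and would not be routable inside the VPC if it did not). Either move the subnets back to `10.10.x.0/24` or set `networkCIDR: 10.12.0.0/16` and `networkPortion: "10.12"` so the two agree, as the sibling dev, dev-test and ci-pipeline files in this commit do. If the mismatch is deliberate for an example file, a comment saying so would stop someone copying it verbatim.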
@@ -88,22 +150,34 @@ instanceGroups: managed_by: kops # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + threatstackMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2079.5.1-hvm + machineType: t3.medium + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-threatstack-master + managed_by: kops nodeLabels: - kops.k8s.io/instancegroup: spot-zone-a - prod.us-east-1.k8s.local/role: scale-zero - kubernetes-ops/isSpot: "false" - kubernetes-ops/instanceType: t3.medium - kubernetes-ops/hasPublicIP: "false" + threatstack-master: "true" taints: - enable: false + enable: true items: - - application=generic:NoSchedule - onDemandGroup1: + - application=threatstack-master:NoSchedule + +# A list of workers instances groups that will use all zones +# Add an item in here to create a new instance group in all zones +workerInstanceGroupsAllZones: + on-demand: # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos image: 595879546273/CoreOS-stable-2023.5.0-hvm machineType: t3.large maxSize: 10 - minSize: 1 + minSize: 0 cloudLabels: CostCenter: kubernetes-saas Owner: kubernetes @@ -117,15 +191,13 @@ instanceGroups: kubernetes-ops/isSpot: "false" kubernetes-ops/instanceType: t3.medium kubernetes-ops/hasPublicIP: "false" - taints: - enable: false - items: - - application=generic:NoSchedule - infrastructureGroup1: + taints: {} + spotGroup1: # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos image: 595879546273/CoreOS-stable-2023.5.0-hvm machineType: t3.medium - maxSize: 10 + maxPrice: "0.01" + maxSize: 0 minSize: 0 cloudLabels: CostCenter: kubernetes-saas 
@@ -136,16 +208,13 @@ instanceGroups: # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero nodeLabels: + kops.k8s.io/instancegroup: spot-zone-a prod.us-east-1.k8s.local/role: scale-zero kubernetes-ops/isSpot: "false" kubernetes-ops/instanceType: t3.medium kubernetes-ops/hasPublicIP: "false" - kubernetes-ops/application: infrastructure - taints: - enable: true - items: - - application=infrastructure:NoSchedule - jenkinsMastersGroup1: + taints: {} + infrastructureGroup1: # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos image: 595879546273/CoreOS-stable-2023.5.0-hvm machineType: t3.medium @@ -164,12 +233,10 @@ instanceGroups: kubernetes-ops/isSpot: "false" kubernetes-ops/instanceType: t3.medium kubernetes-ops/hasPublicIP: "false" - kubernetes-ops/application: jenkins-masters + kubernetes-ops/application: infrastructure taints: - enable: true - items: - - application=jenkins-master:NoSchedule - jenkinsWorkersGroup1: + - application=infrastructure:NoSchedule + jenkinsMastersGroup1: # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos image: 595879546273/CoreOS-stable-2023.5.0-hvm machineType: t3.medium 
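Review bot: The added node label `kops.k8s.io/instancegroup: spot-zone-a` on `spotGroup1` hard-codes one zone name even though the `workerInstanceGroupsAllZones` comment in this commit says each entry is stamped out in every zone, and kops itself populates `kops.k8s.io/instancegroup` with the real instance-group name; nodes in zones b and c would end up mislabelled or, depending on how the template merges labels, fight the kops-managed value. Unless the template strips it, drop that line and rely on the label kops sets. The group also keeps `kubernetes-ops/isSpot: "false"` (context line) while `spotGroup1` sets `maxPrice`, so anything selecting on that label will treat spot capacity as on-demand.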
@@ -188,17 +255,15 @@ instanceGroups: kubernetes-ops/isSpot: "false" kubernetes-ops/instanceType: t3.medium kubernetes-ops/hasPublicIP: "false" - kubernetes-ops/application: jenkins-workers + kubernetes-ops/application: jenkins-masters taints: - enable: true - items: - - application=jenkins-workers:NoSchedule - bastionWorkersGroup1: - # Amazon Linux AMI - image: ami-0de53d8956e8dcf80 + - application=jenkins-master:NoSchedule + jenkinsWorkersGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm machineType: t3.medium maxSize: 10 - minSize: 1 + minSize: 0 cloudLabels: CostCenter: kubernetes-saas Owner: kubernetes @@ -207,21 +272,11 @@ instanceGroups: managed_by: kops # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero - threatstackMaster: - # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos - image: 595879546273/CoreOS-stable-2079.5.1-hvm - machineType: t3.medium - maxSize: 1 - minSize: 1 - cloudLabels: - CostCenter: kubernetes-saas - Owner: kubernetes - Project: cloud - Purpose: kubernetes-threatstack-master - managed_by: kops nodeLabels: - threatstack-master: "true" + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-workers taints: - enable: true - items: - - application=threatstack-master:NoSchedule + - application=jenkins-workers:NoSchedule diff --git a/old/clusters/aws/kops/clusters/dev-test/values.yaml b/old/clusters/aws/kops/clusters/dev-test/values.yaml new file mode 100644 index 000000000..dcfb80cc9 --- /dev/null +++ b/old/clusters/aws/kops/clusters/dev-test/values.yaml 
@@ -0,0 +1,289 @@ +kopsName: dev-test.us-east-1 +s3BucketName: kubernetes-ops-expanse-1234-kops-state-store +kubernetesVersion: 1.14.9 +dnsZone: k8s.local +awsRegion: us-east-1 +vpc: vpc-040b894f25ade9ef4 +sshKeyName: kubernetes_ops + +api: + loadBalancer: + type: Public + +availabilityZonesEtcd: +- masterZoneName: a + etcdName: a +- masterZoneName: b + etcdName: b +- masterZoneName: c + etcdName: c + +availabilityZonesKubeMaster: +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +availabilityZonesAll: +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +# Uncomment and grab set the nat-id from terraform to reuse nat gateway +availabilityZonesPrivate: + - zone: a + # egress: first-nat-id-from-terraform-output + - zone: b + # egress: second-nat-id-from-terraform-output + - zone: c + # egress: third-nat-id-from-terraform-output + +#limit to one zone +availabilityZonesThreatstackMaster: +- name: a + zone: a + +enablePublicSubnets: true + +sshAccess: +# - 0.0.0.0/0 +- 10.0.0.0/8 +- 38.30.8.138/32 + +kubernetesApiAccess: +# Internal routes +# - 10.0.0.0/8 +# - 172.0.0.0/8 +# # External access +# - 38.30.8.138/32 +- 0.0.0.0/0 + +iam: + allowContainerRegistry: true + +networkCIDR: 10.10.0.0/16 +networkPortion: "10.10" + +subnets: + - name: utility + type: Utility + blocks: + - cidr: 10.10.10.0/24 + zone: a + - cidr: 10.10.11.0/24 + zone: b + - cidr: 10.10.12.0/24 + zone: c + - name: public + type: Public + blocks: + - cidr: 10.10.20.0/24 + zone: a + - cidr: 10.10.21.0/24 + zone: b + - cidr: 10.10.22.0/24 + zone: c + - name: kube-master + type: Private + blocks: + - cidr: 10.10.30.0/24 + zone: a + - cidr: 10.10.31.0/24 + zone: b + - cidr: 10.10.32.0/24 + zone: c + - name: infrastructure-zone + type: Private + blocks: + - cidr: 10.10.40.0/24 + zone: a + - cidr: 10.10.41.0/24 + zone: b + - cidr: 10.10.42.0/24 + zone: c + - name: worker-zone + type: Private + blocks: + - cidr: 10.10.50.0/24 + zone: a + - cidr: 10.10.51.0/24 + zone: b + - cidr: 
10.10.52.0/24 + zone: c + - name: threatstack-master-zone + type: Private + blocks: + - cidr: 10.10.60.0/24 + zone: a + - cidr: 10.10.61.0/24 + zone: b + - cidr: 10.10.62.0/24 + zone: c + +enableBastionGroup1: true +enableThreatstackMasterGroup1: false + +instanceGroups: + kubeMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-master + managed_by: kops + nodeLabels: + # kops.k8s.io/my-label: a-label + bastionWorkersGroup1: + # Amazon Linux AMI + image: ami-0de53d8956e8dcf80 + machineType: t3.medium + maxSize: 10 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + threatstackMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2079.5.1-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-threatstack-master + managed_by: kops + nodeLabels: + threatstack-master: "true" + taints: + enable: true + items: + - application=threatstack-master:NoSchedule + +# A list of workers instances groups that will use all zones +# Add an item in here to create a new instance group in all zones +workerInstanceGroupsAllZones: + on-demand: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.large + maxSize: 0 + minSize: 0 
+ cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + taints: {} + spotGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxPrice: "0.01" + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + kops.k8s.io/instancegroup: spot-zone-a + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + taints: {} + infrastructureGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: 
infrastructure + taints: + - application=infrastructure:NoSchedule + jenkinsMastersGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-masters + taints: + - application=jenkins-master:NoSchedule + jenkinsWorkersGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-workers + taints: + - application=jenkins-workers:NoSchedule diff --git a/old/clusters/aws/kops/clusters/dev/values.yaml b/old/clusters/aws/kops/clusters/dev/values.yaml new file mode 100644 index 000000000..d43ca95b1 --- /dev/null +++ b/old/clusters/aws/kops/clusters/dev/values.yaml 
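Review bot: `kubernetesApiAccess` ends in `- 0.0.0.0/0`, which together with `api.loadBalancer.type: Public` exposes this cluster's API server to every source address, whereas `sshAccess` in the same file is limited to `10.0.0.0/8` and `38.30.8.138/32`. The commented-out list directly above already shows the intended allow-list; uncomment `- 10.0.0.0/8` and `- 38.30.8.138/32`, delete the `- 0.0.0.0/0` entry, and replace `172.0.0.0/8` (not a private range) with `172.16.0.0/12` before enabling it. If world-reachable API access really is wanted for a `dev-test` cluster, a comment saying why, and that authentication and RBAC are then the only barrier, would be better than a silent `0.0.0.0/0`.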
@@ -0,0 +1,282 @@ +kopsName: dev.us-east-1 +s3BucketName: kubernetes-ops-1234-kops-state-store +kubernetesVersion: 1.13.10 +dnsZone: k8s.local +awsRegion: us-east-1 +vpc: vpc-id-from-the-terraform-output +sshKeyName: kubernetes_ops + +availabilityZonesEtcd: +- masterZoneName: a + etcdName: a +- masterZoneName: b + etcdName: b +- masterZoneName: c + etcdName: c + +availabilityZonesKubeMaster: +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +availabilityZonesAll: +- name: a + zone: a +- name: b + zone: b +- name: c + zone: c + +# Uncomment and grab set the nat-id from terraform to reuse nat gateway +availabilityZonesPrivate: + - zone: a + # egress: first-nat-id-from-terraform-output + - zone: b + # egress: second-nat-id-from-terraform-output + - zone: c + # egress: third-nat-id-from-terraform-output + +#limit to one zone +availabilityZonesThreatstackMaster: +- name: a + zone: a + +enablePublicSubnets: true + +sshAccess: +- 0.0.0.0/0 +# - 10.0.0.0/8 + +kubernetesApiAccess: +# Internal routes +- 10.0.0.0/8 +- 172.0.0.0/8 +- 0.0.0.0/0 + +iam: + allowContainerRegistry: true + +networkCIDR: 10.10.0.0/16 +networkPortion: "10.10" + +subnets: + - name: utility + type: Utility + blocks: + - cidr: 10.10.10.0/24 + zone: a + - cidr: 10.10.11.0/24 + zone: b + - cidr: 10.10.12.0/24 + zone: c + - name: public + type: Public + blocks: + - cidr: 10.10.20.0/24 + zone: a + - cidr: 10.10.21.0/24 + zone: b + - cidr: 10.10.22.0/24 + zone: c + - name: kube-master + type: Private + blocks: + - cidr: 10.10.30.0/24 + zone: a + - cidr: 10.10.31.0/24 + zone: b + - cidr: 10.10.32.0/24 + zone: c + - name: infrastructure-zone + type: Private + blocks: + - cidr: 10.10.40.0/24 + zone: a + - cidr: 10.10.41.0/24 + zone: b + - cidr: 10.10.42.0/24 + zone: c + - name: worker-zone + type: Private + blocks: + - cidr: 10.10.50.0/24 + zone: a + - cidr: 10.10.51.0/24 + zone: b + - cidr: 10.10.52.0/24 + zone: c + - name: threatstack-master-zone + type: Private + blocks: + - cidr: 10.10.60.0/24 
+ zone: a + - cidr: 10.10.61.0/24 + zone: b + - cidr: 10.10.62.0/24 + zone: c + +enableBastionGroup1: true +enableThreatstackMasterGroup1: false + +instanceGroups: + kubeMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-master + managed_by: kops + nodeLabels: + # kops.k8s.io/my-label: a-label + bastionWorkersGroup1: + # Amazon Linux AMI + image: ami-0de53d8956e8dcf80 + machineType: t3.medium + maxSize: 10 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + threatstackMaster: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2079.5.1-hvm + machineType: t3.medium + maxSize: 1 + minSize: 1 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-threatstack-master + managed_by: kops + nodeLabels: + threatstack-master: "true" + taints: + enable: true + items: + - application=threatstack-master:NoSchedule + +# A list of workers instances groups that will use all zones +# Add an item in here to create a new instance group in all zones +workerInstanceGroupsAllZones: + on-demand: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.large + maxSize: 10 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: 
kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + taints: {} + spotGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxPrice: "0.01" + maxSize: 0 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + kops.k8s.io/instancegroup: spot-zone-a + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + taints: {} + infrastructureGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 10 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: infrastructure + taints: + - application=infrastructure:NoSchedule + jenkinsMastersGroup1: 
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 10 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-masters + taints: + - application=jenkins-master:NoSchedule + jenkinsWorkersGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.medium + maxSize: 10 + minSize: 0 + cloudLabels: + CostCenter: kubernetes-saas + Owner: kubernetes + Project: cloud + Purpose: kubernetes-spot-node + managed_by: kops + # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866 + k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero + nodeLabels: + prod.us-east-1.k8s.local/role: scale-zero + kubernetes-ops/isSpot: "false" + kubernetes-ops/instanceType: t3.medium + kubernetes-ops/hasPublicIP: "false" + kubernetes-ops/application: jenkins-workers + taints: + - application=jenkins-workers:NoSchedule diff --git a/old/clusters/aws/kops/clusters/prod/values.yaml b/old/clusters/aws/kops/clusters/prod/values.yaml new file mode 100644 index 000000000..e97178019 --- /dev/null +++ b/old/clusters/aws/kops/clusters/prod/values.yaml 
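Review bot: This file opens both `sshAccess` and `kubernetesApiAccess` to `0.0.0.0/0`, which puts the SSH security-group rules kops derives from `sshAccess` and the `dev` cluster's API server within reach of any internet address; the commented `# - 10.0.0.0/8` under `sshAccess` shows the restriction that was dropped. The `10.0.0.0/8` and `172.0.0.0/8` entries listed before the wildcard are moot once `0.0.0.0/0` is present, and `172.0.0.0/8` is far wider than the private `172.16.0.0/12`. Tighten both to the allow-list the `ci-pipeline` and `dev-test` files in this commit use for SSH (`- 10.0.0.0/8` plus the office `/32`) and remove `- 0.0.0.0/0` from each list. `vpc: vpc-id-from-the-terraform-output` is still a placeholder, so the file cannot be applied as committed; a leading comment marking it as a template would avoid confusion.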
@@ -0,0 +1,282 @@
+kopsName: prod.us-east-1
+s3BucketName: kubernetes-ops-1234-kops-state-store
+kubernetesVersion: 1.13.10
+dnsZone: k8s.local
+awsRegion: us-east-1
+vpc: vpc-id-from-the-terraform-output
+sshKeyName: kubernetes_ops
+
+availabilityZonesEtcd:
+- masterZoneName: a
+ etcdName: a
+- masterZoneName: b
+ etcdName: b
+- masterZoneName: c
+ etcdName: c
+
+availabilityZonesKubeMaster:
+- name: a
+ zone: a
+- name: b
+ zone: b
+- name: c
+ zone: c
+
+availabilityZonesAll:
+- name: a
+ zone: a
+- name: b
+ zone: b
+- name: c
+ zone: c
+
+# Uncomment and grab set the nat-id from terraform to reuse nat gateway
+availabilityZonesPrivate:
+ - zone: a
+ # egress: first-nat-id-from-terraform-output
+ - zone: b
+ # egress: second-nat-id-from-terraform-output
+ - zone: c
+ # egress: third-nat-id-from-terraform-output
+
+#limit to one zone
+availabilityZonesThreatstackMaster:
+- name: a
+ zone: a
+
+enablePublicSubnets: true
+
+sshAccess:
+- 0.0.0.0/0
+# - 10.0.0.0/8
+
+kubernetesApiAccess:
+# Internal routes
+- 10.0.0.0/8
+- 172.0.0.0/8
+- 0.0.0.0/0
+
+iam:
+ allowContainerRegistry: true
+
+networkCIDR: 10.13.0.0/16
+networkPortion: "10.13"
+
+subnets:
+ - name: utility
+ type: Utility
+ blocks:
+ - cidr: 10.13.10.0/24
+ zone: a
+ - cidr: 10.13.11.0/24
+ zone: b
+ - cidr: 10.13.12.0/24
+ zone: c
+ - name: public
+ type: Public
+ blocks:
+ - cidr: 10.13.20.0/24
+ zone: a
+ - cidr: 10.13.21.0/24
+ zone: b
+ - cidr: 10.13.22.0/24
+ zone: c
+ - name: kube-master
+ type: Private
+ blocks:
+ - cidr: 10.13.30.0/24
+ zone: a
+ - cidr: 10.13.31.0/24
+ zone: b
+ - cidr: 10.13.32.0/24
+ zone: c
+ - name: infrastructure-zone
+ type: Private
+ blocks:
+ - cidr: 10.13.40.0/24
+ zone: a
+ - cidr: 10.13.41.0/24
+ zone: b
+ - cidr: 10.13.42.0/24
+ zone: c
+ - name: worker-zone
+ type: Private
+ blocks:
+ - cidr: 10.13.50.0/24
+ zone: a
+ - cidr: 10.13.51.0/24
+ zone: b
+ - cidr: 10.13.52.0/24
+ zone: c
+ - name: threatstack-master-zone
+ type: Private
+ blocks:
+ - cidr: 10.13.60.0/24
+ zone: a
+ - cidr: 10.13.61.0/24
+ zone: b
+ - cidr: 10.13.62.0/24
+ zone: c
+
+enableBastionGroup1: true
+enableThreatstackMasterGroup1: false
+
+instanceGroups:
+ kubeMaster:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 1
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-master
+ managed_by: kops
+ nodeLabels:
+ # kops.k8s.io/my-label: a-label
+ bastionWorkersGroup1:
+ # Amazon Linux AMI
+ image: ami-0de53d8956e8dcf80
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ threatstackMaster:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2079.5.1-hvm
+ machineType: t3.medium
+ maxSize: 1
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-threatstack-master
+ managed_by: kops
+ nodeLabels:
+ threatstack-master: "true"
+ taints:
+ enable: true
+ items:
+ - application=threatstack-master:NoSchedule
+
+# A list of workers instances groups that will use all zones
+# Add an item in here to create a new instance group in all zones
+workerInstanceGroupsAllZones:
+ on-demand:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.large
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ taints: {}
+ spotGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxPrice: "0.01"
+ maxSize: 0
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ kops.k8s.io/instancegroup: spot-zone-a
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ taints: {}
+ infrastructureGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: infrastructure
+ taints:
+ - application=infrastructure:NoSchedule
+ jenkinsMastersGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: jenkins-masters
+ taints:
+ - application=jenkins-master:NoSchedule
+ jenkinsWorkersGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: jenkins-workers
+ taints:
+ - application=jenkins-workers:NoSchedule
diff --git a/old/clusters/aws/kops/clusters/qa/values.yaml b/old/clusters/aws/kops/clusters/qa/values.yaml
new file mode 100644
index 000000000..ea9588035
--- /dev/null
+++ b/old/clusters/aws/kops/clusters/qa/values.yaml
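Review bot: `sshAccess` and `kubernetesApiAccess` both contain `- 0.0.0.0/0`, so the bastion's SSH port and the Kubernetes API security-group ingress are open to every source address in the prod cluster; the qa and staging values files in this commit carry the same two entries. The commented-out `# - 10.0.0.0/8` under `sshAccess` shows the intended scope, so the open entry should be removed and replaced with the VPN or office prefixes before this file is applied. The `# Internal routes` comment above `kubernetesApiAccess` also overstates what the list does: `172.0.0.0/8` covers a large amount of public address space, while the RFC 1918 block is `172.16.0.0/12`. A list of `- 10.0.0.0/8` and `- 172.16.0.0/12`, with the `0.0.0.0/0` line dropped, would match the comment.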
@@ -0,0 +1,282 @@
+kopsName: qa.us-east-1
+s3BucketName: kubernetes-ops-1234-kops-state-store
+kubernetesVersion: 1.13.10
+dnsZone: k8s.local
+awsRegion: us-east-1
+vpc: vpc-id-from-the-terraform-output
+sshKeyName: kubernetes_ops
+
+availabilityZonesEtcd:
+- masterZoneName: a
+ etcdName: a
+- masterZoneName: b
+ etcdName: b
+- masterZoneName: c
+ etcdName: c
+
+availabilityZonesKubeMaster:
+- name: a
+ zone: a
+- name: b
+ zone: b
+- name: c
+ zone: c
+
+availabilityZonesAll:
+- name: a
+ zone: a
+- name: b
+ zone: b
+- name: c
+ zone: c
+
+# Uncomment and grab set the nat-id from terraform to reuse nat gateway
+availabilityZonesPrivate:
+ - zone: a
+ # egress: first-nat-id-from-terraform-output
+ - zone: b
+ # egress: second-nat-id-from-terraform-output
+ - zone: c
+ # egress: third-nat-id-from-terraform-output
+
+#limit to one zone
+availabilityZonesThreatstackMaster:
+- name: a
+ zone: a
+
+enablePublicSubnets: true
+
+sshAccess:
+- 0.0.0.0/0
+# - 10.0.0.0/8
+
+kubernetesApiAccess:
+# Internal routes
+- 10.0.0.0/8
+- 172.0.0.0/8
+- 0.0.0.0/0
+
+iam:
+ allowContainerRegistry: true
+
+networkCIDR: 10.11.0.0/16
+networkPortion: "10.11"
+
+subnets:
+ - name: utility
+ type: Utility
+ blocks:
+ - cidr: 10.11.10.0/24
+ zone: a
+ - cidr: 10.11.11.0/24
+ zone: b
+ - cidr: 10.11.12.0/24
+ zone: c
+ - name: public
+ type: Public
+ blocks:
+ - cidr: 10.11.20.0/24
+ zone: a
+ - cidr: 10.11.21.0/24
+ zone: b
+ - cidr: 10.11.22.0/24
+ zone: c
+ - name: kube-master
+ type: Private
+ blocks:
+ - cidr: 10.11.30.0/24
+ zone: a
+ - cidr: 10.11.31.0/24
+ zone: b
+ - cidr: 10.11.32.0/24
+ zone: c
+ - name: infrastructure-zone
+ type: Private
+ blocks:
+ - cidr: 10.11.40.0/24
+ zone: a
+ - cidr: 10.11.41.0/24
+ zone: b
+ - cidr: 10.11.42.0/24
+ zone: c
+ - name: worker-zone
+ type: Private
+ blocks:
+ - cidr: 10.11.50.0/24
+ zone: a
+ - cidr: 10.11.51.0/24
+ zone: b
+ - cidr: 10.11.52.0/24
+ zone: c
+ - name: threatstack-master-zone
+ type: Private
+ blocks:
+ - cidr: 10.11.60.0/24
+ zone: a
+ - cidr: 10.11.61.0/24
+ zone: b
+ - cidr: 10.11.62.0/24
+ zone: c
+
+enableBastionGroup1: true
+enableThreatstackMasterGroup1: false
+
+instanceGroups:
+ kubeMaster:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 1
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-master
+ managed_by: kops
+ nodeLabels:
+ # kops.k8s.io/my-label: a-label
+ bastionWorkersGroup1:
+ # Amazon Linux AMI
+ image: ami-0de53d8956e8dcf80
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ threatstackMaster:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2079.5.1-hvm
+ machineType: t3.medium
+ maxSize: 1
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-threatstack-master
+ managed_by: kops
+ nodeLabels:
+ threatstack-master: "true"
+ taints:
+ enable: true
+ items:
+ - application=threatstack-master:NoSchedule
+
+# A list of workers instances groups that will use all zones
+# Add an item in here to create a new instance group in all zones
+workerInstanceGroupsAllZones:
+ on-demand:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.large
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ taints: {}
+ spotGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxPrice: "0.01"
+ maxSize: 0
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ kops.k8s.io/instancegroup: spot-zone-a
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ taints: {}
+ infrastructureGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: infrastructure
+ taints:
+ - application=infrastructure:NoSchedule
+ jenkinsMastersGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: jenkins-masters
+ taints:
+ - application=jenkins-master:NoSchedule
+ jenkinsWorkersGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: jenkins-workers
+ taints:
+ - application=jenkins-workers:NoSchedule
diff --git a/old/clusters/aws/kops/clusters/staging/values.yaml b/old/clusters/aws/kops/clusters/staging/values.yaml
new file mode 100644
index 000000000..1a136d06e
--- /dev/null
+++ b/old/clusters/aws/kops/clusters/staging/values.yaml
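Review bot: This qa file labels its nodes with the prod cluster's name: every worker group and the bastion group carry `k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero` and the nodeLabel `prod.us-east-1.k8s.local/role: scale-zero`, while `kopsName` is `qa.us-east-1`; the staging file in this commit has the same copy. If the template or the cluster-autoscaler node selectors key on the cluster's own name, scale-from-zero will not match in qa and staging, and the label misreports which cluster a node belongs to. Either derive the prefix from `kopsName` and `dnsZone` in the template or change it to `qa.us-east-1.k8s.local/role` here; if prod really is the intended key, a comment such as `# label intentionally uses the prod cluster name; shared autoscaler config` would stop the next reader from "fixing" it.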
@@ -0,0 +1,280 @@
+kopsName: staging.us-east-1
+s3BucketName: kubernetes-ops-1234-kops-state-store
+kubernetesVersion: 1.13.10
+dnsZone: k8s.local
+awsRegion: us-east-1
+vpc: vpc-id-from-the-terraform-output
+sshKeyName: kubernetes_ops
+
+availabilityZonesEtcd:
+- masterZoneName: a
+ etcdName: a
+- masterZoneName: b
+ etcdName: b
+- masterZoneName: c
+ etcdName: c
+
+availabilityZonesKubeMaster:
+- name: a
+ zone: a
+- name: b
+ zone: b
+- name: c
+ zone: c
+
+availabilityZonesAll:
+- name: a
+ zone: a
+- name: b
+ zone: b
+- name: c
+ zone: c
+
+# Uncomment and grab set the nat-id from terraform to reuse nat gateway
+availabilityZonesPrivate:
+ - zone: a
+ # egress: first-nat-id-from-terraform-output
+ - zone: b
+ # egress: second-nat-id-from-terraform-output
+ - zone: c
+ # egress: third-nat-id-from-terraform-output
+
+#limit to one zone
+availabilityZonesThreatstackMaster:
+- name: a
+ zone: a
+
+sshAccess:
+- 0.0.0.0/0
+# - 10.0.0.0/8
+
+kubernetesApiAccess:
+# Internal routes
+- 10.0.0.0/8
+- 172.0.0.0/8
+- 0.0.0.0/0
+
+iam:
+ allowContainerRegistry: true
+
+networkCIDR: 10.12.0.0/16
+networkPortion: "10.12"
+
+subnets:
+ - name: utility
+ type: Utility
+ blocks:
+ - cidr: 10.12.10.0/24
+ zone: a
+ - cidr: 10.12.11.0/24
+ zone: b
+ - cidr: 10.12.12.0/24
+ zone: c
+ - name: public
+ type: Public
+ blocks:
+ - cidr: 10.12.20.0/24
+ zone: a
+ - cidr: 10.12.21.0/24
+ zone: b
+ - cidr: 10.12.22.0/24
+ zone: c
+ - name: kube-master
+ type: Private
+ blocks:
+ - cidr: 10.12.30.0/24
+ zone: a
+ - cidr: 10.12.31.0/24
+ zone: b
+ - cidr: 10.12.32.0/24
+ zone: c
+ - name: infrastructure-zone
+ type: Private
+ blocks:
+ - cidr: 10.12.40.0/24
+ zone: a
+ - cidr: 10.12.41.0/24
+ zone: b
+ - cidr: 10.12.42.0/24
+ zone: c
+ - name: worker-zone
+ type: Private
+ blocks:
+ - cidr: 10.12.50.0/24
+ zone: a
+ - cidr: 10.12.51.0/24
+ zone: b
+ - cidr: 10.12.52.0/24
+ zone: c
+ - name: threatstack-master-zone
+ type: Private
+ blocks:
+ - cidr: 10.12.60.0/24
+ zone: a
+ - cidr: 10.12.61.0/24
+ zone: b
+ - cidr: 10.12.62.0/24
+ zone: c
+
+enableBastionGroup1: true
+enableThreatstackMasterGroup1: false
+
+instanceGroups:
+ kubeMaster:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 1
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-master
+ managed_by: kops
+ nodeLabels:
+ # kops.k8s.io/my-label: a-label
+ bastionWorkersGroup1:
+ # Amazon Linux AMI
+ image: ami-0de53d8956e8dcf80
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ threatstackMaster:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2079.5.1-hvm
+ machineType: t3.medium
+ maxSize: 1
+ minSize: 1
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-threatstack-master
+ managed_by: kops
+ nodeLabels:
+ threatstack-master: "true"
+ taints:
+ enable: true
+ items:
+ - application=threatstack-master:NoSchedule
+
+# A list of workers instances groups that will use all zones
+# Add an item in here to create a new instance group in all zones
+workerInstanceGroupsAllZones:
+ on-demand:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.large
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ taints: {}
+ spotGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxPrice: "0.01"
+ maxSize: 0
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ kops.k8s.io/instancegroup: spot-zone-a
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ taints: {}
+ infrastructureGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: infrastructure
+ taints:
+ - application=infrastructure:NoSchedule
+ jenkinsMastersGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: jenkins-masters
+ taints:
+ - application=jenkins-master:NoSchedule
+ jenkinsWorkersGroup1:
+ # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos
+ image: 595879546273/CoreOS-stable-2023.5.0-hvm
+ machineType: t3.medium
+ maxSize: 10
+ minSize: 0
+ cloudLabels:
+ CostCenter: kubernetes-saas
+ Owner: kubernetes
+ Project: cloud
+ Purpose: kubernetes-spot-node
+ managed_by: kops
+ # https://github.com/kubernetes/autoscaler/issues/511#issuecomment-354616866
+ k8s.io/cluster-autoscaler/node-template/label/prod.us-east-1.k8s.local/role: scale-zero
+ nodeLabels:
+ prod.us-east-1.k8s.local/role: scale-zero
+ kubernetes-ops/isSpot: "false"
+ kubernetes-ops/instanceType: t3.medium
+ kubernetes-ops/hasPublicIP: "false"
+ kubernetes-ops/application: jenkins-workers
+ taints:
+ - application=jenkins-workers:NoSchedule
diff --git a/old/clusters/aws/kops/clusters/values.yaml b/old/clusters/aws/kops/clusters/values.yaml
new file mode 100644
index 000000000..e85a2ffd8
--- /dev/null
+++ b/old/clusters/aws/kops/clusters/values.yaml
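Review bot: `enablePublicSubnets` is set to `true` in the prod and qa files but is missing from this staging file (the hunk is 280 lines against 282 for the other two), so staging's topology depends on whatever default the cluster template applies to an absent key. If the template treats a missing key as false, staging is built without the public subnets that prod and qa get, which would be a silent difference between environments rather than a declared one. If that is intended, make it explicit with `enablePublicSubnets: false` plus a comment such as `# staging has no public subnets; keep in sync with the template default`; otherwise add `enablePublicSubnets: true` to match the sibling files.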
@@ -0,0 +1,21 @@
+---
+# Topology
+topology:
+ dns:
+ type: Public
+ masters: private
+ nodes: private
+
+api:
+ # Sets the Master's API to Internal or Public
+ # Docs: https://github.com/kubernetes/kops/blob/master/docs/topology.md#changing-topology-of-the-api-server
+ loadBalancer:
+ type: Internal
+
+# etcd
+etcd:
+ version: 3.3.10
+
+docker:
+ overrides: false
+ bridgeIP: 172.26.0.1/16
diff --git a/old/clusters/aws/kops/kops.sh b/old/clusters/aws/kops/kops.sh
new file mode 100755
index 000000000..33a7556eb
--- /dev/null
+++ b/old/clusters/aws/kops/kops.sh
@@ -0,0 +1,501 @@ +#!/bin/bash -e + +# create_kops - A script to create a Kops Kubernetes cluster + +########################################## +##### Constants +########################################## + +TIME_NOW=$(date +"%x %r %Z") +KOPS_VERSION="1.14." + +########################################## +##### Functions +########################################## + +usage() { + exec 1>&2 + echo + echo "usage: $0 [[[-n kops_name ] ] | [-h]]" + echo + echo " This script helps you manage the life cycle of your Kubernetes cluster." + echo + echo " This script will check the version of your kops binary matches with the version that is " + echo " set in this script. Kops clusters has to be applied with the same version as the binary" + echo " to keep the upgrades consistent." + echo + echo " Options:" + echo " --dry-run : Do not apply and only perform a dry run. Defaults to true." + echo + echo " --create : create a cluster" + echo + echo " --cloudonly : Add cloudonly option to the kops rolling-update" + echo + echo " --delete : delete a cluster" + echo + echo " --get-bastion : Get bastion host" + echo + echo " --name : The environment name. This should correspond to a cluster folder name." 
+ echo + echo " --read : Output info on a cluster" + echo + echo " --rolling-update : Perform a rolling update on a cluster" + echo + echo " --template : Template out the kops cluster manifest" + echo + echo " --update : Update a cluster" + echo + echo " --help : this help menu" + echo + echo " Examples:" + echo " # Template out a cluster's manifest:" + echo " $0 --name dev --template true" + echo + echo " # Create a cluster:" + echo " $0 --name dev --create true -dry-run false" + echo + echo " # Delete a cluster:" + echo " $0 --name dev --delete true --dry-run false" + echo + exit 1 +} + +check_kops_version() +{ + command=$(kops version) + + if [[ "${command}" == *"${KOPS_VERSION}"* ]]; then + echo "[INFO] Kops version: ${command}" + else + echo "[ERROR] Kops version expected: ${KOPS_VERSION}" + echo "Got: ${command}" + exit 1 + fi +} + +create() +{ + # Checks + VALUES_FILE_PATH_COMMONS="./clusters/values.yaml" + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! 
-f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + if [ "${dry_run}" == "false" ]; then + echo "[INFO] Not a dry run" + echo "[INFO] Templating out" + kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} > ./kops-templated-${kops_name}.yaml + cat kops-templated-${kops_name}.yaml + + echo "[INFO] Creating the cluster" + kops create -f ./kops-templated-${kops_name}.yaml + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + + mkdir ./ssh-keys/${cluster_name} + + yes y | ssh-keygen -t rsa -b 4096 -C "kops@kops.com" -f ./ssh-keys/${cluster_name}/id_rsa_kops_script -q -N "" >/dev/null + + echo "[INFO] Setting to generic ssh pub key" + kops create secret --name ${cluster_name} sshpublickey admin -i ./ssh-keys/${cluster_name}/id_rsa_kops_script.pub + + echo "[INFO] Applying cluster to AWS" + kops --name ${cluster_name} update cluster --yes + + echo "[INFO] Get clusters" + kops --name ${cluster_name} get clusters + + echo "[INFO] Get instance groups" + kops --name ${cluster_name} get ig + + else + echo "[INFO] Dry run" + kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} + fi + + echo "Finished" + +} + +read() +{ + # Checks + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! 
-f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! -f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + + echo "[INFO] Get clusters" + kops --name ${cluster_name} get cluster + + echo "[INFO] Get instance groups" + kops --name ${cluster_name} get ig +} + +template() +{ + # Checks + VALUES_FILE_PATH_COMMONS="./clusters/values.yaml" + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! -f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + echo "[INFO] Dry run" + kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} + + echo "Finished" +} + +update() +{ + # cluster_name=$(kops get clusters | grep "^${kops_name}\." 
| awk '{print $1}') + # echo "[INFO] Updating cluster named: ${cluster_name}" + + # Checks + VALUES_FILE_PATH_COMMONS="./clusters/values.yaml" + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! -f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + if [ "${dry_run}" == "false" ]; then + echo "[INFO] Not a dry run" + echo "[INFO] Templating out" + set -x + kops toolbox template --template ${TEMPLATE_FILE_PATH} --values ${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} > ./kops-templated-${kops_name}.yaml + set +x + cat kops-templated-${kops_name}.yaml + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + echo "[INFO] Updating cluster named: ${cluster_name}" + + echo "[INFO] Updating the cluster" + #--force is required so that any resources (ie new instance groups) are created; + # without this flag the call fails with a resource DNE error + set -x + kops --name ${cluster_name} replace -f ./kops-templated-${kops_name}.yaml --force + set +x + + echo "[INFO] Applying cluster to AWS" + set -x + kops --name ${cluster_name} update cluster --yes + set +x + + echo "[INFO] Cluster instance groups:" + set -x + kops --name ${cluster_name} get ig + set +x + + else + echo "[INFO] Dry run" + echo "[INFO] Templating out" + set -x + kops toolbox template --template ${TEMPLATE_FILE_PATH} --values 
${VALUES_FILE_PATH_COMMONS} --values ${VALUES_FILE_PATH_ENVIRONMENT} > ./kops-templated-${kops_name}.yaml + set +x + cat kops-templated-${kops_name}.yaml + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + echo "[INFO] Updating cluster named: ${cluster_name}" + + echo "[INFO] Updating the cluster" + #--force is required so that any resources (ie new instance groups) are created; + # without this flag the call fails with a resource DNE error + set -x + kops --name ${cluster_name} replace -f ./kops-templated-${kops_name}.yaml --force + set +x + + echo "[INFO] Applying cluster to AWS" + set -x + kops --name ${cluster_name} update cluster + set +x + + echo "[INFO] Cluster instance groups:" + set -x + kops --name ${cluster_name} get ig + set +x + fi + + echo "Finished" +} + +rolling_update() +{ + # Checks + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! -f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + USE_CLOUD_ONLY_FLAG="" + if [ "${cloudonly}" == "true" ]; then + echo "[INFO] Using --cloudonly flag. This will not drain the nodes first. It will simply terminate the nodes." 
+ USE_CLOUD_ONLY_FLAG="--cloudonly" + fi + + if [ "${dry_run}" == "false" ]; then + echo "[INFO] Not a dry run" + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + echo "[INFO] Rolling cluster named: ${cluster_name}" + + kops --name ${cluster_name} rolling-update cluster --yes ${USE_CLOUD_ONLY_FLAG} + + echo "[INFO] rolling-update cluster:" + kops --name ${cluster_name} rolling-update cluster ${USE_CLOUD_ONLY_FLAG} + + else + echo "[INFO] Dry run" + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + echo "[INFO] Rolling cluster named: ${cluster_name}" + + kops --name ${cluster_name} rolling-update cluster ${USE_CLOUD_ONLY_FLAG} + + echo "[INFO] rolling-update cluster:" + kops --name ${cluster_name} rolling-update cluster ${USE_CLOUD_ONLY_FLAG} + fi + + echo "Finished" +} + +delete() +{ + # Checks + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! 
-f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]').${dns_zone} + echo "[INFO] Deleting cluster named: ${cluster_name}" + + if [ "${dry_run}" == "false" ]; then + echo "[INFO] Not a dry run" + + kops --name ${cluster_name} delete cluster --yes + + else + echo "[INFO] Dry run" + kops --name ${cluster_name} delete cluster + fi +} + +get_bastion() +{ + # Checks + VALUES_FILE_PATH_ENVIRONMENT="./clusters/${kops_name}/values.yaml" + TEMPLATE_FILE_PATH="./template/cluster.yml" + + if [ ! -f ${VALUES_FILE_PATH_ENVIRONMENT} ]; then + echo "File does not exist: ${VALUES_FILE_PATH_ENVIRONMENT}" + exit 1 + fi + + if [ ! 
-f ${TEMPLATE_FILE_PATH} ]; then + echo "File does not exist: ${TEMPLATE_FILE_PATH}" + exit 1 + fi + + kops_state_store=s3://$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "s3BucketName: " | awk '{print $2}' | tr -d '[:space:]') + export KOPS_STATE_STORE=${kops_state_store} + echo "[INFO] Setting KOPS_STATE_STORE: ${kops_state_store}" + + dns_zone=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "dnsZone: " | awk '{print $2}' | tr -d '[:space:]') + cluster_name=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "kopsName: " | awk '{print $2}' | tr -d '[:space:]') + region=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "awsRegion: " | awk '{print $2}' | tr -d '[:space:]') + network_cidr=$(cat ${VALUES_FILE_PATH_ENVIRONMENT} | grep "networkCIDR: " | awk '{print $2}' | tr -d '[:space:]') + + echo "[INFO] Getting bastion host for cluster named: ${cluster_name}" + + DESCRIBE_LOAD_BALANCER_OUTPUT=$(aws elb describe-load-balancers) + + # Get the ELB DNS name + bastion_dns_name=$(echo ${DESCRIBE_LOAD_BALANCER_OUTPUT} | jq -r ".LoadBalancerDescriptions[] | .DNSName" | grep "bastion-${kops_name}-${region}") + + # Get the Kubernetes API server out of the kubeconfig file + kubernetes_api_server=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " " | grep -oP "internal.*") + + echo "[INFO] bastion_dns_name: ${bastion_dns_name}" + echo "[INFO] Add ssh keys into your ssh-agent: ssh-add ./ssh-keys/${cluster_name}/kubernetes-ops.pem" + # echo "[INFO] run: sudo ssh -i ./ssh-keys/${cluster_name}/kubernetes-ops.pem -L 443:${kubernetes_api_server}:443 ec2-user@${bastion_dns_name}" + echo "[INFO] sshuttle command: sshuttle -r ec2-user@${bastion_dns_name} ${network_cidr} -v" + echo "[INFO] In another terminal run: kubectl get nodes" + +} + + +########################################## +##### Main +########################################## + +kops_name="none" +dry_run="true" +create="false" +read="false" +get_bastion="false" +update="false" +delete="false" +rolling_update="false" 
+cloudonly="false" + +if [ $# == 0 ]; then + usage + exit +fi + +while [ "$1" != "" ]; do + case $1 in + -n | --name ) shift + kops_name=$1 + ;; + -d | --dry-run ) shift + dry_run=$1 + ;; + -c | --create ) shift + create=true + ;; + -r | --read ) shift + read=true + ;; + -u | --update ) shift + update=true + ;; + -ru | --rolling-update ) shift + rolling_update=true + ;; + -co | --cloudonly ) shift + cloudonly=true + ;; + -t | --template ) shift + template=true + ;; + -x | --delete ) shift + delete=true + ;; + -b | --get-bastion ) shift + get_bastion=true + ;; + -h | --help ) usage + exit + ;; + * ) usage + exit 1 + esac + shift +done + +echo "[INFO] dry_run = ${dry_run}" +echo "[INFO] kops_name = $kops_name" + +check_kops_version + +if [ "${create}" == "true" ]; then + create $kops_name +fi + +if [ "${read}" == "true" ]; then + read $kops_name +fi + +if [ "${update}" == "true" ]; then + update $kops_name +fi + +if [ "${rolling_update}" == "true" ]; then + rolling_update $kops_name +fi + +if [ "${template}" == "true" ]; then + template $kops_name +fi + +if [ "${delete}" == "true" ]; then + delete $kops_name +fi + +if [ "${get_bastion}" == "true" ]; then + get_bastion $kops_name +fi diff --git a/clusters/aws/kops/template/cluster.yml b/old/clusters/aws/kops/template/cluster.yml similarity index 54% rename from clusters/aws/kops/template/cluster.yml rename to old/clusters/aws/kops/template/cluster.yml index a7bf66bc3..7d7ecd9dd 100644 --- a/clusters/aws/kops/template/cluster.yml +++ b/old/clusters/aws/kops/template/cluster.yml 
@@ -1,17 +1,34 @@ # -# using kops cli 1.11.1 +# using kops cli 1.13.0 # {{- $awsRegion := .awsRegion }} {{- $networkPortion := .networkPortion }} {{- $kopsName := .kopsName }} {{- $dnsZone := .dnsZone }} {{- $instanceGroups := .instanceGroups }} + {{- $availabilityZonesAll := .availabilityZonesAll }} + {{- $availabilityZonesPrivate := .availabilityZonesPrivate }} apiVersion: kops/v1alpha2 kind: Cluster metadata: name: {{ .kopsName }}.{{ .dnsZone }} spec: + hooks: + # Adding here since the kubeAPIServer.DisableBasicAuth is not working in this kops version yet + - before: + - kubelet.service + manifest: | + Type=oneshot + ExecStart=/usr/bin/sed -i 's/\-\-basic-auth-file=\/srv\/kubernetes\/basic_auth.csv//' /etc/kubernetes/manifests/kube-apiserver.manifest + name: remove_basic_auth + # Adding here since the kubeAPIServer.DisableBasicAuth is not working in this kops version yet + - before: + - kubelet.service + manifest: | + Type=oneshot + ExecStart=/usr/bin/sed -i 's/\-\-token-auth-file=\/srv\/kubernetes\/known_tokens.csv //' /etc/kubernetes/manifests/kube-apiserver.manifest + name: remove_token_auth fileAssets: # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#audit-logging - name: apiserver-audit-policy @@ -101,8 +118,8 @@ spec: api: dns: {} loadBalancer: - type: Internal - idleTimeoutSeconds: 300 + type: {{ .api.loadBalancer.type }} + idleTimeoutSeconds: 1800 authorization: rbac: {} {{- if .docker.overrides }} 
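Review bot: The two sed hooks that strip `--basic-auth-file` and `--token-auth-file` from the apiserver manifest disagree about trailing whitespace: the token pattern ends in `known_tokens.csv ` and will not match if that flag is the last thing on its line, while the basic-auth pattern leaves the surrounding space behind. Because `sed -i` exits 0 whether or not a substitution happened, a non-match silently leaves file-based authentication enabled on the API server with nothing in the boot log to show it. I would match optional whitespace in both, `s/--basic-auth-file=\/srv\/kubernetes\/basic_auth.csv[[:space:]]*//`, and add a comment above `hooks:` naming the kops version in which `disableBasicAuth` is expected to work so the workaround has a removal criterion. Whether the hook runs before the static-pod manifest is consumed depends on the `before: kubelet.service` ordering, which is presumably the reason for it and is worth stating in that comment.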
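Review bot: `type: {{ .api.loadBalancer.type }}` replaces the hard-coded `Internal`, so whether the Kubernetes API load balancer is reachable from the internet is now decided by each environment's values file with no default and no validation in the template. A values file that omits the key renders an empty or `<no value>` type, and one that sets `Public` exposes the API server publicly as a side effect of a values change rather than a template change; if the kops template function set supports `default` (sprig-style), `type: {{ .api.loadBalancer.type | default "Internal" }}` keeps the old behaviour as the fallback, otherwise a comment above the line stating that `Internal` is the expected value and `Public` must be a deliberate choice is the minimum. The `idleTimeoutSeconds` change from 300 to 1800 would also benefit from a one-line why-comment.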
@@ -119,18 +136,22 @@ spec: etcdClusters: # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#etcdclusters-v3--tls - enableEtcdTLS: true + cpuRequest: 200m + memoryRequest: 128Mi etcdMembers: {{- range $key, $value := .availabilityZonesEtcd }} - - instanceGroup: master-{{ $awsRegion }}{{ $value }} - name: {{ $value }} + - instanceGroup: master-{{ $awsRegion }}{{ $value.masterZoneName }} + name: {{ $value.etcdName }} {{- end }} name: main version: {{ .etcd.version }} - enableEtcdTLS: true + cpuRequest: 200m + memoryRequest: 128Mi etcdMembers: {{- range $key, $value := .availabilityZonesEtcd }} - - instanceGroup: master-{{ $awsRegion }}{{ $value }} - name: {{ $value }} + - instanceGroup: master-{{ $awsRegion }}{{ $value.masterZoneName }} + name: {{ $value.etcdName }} {{- end }} name: events version: {{ .etcd.version }} @@ -139,11 +160,16 @@ spec: allowContainerRegistry: {{ .iam.allowContainerRegistry }} legacy: false kubeAPIServer: + # configs: https://github.com/kubernetes/kops/blob/master/pkg/apis/kops/componentconfig.go auditLogPath: /var/log/kube-apiserver-audit.log - auditLogMaxAge: 10 - auditLogMaxBackups: 1 + auditLogMaxAge: 30 + auditLogMaxBackups: 10 auditLogMaxSize: 100 auditPolicyFile: /srv/kubernetes/audit.yaml + AnonymousAuth: false + DisableBasicAuth: false + tlsMinVersion: VersionTLS12 + tlsCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"] # https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#runtimeconfig # runtimeConfig: # batch/v2alpha1: "true" 
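Review bot: Both etcd clusters drop `enableEtcdTLS: true` in favour of `cpuRequest`/`memoryRequest`, so on the new side nothing in the spec asks for TLS on etcd client and peer traffic. Unless these clusters run etcd-manager (no `provider: Manager` is set here and the etcd version is templated, so I cannot tell), that leaves etcd — which stores every Secret in the cluster — speaking plaintext between masters. If the intent is to rely on etcd-manager's built-in TLS, say so in a comment next to `cpuRequest`; otherwise keep `enableEtcdTLS: true` alongside the new resource requests in both the `main` and `events` clusters.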
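Review bot: `AnonymousAuth: false` and `DisableBasicAuth: false` use upper-camel keys while the `kubelet` block in the next hunk uses `anonymousAuth`, the lower-camel form used everywhere else in this spec; depending on how case-sensitive the kops decoder is, these two keys may not map to the `kubeAPIServer` fields at all and silently do nothing. Even if they do map, `DisableBasicAuth: false` states the opposite of what the new `remove_basic_auth` hook is trying to achieve — if basic auth is meant to be off this should read `disableBasicAuth: true`, with `anonymousAuth: false` beside it. Separately, `tlsCipherSuites` includes `TLS_RSA_WITH_AES_256_GCM_SHA384`, an RSA-key-exchange suite with no forward secrecy; restricting the list to ECDHE suites (keep `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, add `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` if AES-256 is wanted) applies here and to the identical lists added for `kubeControllerManager` and `kubelet` in the following hunk.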
@@ -162,9 +188,14 @@ spec: - ResourceQuota - NodeRestriction - Priority + kubeControllerManager: + tlsMinVersion: VersionTLS12 + tlsCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"] kubelet: # https://github.com/kubernetes/kops/blob/master/docs/security.md#kubelet-api anonymousAuth: false + tlsMinVersion: VersionTLS12 + tlsCipherSuites: ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_256_GCM_SHA384"] # kubeReserved: # cpu: "100m" # memory: "100Mi" 
@@ -189,71 +220,41 @@ spec: - "{{ $value }}" {{- end }} subnets: - # utility subnets - {{- range $key, $value := .availabilityZonesAll }} - - cidr: {{ $networkPortion }}.1{{ $key }}.0/24 - name: {{ $awsRegion }}{{ $value }}-utility - type: Utility - zone: {{ $awsRegion }}{{ $value }} - {{- end }} - - {{- if .enablePublicSubnets -}} - {{- range $key, $value := .availabilityZonesAll }} - - cidr: {{ $networkPortion }}.2{{ $key }}.0/24 - name: public-{{ $value }} - type: Public - zone: {{ $awsRegion }}{{ $value }} - {{- end }} - {{- end }} - - # Kube masters subnets - {{- range $key, $value := .availabilityZonesKubeMaster }} - - cidr: {{ $networkPortion }}.3{{ $key }}.0/24 - name: kube-master-{{ $value }} - type: Private - zone: {{ $awsRegion }}{{ $value }} - {{- end }} - - # infrastructure subnets - {{- range $key, $value := .availabilityZonesAll }} - - cidr: {{ $networkPortion }}.4{{ $key }}.0/24 - name: infrastructure-zone-{{ $value }} - type: Private - zone: {{ $awsRegion }}{{ $value }} - {{- end }} - - # worker subnets - {{- range $key, $value := .availabilityZonesAll }} - - cidr: {{ $networkPortion }}.5{{ $key }}.0/24 - name: worker-zone-{{ $value }} - type: Private - zone: {{ $awsRegion }}{{ $value }} - {{- end }} - - # threatstackmaster subnets - {{- range $key, $value := .availabilityZonesAll }} - - cidr: {{ $networkPortion }}.6{{ $key }}.0/24 - name: threatstack-master-zone-{{ $value }} - type: Private - zone: {{ $awsRegion }}{{ $value }} + {{- range $subnet := .subnets }} + {{- range $key, $value := $subnet.blocks }} + - cidr: {{ $value.cidr }} + type: {{ $subnet.type }} + {{- if eq $subnet.type "Private" }} + name: {{ $subnet.name }}-{{ with (index $availabilityZonesPrivate $key) }}{{ .zone }}{{ end }} + zone: {{ $awsRegion }}{{ with (index $availabilityZonesPrivate $key) }}{{ .zone }}{{ end }} + {{- with (index $availabilityZonesPrivate $key) }} + {{- if (index . 
"egress") }} + egress: {{ .egress }} + {{- end }} + {{- end }} + {{- else }} + name: {{ $subnet.name }}-{{ with (index $availabilityZonesAll $key) }}{{ .zone }}{{ end }} + zone: {{ $awsRegion }}{{ with (index $availabilityZonesAll $key) }}{{ .zone }}{{ end }} + {{- end }} {{- end }} + {{- end }} - topology: - dns: - type: Public - masters: private - nodes: private - # - # Kubernetes Masters - # - {{- range $key, $value := .availabilityZonesKubeMaster }} + topology: + dns: + type: {{ .topology.dns.type }} + masters: {{ .topology.masters }} + nodes: {{ .topology.nodes }} +# +# Kubernetes Masters +# +{{- range $key, $value := .availabilityZonesKubeMaster }} --- apiVersion: kops/v1alpha2 kind: InstanceGroup metadata: labels: kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: master-{{ $awsRegion }}{{ $value }} + name: master-{{ $awsRegion }}{{ $value.name }} spec: cloudLabels: {{- range $key, $value := $instanceGroups.kubeMaster.cloudLabels }} 
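Review bot: Inside `range $key, $value := $subnet.blocks` the template indexes `$availabilityZonesPrivate` and `$availabilityZonesAll` by `$key`, so every block list in values must have exactly as many entries as the zone list it is paired with — a shorter zone list makes `index` fail at render time and a longer one silently leaves zones without subnets. Nothing in the template states this positional contract; I would add above the outer loop `# each entry of a subnet's "blocks" is paired by position with availabilityZonesPrivate (type Private) or availabilityZonesAll (all other types)`. The `spec:` map that encloses `subnets` begins outside this hunk.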
@@ -265,204 +266,14 @@ spec: maxSize: {{ $instanceGroups.kubeMaster.maxSize }} minSize: {{ $instanceGroups.kubeMaster.minSize }} nodeLabels: - kops.k8s.io/instancegroup: master-{{ $awsRegion }}{{ $value }} + kops.k8s.io/instancegroup: master-{{ $awsRegion }}{{ $value.name }} {{- range $key, $value := $instanceGroups.kubeMaster.nodeLabels }} {{ $key }}: "{{ $value }}" {{- end }} role: Master subnets: - - kube-master-{{ $value }} - {{- end }} - - # - # infrastructure group - # - {{- if .enableInfrastructureGroup1 -}} - {{- range $key, $value := .availabilityZonesAll }} ---- -apiVersion: kops/v1alpha2 -kind: InstanceGroup -metadata: - labels: - kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: infrastructure-zone-{{ $value }} -spec: - cloudLabels: - {{- range $key, $value := $instanceGroups.infrastructureGroup1.cloudLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - image: {{ $instanceGroups.infrastructureGroup1.image }} - machineType: {{ $instanceGroups.infrastructureGroup1.machineType }} - maxSize: {{ $instanceGroups.infrastructureGroup1.maxSize }} - minSize: {{ $instanceGroups.infrastructureGroup1.minSize }} - nodeLabels: - kops.k8s.io/instancegroup: infrastructure-zone-{{ $value }} - {{- range $key, $value := $instanceGroups.infrastructureGroup1.nodeLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - {{ if $instanceGroups.infrastructureGroup1.taints.enable }} - taints: - {{- range $key, $value := $instanceGroups.infrastructureGroup1.taints.items }} - - "{{ $value }}" - {{- end }} - {{- end }} - role: Node - subnets: - - infrastructure-zone-{{ $value }} - {{- end }} - {{- end }} - - # - ## Spot instances - # - {{- if .enableSpotInstanceGroup1 -}} - {{- range $key, $value := .availabilityZonesAll }} ---- -apiVersion: kops/v1alpha2 -kind: InstanceGroup -metadata: - labels: - kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: spot-zone-{{ $value }} -spec: - cloudLabels: - {{- range $key, $value := $instanceGroups.spotGroup1.cloudLabels }} - {{ 
$key }}: "{{ $value }}" - {{- end }} - image: {{ $instanceGroups.spotGroup1.image }} - machineType: {{ $instanceGroups.spotGroup1.machineType }} - maxPrice: {{ $instanceGroups.spotGroup1.maxPrice }} - maxSize: {{ $instanceGroups.spotGroup1.maxSize }} - minSize: {{ $instanceGroups.spotGroup1.minSize }} - nodeLabels: - {{- range $key, $value := $instanceGroups.spotGroup1.nodeLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - {{ if $instanceGroups.spotGroup1.taints.enable }} - taints: - {{- range $key, $value := $instanceGroups.spotGroup1.taints.items }} - - "{{ $value }}" - {{- end }} - {{- end }} - role: Node - subnets: - - worker-zone-{{ $value }} - {{- end }} - {{- end }} - - # - # On Damand instances - # - {{- if .enableOnDemandGroup1 -}} - {{- range $key, $value := .availabilityZonesAll }} ---- -apiVersion: kops/v1alpha2 -kind: InstanceGroup -metadata: - labels: - kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: on-demand-zone-{{ $value }} -spec: - cloudLabels: - {{- range $key, $value := $instanceGroups.onDemandGroup1.cloudLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - image: {{ $instanceGroups.onDemandGroup1.image }} - machineType: {{ $instanceGroups.onDemandGroup1.machineType }} - maxSize: {{ $instanceGroups.onDemandGroup1.maxSize }} - minSize: {{ $instanceGroups.onDemandGroup1.minSize }} - nodeLabels: - kops.k8s.io/instancegroup: on-demand-zone-{{ $value }} - {{- range $key, $value := $instanceGroups.onDemandGroup1.nodeLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - {{ if $instanceGroups.onDemandGroup1.taints.enable }} - taints: - {{- range $key, $value := $instanceGroups.onDemandGroup1.taints.items }} - - "{{ $value }}" - {{- end }} - {{- end }} - role: Node - subnets: - - worker-zone-{{ $value }} - {{- end }} - {{- end }} - - # - # Jenkins masters group - # - {{- if .enableJenkinsGroup1 -}} - {{- range $key, $value := .availabilityZonesAll }} ---- -apiVersion: kops/v1alpha2 -kind: InstanceGroup -metadata: - labels: - 
kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: jenkins-master-zone-{{ $value }} -spec: - cloudLabels: - {{- range $key, $value := $instanceGroups.jenkinsMastersGroup1.cloudLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - image: {{ $instanceGroups.jenkinsMastersGroup1.image }} - machineType: {{ $instanceGroups.jenkinsMastersGroup1.machineType }} - maxSize: {{ $instanceGroups.jenkinsMastersGroup1.maxSize }} - minSize: {{ $instanceGroups.jenkinsMastersGroup1.minSize }} - nodeLabels: - kops.k8s.io/instancegroup: jenkins-master-zone-{{ $value }} - {{- range $key, $value := $instanceGroups.jenkinsMastersGroup1.nodeLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - {{ if $instanceGroups.jenkinsMastersGroup1.taints.enable }} - taints: - {{- range $key, $value := $instanceGroups.jenkinsMastersGroup1.taints.items }} - - "{{ $value }}" - {{- end }} - {{- end }} - role: Node - subnets: - - worker-zone-{{ $value }} - {{- end }} - {{- end }} - - # - # Jenkins workers group - # - {{- if .enableJenkinsGroup1 -}} - {{- range $key, $value := .availabilityZonesAll }} ---- -apiVersion: kops/v1alpha2 -kind: InstanceGroup -metadata: - labels: - kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: jenkins-workers-zone-{{ $value }} -spec: - cloudLabels: - {{- range $key, $value := $instanceGroups.jenkinsWorkersGroup1.cloudLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - image: {{ $instanceGroups.jenkinsWorkersGroup1.image }} - machineType: {{ $instanceGroups.jenkinsWorkersGroup1.machineType }} - maxSize: {{ $instanceGroups.jenkinsWorkersGroup1.maxSize }} - minSize: {{ $instanceGroups.jenkinsWorkersGroup1.minSize }} - nodeLabels: - kops.k8s.io/instancegroup: jenkins-worker-zone-{{ $value }} - {{- range $key, $value := $instanceGroups.jenkinsWorkersGroup1.nodeLabels }} - {{ $key }}: "{{ $value }}" - {{- end }} - {{ if $instanceGroups.jenkinsWorkersGroup1.taints.enable }} - taints: - {{- range $key, $value := $instanceGroups.jenkinsWorkersGroup1.taints.items 
}} - - "{{ $value }}" - {{- end }} - {{- end }} - role: Node - subnets: - - worker-zone-{{ $value }} - {{- end }} - {{- end }} + - kube-master-{{ $value.name }} +{{- end }} # # Bastion workers group @@ -470,14 +281,14 @@ spec: # {{- if .enableBastionGroup1 -}} {{- range $key, $value := .availabilityZonesAll }} - {{- if eq $value "a" -}} + {{- if eq $value.zone (index $availabilityZonesAll 0).zone }} --- apiVersion: kops/v1alpha2 kind: InstanceGroup metadata: labels: kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: bastion-workers-zone-{{ $value }} + name: bastion-workers-zone-{{ $value.name }} spec: cloudLabels: {{- range $key, $value := $instanceGroups.bastionWorkersGroup1.cloudLabels }} @@ -490,7 +301,7 @@ spec: minSize: {{ $instanceGroups.bastionWorkersGroup1.minSize }} role: Bastion subnets: - - public-{{ $value }} + - public-{{ $value.name }} {{- end }} {{- end }} {{- end }} @@ -506,7 +317,7 @@ kind: InstanceGroup metadata: labels: kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} - name: threatstack-master-zone-{{ $value }} + name: threatstack-master-zone-{{ $value.name }} spec: cloudLabels: {{- range $key, $value := $instanceGroups.threatstackMaster.cloudLabels }} @@ -517,7 +328,7 @@ spec: maxSize: {{ $instanceGroups.threatstackMaster.maxSize }} minSize: {{ $instanceGroups.threatstackMaster.minSize }} nodeLabels: - kops.k8s.io/instancegroup: threatstack-master-zone-{{ $value }} + kops.k8s.io/instancegroup: threatstack-master-zone-{{ $value.name }} {{- range $key, $value := $instanceGroups.threatstackMaster.nodeLabels }} {{ $key }}: "{{ $value }}" {{- end }} 
@@ -529,6 +340,48 @@ spec: {{- end }} role: Node subnets: - - threatstack-master-zone-{{ $value }} + - threatstack-master-zone-{{ $value.name }} {{- end }} {{- end }} + +####################################################### +# Worker node group - all zones +####################################################### +{{- $availabilityZonesAll := .availabilityZonesAll }} + +{{- range $key, $value := .workerInstanceGroupsAllZones }} +####################################################### +# Worker node group - all zones - {{ $key }} +####################################################### +{{- range $azKey, $azValue := $availabilityZonesAll }} +--- +apiVersion: kops/v1alpha2 +kind: InstanceGroup +metadata: + labels: + kops.k8s.io/cluster: {{ $kopsName }}.{{ $dnsZone }} + name: {{ $key }}-zone-{{ $azValue.name }} +spec: + cloudLabels: + {{- range $keyCloudLabels, $valueCloudLabels := $value.cloudLabels }} + {{ $keyCloudLabels }}: "{{ $valueCloudLabels }}" + {{- end }} + image: {{ $value.image }} + machineType: {{ $value.machineType }} + maxSize: {{ $value.maxSize }} + minSize: {{ $value.minSize }} + nodeLabels: + {{- range $nodeLabelsKey, $nodeLabelsValue := $value.nodeLabels }} + {{ $nodeLabelsKey }}: "{{ $nodeLabelsValue }}" + {{- end }} + {{- if $value.taints }} + taints: + {{- range $taintsKey, $taintsValue := $value.taints }} + - "{{ $taintsValue }}" + {{- end }} + {{- end }} + role: Node + subnets: + - worker-zone-{{ $azValue.name }} +{{- end }} +{{- end }} diff --git a/old/clusters/local/kind/README.md b/old/clusters/local/kind/README.md new file mode 100644 index 000000000..53d6d2ef2 --- /dev/null +++ b/old/clusters/local/kind/README.md 
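Review bot: `{{- $availabilityZonesAll := .availabilityZonesAll }}` is declared again here although the same variable is already declared in the file's header hunk; the repeat is at best redundant and I would drop it so the two cannot drift apart. The new `workerInstanceGroupsAllZones` loop has no comment describing the value shape it expects (a map from group name to `image`, `machineType`, `maxSize`, `minSize`, `cloudLabels`, `nodeLabels` and an optional `taints` list), which is now the contract every values file must satisfy, so a short comment under the banner would document it. Note also that `taints` is a plain list tested with `if $value.taints`, whereas the per-group templates removed in the `@@ -265` hunk used `taints.enable`/`taints.items`, so existing values files need converting and the comment should say so.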
@@ -0,0 +1,121 @@ +Kind +======= +Kind is an open source project that brings up a local Kuberenetes environment all +running in Docker. + +Doc: https://kind.sigs.k8s.io/docs/user/quick-start/ + + +# Installation instructions: + +Doc: https://github.com/kubernetes-sigs/kind#installation-and-usage + + +# Usage: + +## Creation: +``` +kind create cluster --config config.yaml --image kindest/node:v1.13.12 +``` + +## List +``` +kind get clusters +``` + +## Delete +``` +kind delete cluster +``` + +## Debug +By defaul if the create command fails it will clean up the Docker containers. + +You can append the `--retain` flag in the `kind create cluster...` command so +it won't remove the Docker containers on failure and you can debug the containers +from there. + +There is also a verbose flag to give you more information on what it is doing: `--v 7` + +# Example deployment + +## nginx-ingress + +``` +cd kubernetes/helm/nginx-ingress/ +``` + +Deploy: +``` +make ENVIRONMENT=kind external-apply +``` + +## http-echo app + +``` +cd kubernetes/helm/http-echo +``` + +Deploy: +``` +kubectl apply -f namespace.yaml +kubectl -n http-echo apply -f . +``` + +Test out the ingress: +```bash +root@ip-10-4-2-98:/home/ubuntu/kubernetes-ops/kubernetes/helm/http-echo# curl -v http://localhost -H "HOST: gar1.example.com" +* Rebuilt URL to: http://localhost/ +* Trying 127.0.0.1... 
+* TCP_NODELAY set +* Connected to localhost (127.0.0.1) port 80 (#0) +> GET / HTTP/1.1 +> HOST: gar1.example.com +> User-Agent: curl/7.58.0 +> Accept: */* +> +< HTTP/1.1 200 OK +< Server: nginx/1.15.10 +< Date: Thu, 19 Dec 2019 20:28:46 GMT +< Content-Type: text/plain +< Transfer-Encoding: chunked +< Connection: keep-alive +< Vary: Accept-Encoding +< + + +Hostname: echoserver-6bdccfbcd4-jv557 + +Pod Information: + -no pod information available- + +Server values: + server_version=nginx: 1.13.3 - lua: 10008 + +Request Information: + client_address=10.244.1.17 + method=GET + real path=/ + query= + request_version=1.1 + request_scheme=http + request_uri=http://gar1.example.com:8080/ + +Request Headers: + accept=*/* + host=gar1.example.com + user-agent=curl/7.58.0 + x-forwarded-for=10.244.1.1 + x-forwarded-host=gar1.example.com + x-forwarded-port=80 + x-forwarded-proto=http + x-original-uri=/ + x-real-ip=10.244.1.1 + x-request-id=2052b9f9e6a91587c5810773352fe7ab + x-scheme=http + +Request Body: + -no body in request- + +* Connection #0 to host localhost left intact +``` \ No newline at end of file diff --git a/old/clusters/local/kind/config.yaml b/old/clusters/local/kind/config.yaml new file mode 100644 index 000000000..ec68fd6c7 --- /dev/null +++ b/old/clusters/local/kind/config.yaml 
@@ -0,0 +1,30 @@
+---
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+
+nodes:
+- role: control-plane
+- role: worker
+ extraPortMappings:
+ - containerPort: 30080
+ hostPort: 80
+ listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+ protocol: tcp
+ - containerPort: 30443
+ hostPort: 443
+ listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+ protocol: tcp
+ kubeadmConfigPatches:
+ - |
+ apiVersion: kubeadm.k8s.io/v1beta2
+ kind: InitConfiguration
+ nodeRegistration:
+ kubeletExtraArgs:
+ node-labels: "ingress-ready=true"
+ authorization-mode: "AlwaysAllow"
+# - role: worker
+# extraPortMappings:
+# - containerPort: 8080
+# hostPort: 8080
+# listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+# protocol: udp # Optional, defaults to tcp
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/Dockerfile b/old/containers/kubernetes/clusters/kops/Dockerfile
new file mode 100644
index 000000000..0e165e1ba
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/Dockerfile
@@ -0,0 +1,10 @@
+FROM ubuntu:18.04
+
+# Add the entire repository into the container
+ADD ./ /opt/repo/
+
+WORKDIR /opt/repo/containers/kubernetes/clusters/kops
+
+RUN ./setup.sh
+
+WORKDIR /opt/repo
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/README.md b/old/containers/kubernetes/clusters/kops/README.md
new file mode 100644
index 000000000..bc30343ba
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/README.md
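Review bot: The kubeadm patch sets the worker kubelet's `authorization-mode: "AlwaysAllow"`, which disables authorization on that node's kubelet API, and nothing in the file says why the kind default is not enough. If the line exists only to support the `ingress-ready=true` label it is unnecessary, since `node-labels` works on its own; either drop it or add a comment naming the feature that actually needs it. The two `listenAddress: "0.0.0.0"` entries also bind host ports 80 and 443 on every interface of the developer machine; for a local cluster `listenAddress: "127.0.0.1"` is the safer default, and the trailing "Optional" comment could say that.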
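Review bot: `ADD ./ /opt/repo/` copies the entire build context into the image, no `.dockerignore` is part of this change, and the scripts elsewhere in this diff reference `./ssh-keys/<cluster>/kubernetes-ops.pem` and per-cluster values files, so any such material present in the checkout is baked into a layer of `managedkube/kops:dev`, which the README in this commit pushes to a registry. Use `COPY` rather than `ADD` for a local path and copy only what `setup.sh` and the scripts need, or add a `.dockerignore` excluding `ssh-keys/`, `.git/` and `*.pem`. The base is pinned by tag only (`ubuntu:18.04`, no digest), `RUN ./setup.sh` has no comment saying what it installs, and there is no `USER` instruction, so everything runs as root; a why-comment on the `RUN` and a non-root `USER` before the final `WORKDIR` would be expected.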
@@ -0,0 +1,105 @@ +# kops + +## What you get +Yes, this is a very opinionated way of doing the upgrade. It is also very generic. Nothing that special about it. +It runs through `kops` update process in an automated way. This is using pure `kops` tooling with Github Actions and +some glue code (mostly in Bash). + +Why do this then? The only way to "glue" everything together and have it consitently working version to version is to +define how the cluster is defined and created. Then the automation knows how to handle it. Without you "subscribing" to +this method on how to manage your `kops` cluster, you would have to maintain all of this yourself. + +While this is just one of many ways to managed a `kops` cluster, we have found that managing a `kops` cluster this way is +very reasonable. Over the years of our consultancy, we have managed a lot of `kops` clusters this way with a lot of varying +technical "asks" and it mostly handled anything that was asked for. + +You get a fully automated `kops` update pipeline to update your kops cluster (with the correct binaries for everything), testing +the cluster after creation, and posting info back to PRs or comments on the output of the update. + +## Docs + +Task definition doc: [https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#family](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#family) + +## What the scripts do: + +### setup.sh +This sets up the container. Downloads things like: +* curl +* kops +* kubectl +* etc + +### create-cluster.sh +This script creates a temporary kops cluster. 
+ +### e2e-tests.sh +This script runs the e2e tests + +### update-cluster.sh +This script updates the cluster + +### ci-pipeline.sh + +``` +./ci-pipeline.sh --initial-branch master --updated-to-branch kops-update-1.4.7 +``` + +## Local workflow + +### Build + +Run from the root of the repository: + +```bash +docker build -t managedkube/kops:dev -f ./containers/kubernetes/clusters/kops/Dockerfile . +``` + +### Dev local +Run from the root of this repository: + +```bash +docker run -ti \ +-e ENVIRONMENT_NAME=${ENVIRONMENT_NAME} \ +-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ +-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ +-e AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION} \ +-e KOPS_STATE_STORE=${KOPS_STATE_STORE} \ +-v ${PWD}:/opt/repo \ +managedkube/kops:dev bash +``` + +### Push + +```bash +docker push managedkube/kops:dev +``` + +### Running +Export variables: +```bash +export AWS_ACCESS_KEY_ID="" +export AWS_SECRET_ACCESS_KEY="" +export AWS_DEFAULT_REGION="us-east-1" +export KOPS_STATE_STORE="" +export ENVIRONMENT_NAME=dev-test +``` + +```bash +docker run -ti \ +-e ENVIRONMENT_NAME=${ENVIRONMENT_NAME} \ +-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ +-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ +-e AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION} \ +-e KOPS_STATE_STORE=${KOPS_STATE_STORE} \ +managedkube/kops:dev bash +``` + +run the cluster update: +``` +./containers/kubernetes/clusters/kops/update-cluster.sh +``` + +run the Kubernetes e2e tests: +``` +./containers/kubernetes/clusters/kops/e2e-tests.sh +``` \ No newline at end of file diff --git a/old/containers/kubernetes/clusters/kops/ci-pipeline.sh b/old/containers/kubernetes/clusters/kops/ci-pipeline.sh new file mode 100755 index 000000000..97dc240c0 --- /dev/null +++ b/old/containers/kubernetes/clusters/kops/ci-pipeline.sh 
@@ -0,0 +1,82 @@
+#!/bin/bash -e
+
+###################################################
+##
+## This script run inside of the Fargate Docker container.
+##
+## Need to rebuild Docker container on edit: true
+##
+###################################################
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+# Parse inputs
+while [ "$1" != "" ]; do
+ case $1 in
+ -i | --initial-branch ) shift
+ INITIAL_BRANCH=$1
+ ;;
+ -u | --updated-to-branch ) shift
+ UPDATE_TO_BRANCH=$1
+ ;;
+ * ) usage
+ exit 1
+ esac
+ shift
+done
+
+# Check input params
+if [ -z "${INITIAL_BRANCH}" ]; then
+ echo "The --initial-branch param must be set"
+ exit 1
+fi
+
+if [ -z "${UPDATE_TO_BRANCH}" ]; then
+ echo "The --updated-to-branch param must be set"
+ exit 1
+fi
+
+BASE_FILE_PATH="./containers/kubernetes/clusters/kops"
+
+message_banner() {
+ echo "#################################"
+ echo "#################################"
+ echo "$1"
+ echo "#################################"
+ echo "#################################"
+}
+
+# Checkout the INITIAL_BRANCH branch
+message_banner "git checkout ${INITIAL_BRANCH}"
+git checkout ${INITIAL_BRANCH}
+
+# # Create initial cluster
+message_banner "Creating initial cluster"
+${BASE_FILE_PATH}/create-cluster.sh
+
+# Get the cluster name
+CLUSTER_NAME=$(cat ./tmp-output/cluster-name.txt)
+
+# Run e2e tests
+message_banner "Running e2e tests"
+${BASE_FILE_PATH}/e2e-tests.sh || true
+
+# Checkout the UPDATE_TO_BRANCH branch
+message_banner "git checkout ${UPDATE_TO_BRANCH}"
+git checkout ${UPDATE_TO_BRANCH}
+
+# Copy ci-pipeline kops yaml to the newly created cluster's yaml
+cp -a ./clusters/aws/kops/clusters/ci-pipeline/* ./clusters/aws/kops/clusters/${CLUSTER_NAME}/
+
+echo "Replace kops values file with the correct name parameters"
+sed -i "s/ci-pipeline/${CLUSTER_NAME}/g" ./clusters/aws/kops/clusters/${CLUSTER_NAME}/values.yaml
+
+# Update the cluster
+message_banner "Updating the cluster"
+${BASE_FILE_PATH}/update-cluster.sh
+
+# Run e2e tests
+message_banner "Running e2e tests"
+${BASE_FILE_PATH}/e2e-tests.sh || true
diff --git a/old/containers/kubernetes/clusters/kops/cleanup.sh b/old/containers/kubernetes/clusters/kops/cleanup.sh
new file mode 100755
index 000000000..01947217a
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/cleanup.sh
@@ -0,0 +1,58 @@
+#!/bin/bash -e
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+###################################################
+##
+## This script run inside of Github Actions.
+##
+## Need to rebuild Docker container on edit: false
+##
+###################################################
+
+CLUSTER_NAME_PREFIX="ci-pipeline"
+
+if [ "${DELETE_PREVIOUS_CLUSTER}" == "true" ]; then
+
+ # Kops returns an array of clusters if there are more than one.
+ # If there is only one, it returns a json element with just one element
+ # We have to treat these two cases differently.
+ NUMBER_OF_CLUSTERS=$(kops get clusters | wc -l)
+ if [ "${NUMBER_OF_CLUSTERS}" -eq 2 ]; then
+ echo "There is one cluster."
+
+ CLUSTER_NAME=$(kops get clusters --output json | jq -r .metadata.name)
+
+ # Delete all cluster staring with ${CLUSTER_NAME_PREFIX} in the name
+ if echo ${CLUSTER_NAME} | grep -e "^${CLUSTER_NAME_PREFIX}"; then
+
+ echo "Deleting cluster: ${CLUSTER_NAME}"
+ set -x
+ kops delete cluster ${CLUSTER_NAME} --yes
+ set +x
+ fi
+ else
+
+ # Loop through the kops get clusters output and get each cluster name
+ for row in $(kops get clusters --output json | jq -r '.[] | @base64'); do
+ _jq() {
+ echo ${row} | base64 --decode | jq -r ${1}
+ }
+
+ CLUSTER_NAME=$(_jq '.metadata.name')
+
+ # Delete all cluster staring with ${CLUSTER_NAME_PREFIX} in the name
+ if echo ${CLUSTER_NAME} | grep -e "^${CLUSTER_NAME_PREFIX}"; then
+
+ echo "Deleting cluster: ${CLUSTER_NAME}"
+ set -x
+ kops delete cluster ${CLUSTER_NAME} --yes
+ set +x
+ fi
+ done
+
+ fi
+
+fi
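Review bot: The `* ) usage` arm of the argument parser calls a `usage` function that is never defined in this script, so an unrecognized flag produces `usage: command not found` before the `exit 1` instead of a usage message. Define it next to `message_banner`, e.g. `usage() { echo "Usage: $0 -i|--initial-branch <branch> -u|--updated-to-branch <branch>" >&2; }`. Both `e2e-tests.sh` invocations are suffixed with `|| true`, so a failing conformance run never fails the pipeline; if that is intended as best-effort, a comment saying so (or capturing the status and reporting it at the end) would make the contract explicit. The unquoted `git checkout ${INITIAL_BRANCH}` and `sed -i "s/ci-pipeline/${CLUSTER_NAME}/g"` would also benefit from quoting, since the branch names are caller-supplied.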
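Review bot: The single-versus-many cluster detection relies on `kops get clusters | wc -l` being exactly 2 (header plus one row), which breaks as soon as the table output gains or loses a line, and it forces the delete logic to be duplicated in both branches. jq can normalise both shapes in one expression, `kops get clusters --output json | jq -r 'if type == "array" then .[] else . end | .metadata.name'`, leaving a single loop over names. Because this script runs `kops delete cluster ... --yes` for every name matching `^${CLUSTER_NAME_PREFIX}`, the prefix match would also catch any non-CI cluster whose name merely starts with `ci-pipeline`; create-cluster.sh appends an 8-character `[a-z0-9]` suffix, so anchoring the pattern to that shape (e.g. `^${CLUSTER_NAME_PREFIX}-[a-z0-9]{8}`) narrows the blast radius, assuming kops.sh does not alter the name further.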
diff --git a/old/containers/kubernetes/clusters/kops/create-cluster.sh b/old/containers/kubernetes/clusters/kops/create-cluster.sh new file mode 100755 index 000000000..ae3f8a2db --- /dev/null +++ b/old/containers/kubernetes/clusters/kops/create-cluster.sh 
@@ -0,0 +1,64 @@
+#!/bin/bash -e
+
+###################################################
+##
+## This script run inside of the Fargate Docker container.
+##
+## Need to rebuild Docker container on edit: true
+##
+###################################################
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+# Initial base cluster name (before random UUID is appended)
+CLUSTER_NAME=ci-pipeline
+
+TMP_OUTPUT_LOCATION=./tmp-output
+
+echo "Remove temporary output if it exist"
+rm -rf ${TMP_OUTPUT_LOCATION} || true
+
+echo "Create temporary output folder"
+mkdir ${TMP_OUTPUT_LOCATION}
+
+echo "Generate random UUID"
+NEW_UUID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+
+CLUSTER_NAME=ci-pipeline-${NEW_UUID}
+
+echo "Copy ci-pipeline folder for this CI run's usage"
+cp -a ./clusters/aws/kops/clusters/ci-pipeline ./clusters/aws/kops/clusters/${CLUSTER_NAME}
+
+echo "Output cluster name into the temporary folder"
+echo "${CLUSTER_NAME}" > ${TMP_OUTPUT_LOCATION}/cluster-name.txt
+
+echo "Replace kops values file with the correct name parameters"
+sed -i "s/ci-pipeline/${CLUSTER_NAME}/g" ./clusters/aws/kops/clusters/${CLUSTER_NAME}/values.yaml
+
+cd ./clusters/aws/kops/
+
+echo "Creating a new kops cluster [DRY RUN]"
+./kops.sh --name ${CLUSTER_NAME} --create true --dry-run true
+
+echo "Creating a new kops cluster [NOT DRY RUN]"
+./kops.sh --name ${CLUSTER_NAME} --create true --dry-run false
+
+echo "cluster name: ${CLUSTER_NAME}"
+
+function wait_for_kube_api_ready() {
+ IS_DONE=false
+ until ${IS_DONE}
+ do
+ echo "Cannot reach the Kubernetes cluster yet. Wait and try again..."
+ sleep 2
+
+ STATUS=$(kubectl get nodes | grep "Ready" | wc -l)
+ if [ ${STATUS} -gt 2 ]; then
+ IS_DONE=true
+ fi
+ done
+}
+
+wait_for_kube_api_ready
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/e2e-tests.sh b/old/containers/kubernetes/clusters/kops/e2e-tests.sh
new file mode 100755
index 000000000..ef3934d93
--- /dev/null
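Review bot: `wait_for_kube_api_ready` counts lines matching `grep "Ready"`, which also matches `NotReady`, so the loop can exit while nodes are still coming up; `STATUS=$(kubectl get nodes --no-headers 2>/dev/null | grep -cw "Ready")` counts whole-word matches and drops the `wc -l`. The loop also has no upper bound: if the cluster never reaches three ready nodes, the Fargate task spins until something kills it externally, so a retry cap (a counter checked each iteration, then `exit 1` with a message) would fail fast. The hard-coded `-gt 2` threshold presumably mirrors the node count in the ci-pipeline values file; a comment recording that coupling would help whoever changes either side.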
+++ b/old/containers/kubernetes/clusters/kops/e2e-tests.sh
@@ -0,0 +1,31 @@
+#!/bin/bash -e
+
+###################################################
+##
+## This script run inside of the Fargate Docker container.
+##
+## Need to rebuild Docker container on edit: true
+##
+###################################################
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+echo "Run sonobuoy Kubernetes e2e tests"
+echo "Running e2e tests"
+
+# Delete previous test
+sonobuoy delete --all --wait
+
+if [ ! -z "${E2E_TESTS_QUICK_MODE}" ]; then
+ # Quick test
+ sonobuoy run --mode quick --wait
+else
+ # Long test
+ sonobuoy run --e2e-focus="\\[Conformance\\]" --e2e-skip="(\[Serial\])" --wait
+fi
+
+# Get results
+results=$(sonobuoy retrieve)
+sonobuoy results $results
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/fargate/task-definition-template.json b/old/containers/kubernetes/clusters/kops/fargate/task-definition-template.json
new file mode 100644
index 000000000..3beab1fc3
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/fargate/task-definition-template.json
@@ -0,0 +1,37 @@
+{
+ "family": "pipeline",
+ "networkMode": "awsvpc",
+ "containerDefinitions": [
+ {
+ "name": "worker",
+ "image": "managedkube/kops:dev",
+ "essential": true,
+ "entryPoint": [
+ "sh",
+ "-c"
+ ],
+ "command": [
+ "./containers/kubernetes/clusters/kops/ci-pipeline.sh -i master -u master"
+ ],
+ "environment" : [
+ { "name" : "ENVIRONMENT_NAME", "value" : "dev-test" },
+ { "name" : "E2E_TESTS_QUICK_MODE", "value": "true"}
+ ],
+ "logConfiguration": {
+ "logDriver": "awslogs",
+ "options": {
+ "awslogs-group": "ci-pipeline",
+ "awslogs-region": "us-east-1",
+ "awslogs-stream-prefix": "worker"
+ }
+ }
+ }
+ ],
+ "requiresCompatibilities": [
+ "FARGATE"
+ ],
+ "cpu": "256",
+ "memory": "512",
+ "executionRoleArn": "arn:aws:iam:::role/ecsTaskExecutionRole",
+ "taskRoleArn": "arn:aws:iam:::role/kubernetesOpsKopsFargateTask"
+}
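Review bot: The script's exit status never reflects whether the conformance run passed: `sonobuoy results $results` on the last line prints a summary and the script ends, and `sonobuoy results` does not appear to exit non-zero for failed tests, so callers cannot tell a green run from a red one (ci-pipeline.sh additionally wraps this script in `|| true`). Parsing the summary for a non-zero failed count and exiting 1 would let the pipeline surface regressions. The tarball path should also be quoted, `sonobuoy results "$results"`, since it comes from command output.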
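Review bot: The template and the rendered task-definition.json in the next file section have drifted: the template's `executionRoleArn` is `arn:aws:iam:::role/ecsTaskExecutionRole` while the rendered file uses `kubernetesOpsKopsFargateTaskExecution`, and the template lacks the `KOPS_STATE_STORE` environment entry the rendered file carries, so regenerating from this template would silently change the pipeline. Both files also have an empty account-id field in their role ARNs (`arn:aws:iam:::role/...`), which ECS will reject at registration unless it is filled in; if that is a deliberate redaction, a placeholder such as `<ACCOUNT_ID>` makes the intent obvious. Since the rendered file appears to be committed output, a note in the adjacent README on which file is the source of truth would help.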
diff --git a/old/containers/kubernetes/clusters/kops/fargate/task-definition.json b/old/containers/kubernetes/clusters/kops/fargate/task-definition.json
new file mode 100644
index 000000000..3c398dfcc
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/fargate/task-definition.json
@@ -0,0 +1,47 @@
+{
+ "family": "pipeline",
+ "networkMode": "awsvpc",
+ "containerDefinitions": [
+ {
+ "name": "worker",
+ "image": "managedkube/kops:dev",
+ "essential": true,
+ "entryPoint": [
+ "sh",
+ "-c"
+ ],
+ "command": [
+ "./containers/kubernetes/clusters/kops/ci-pipeline.sh -i master -u master"
+ ],
+ "environment": [
+ {
+ "name": "ENVIRONMENT_NAME",
+ "value": "dev-test"
+ },
+ {
+ "name": "E2E_TESTS_QUICK_MODE",
+ "value": "true"
+ },
+ {
+ "name": "KOPS_STATE_STORE",
+ "value": "s3://kubernetes-ops-expanse-1234-kops-state-store"
+ }
+ ],
+ "logConfiguration": {
+ "logDriver": "awslogs",
+ "options": {
+ "awslogs-group": "ci-pipeline",
+ "awslogs-region": "us-east-1",
+ "awslogs-stream-prefix": "worker"
+ }
+ }
+ }
+ ],
+ "requiresCompatibilities": [
+ "FARGATE"
+ ],
+ "cpu": "256",
+ "memory": "512",
+ "executionRoleArn": "arn:aws:iam:::role/kubernetesOpsKopsFargateTaskExecution",
+ "taskRoleArn": "arn:aws:iam:::role/kubernetesOpsKopsFargateTask"
+}
diff --git a/old/containers/kubernetes/clusters/kops/fargate/task-execution-policy.json b/old/containers/kubernetes/clusters/kops/fargate/task-execution-policy.json
new file mode 100644
index 000000000..6984a974c
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/fargate/task-execution-policy.json
@@ -0,0 +1,17 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetAuthorizationToken",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:BatchGetImage",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/old/containers/kubernetes/clusters/kops/fargate/task-policy.json b/old/containers/kubernetes/clusters/kops/fargate/task-policy.json
new file mode 100644
index 000000000..9cc9d92a6
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/fargate/task-policy.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/old/containers/kubernetes/clusters/kops/fargate/task-role-trust-relationship.json b/old/containers/kubernetes/clusters/kops/fargate/task-role-trust-relationship.json
new file mode 100644
index 000000000..3e7645da5
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/fargate/task-role-trust-relationship.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "",
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "ecs-tasks.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+ }
+
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/run.sh b/old/containers/kubernetes/clusters/kops/run.sh
new file mode 100755
index 000000000..4e66f6e20
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/run.sh
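Review bot: This task-role policy grants `"Action": "*"` on `"Resource": "*"`, i.e. full administrative access to the account, to the Fargate worker that runs ci-pipeline.sh. That worker checks out caller-chosen branches and executes scripts from them, so anyone able to land code on a branch the pipeline consumes inherits those permissions, and nothing bounds the grant to the kops state bucket or the `ci-pipeline-*` clusters. kops' own AWS getting-started documentation lists the service-level access it needs (EC2, Route53, S3, IAM, VPC); scoping `Action` to those services, and the S3 statement's `Resource` to the state-store bucket named in task-definition.json, keeps the pipeline working while limiting what a compromised run can reach. If the wide grant is a deliberate bootstrap shortcut, a descriptive `Sid` (JSON has no comments) or a line in the adjacent README should record that so it does not outlive the bootstrap.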
@@ -0,0 +1,48 @@
+#!/bin/bash -e
+
+###################################################
+##
+## This script run inside of Github Actions.
+##
+## Need to rebuild Docker container on edit: false
+##
+###################################################
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+CLUSTER_NAME="fargate-cluster"
+PIPELINE_VERSION=20
+
+# Start Fargate Task
+TASK_ARN=$(aws ecs run-task --cluster ${CLUSTER_NAME} --task-definition pipeline:${PIPELINE_VERSION} --launch-type "FARGATE" --network-configuration "awsvpcConfiguration={subnets=[subnet-0121a9057485fbe72],securityGroups=[sg-01b56214e8d158906]}" | jq -r .tasks[0].taskArn)
+
+# Output Fargate task description
+set -x
+aws ecs describe-tasks --cluster ${CLUSTER_NAME} --tasks ${TASK_ARN}
+set +x
+
+TASK_ID=$(echo ${TASK_ARN} | grep -o -e "\/.*" | grep -o -e "[0-9a-z].*")
+
+echo "#########################################"
+echo "Command to tail logs while this runs: ecs-cli logs --cluster ${CLUSTER_NAME} --task-id ${TASK_ID}" --follow
+echo "#########################################"
+
+# Poll until lastStatus is RUNNING
+IS_DONE=false
+until ${IS_DONE}
+do
+ echo "Fargate task is not in a running state yet...wait and poll again. | lastStatus: ${STATUS}"
+ sleep 2
+
+ STATUS=$(aws ecs describe-tasks --cluster ${CLUSTER_NAME} --tasks ${TASK_ARN} | jq -r .tasks[0].lastStatus)
+ if [ "${STATUS}" == "STOPPED" ]; then
+ IS_DONE=true
+ fi
+done
+
+# Follow logs until it has completed
+set -x
+ecs-cli logs --cluster ${CLUSTER_NAME} --task-id ${TASK_ID}
+set +x
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/setup.sh b/old/containers/kubernetes/clusters/kops/setup.sh
new file mode 100755
index 000000000..b51f8a300
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/setup.sh
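Review bot: The comment `# Poll until lastStatus is RUNNING` contradicts the loop under it, which only exits when `lastStatus` equals `STOPPED`, i.e. it waits for the whole pipeline task to finish; change it to `# Poll until the task has STOPPED (the pipeline run has finished)`. The first iteration also prints `lastStatus: ${STATUS}` before `STATUS` has been assigned, and the log-tail hint closes its double quote before `--follow`, so the flag is echoed as a separate word (it still prints, but the quoting misleads). The subnet and security-group IDs are hard-coded inside the `run-task` call; lifting them to variables next to `CLUSTER_NAME` and `PIPELINE_VERSION` (with environment overrides) would make the per-account inputs explicit and keep the task-definition revision from drifting silently.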
@@ -0,0 +1,47 @@
+#!/bin/bash -e
+
+###################################################
+##
+## This script run inside of the Dockerfile
+##
+## Need to rebuild Docker container on edit: true
+##
+###################################################
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+KUBECTL_VERSION=v1.16.0
+KOPS_VERSION=1.14.1
+SONOBUOY_VERSION=0.14.3
+ECS_CLI_VERSION=xxx
+
+KUBECTL_BINARY="https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
+KOPS_BINARY="https://github.com/kubernetes/kops/releases/download/${KOPS_VERSION}/kops-linux-amd64"
+SONOBUOY_URL="https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_amd64.tar.gz"
+
+echo "Setup ubuntu"
+apt-get update && apt-get install -y curl keychain git
+
+echo "Setup kubectl"
+curl -LO ${KUBECTL_BINARY}
+chmod 755 kubectl
+cp kubectl /usr/local/bin/
+kubectl version || true
+
+echo "Setup kops"
+curl -o kops --location ${KOPS_BINARY}
+chmod u+x ./kops
+cp ./kops /usr/local/bin/
+kops version
+
+echo "Setup sonobuoy"
+curl -o sonobuoy.tar.gz --location ${SONOBUOY_URL}
+tar -zxvf sonobuoy.tar.gz
+cp ./sonobuoy /usr/local/bin/
+sonobuoy version
+
+echo "Setup ecs-cli"
+curl -o /usr/local/bin/ecs-cli https://amazon-ecs-cli.s3.amazonaws.com/ecs-cli-linux-amd64-latest
+chmod 755 /usr/local/bin/ecs-cli
\ No newline at end of file
diff --git a/old/containers/kubernetes/clusters/kops/update-cluster.sh b/old/containers/kubernetes/clusters/kops/update-cluster.sh
new file mode 100755
index 000000000..5c9b1920f
--- /dev/null
+++ b/old/containers/kubernetes/clusters/kops/update-cluster.sh
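Review bot: Every tool is installed from a plain `curl` download with no integrity check and without `-f`, so an HTTP error or truncated transfer leaves an HTML or partial file that the following `chmod 755`/`cp` installs into `/usr/local/bin` as if it were the binary. At minimum use `curl -fsSLO` so HTTP errors abort under `set -e`, and verify what was fetched: the kubectl release publishes a `kubectl.sha256` beside the binary, and the kops and sonobuoy release pages provide checksums, so a line like `echo "<EXPECTED_SHA256>  kubectl" | sha256sum --check` (expected value copied from the release, placeholder here) pins what the image actually contains. `ECS_CLI_VERSION=xxx` is declared but never used while ecs-cli is fetched from the `-latest` URL, so that tool is unpinned and the image is not reproducible; route the download through the variable. The `apt-get install` line also lacks `--no-install-recommends` and a trailing `rm -rf /var/lib/apt/lists/*`, which would keep the image smaller.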
@@ -0,0 +1,36 @@
+#!/bin/bash -e
+
+###################################################
+##
+## This script run inside of the Fargate Docker container.
+##
+## Need to rebuild Docker container on edit: true
+##
+###################################################
+
+if [ ! -z "${DEBUG}" ]; then
+ set -x
+fi
+
+#CLOUD_ONLY="--cloudonly true"
+
+# Set the environment name to the tmp-output name if it exist
+if [ -a ./tmp-output/cluster-name.txt ]; then
+ ENVIRONMENT_NAME=$(cat ./tmp-output/cluster-name.txt)
+ echo "ENVIRONMENT_NAME: ${ENVIRONMENT_NAME}"
+fi
+
+cd ./clusters/aws/kops/
+
+echo "Apply kops update [DRY RUN]"
+./kops.sh --name ${ENVIRONMENT_NAME} --update true --dry-run true
+sleep 5
+
+echo "Apply kops update [NOT DRY RUN]"
+./kops.sh --name ${ENVIRONMENT_NAME} --update true --dry-run false
+
+echo "Apply kops rolling update [DRY RUN]"
+./kops.sh --name ${ENVIRONMENT_NAME} --rolling-update true ${CLOUD_ONLY} --dry-run true
+
+echo "Apply kops rolling update [NOT DRY RUN]"
+./kops.sh --name ${ENVIRONMENT_NAME} --rolling-update true ${CLOUD_ONLY} --dry-run false
diff --git a/old/docs/the-easier-way.md b/old/docs/the-easier-way.md
new file mode 100644
index 000000000..61d5d686a
--- /dev/null
+++ b/old/docs/the-easier-way.md
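Review bot: If `./tmp-output/cluster-name.txt` is absent and `ENVIRONMENT_NAME` is not exported, every `./kops.sh --name ${ENVIRONMENT_NAME} ...` call below runs with an empty name and any failure surfaces from kops.sh rather than here. A guard right after the `if` block, `: "${ENVIRONMENT_NAME:?ENVIRONMENT_NAME must be set or ./tmp-output/cluster-name.txt must exist}"`, fails fast with a clear message. The file test `[ -a ./tmp-output/cluster-name.txt ]` uses a synonym of `-e` that doubles as the deprecated binary AND operator; `-f` states the intent (a regular file) unambiguously. The `sleep 5` between the dry run and the real update has no explanation; if it exists so the dry-run diff can be read in the logs, say so in a comment, otherwise it only slows the pipeline.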
@@ -0,0 +1,104 @@ +The easier way +================ +This is not exactly the easy way but way easier than [the-manual-way.md](the-manual-way.md). + +This methods walks you through how to create the VPC and a Kops cluster via +the scripts we provide instead of using the CLIs manually. However, if you wanted +to learn what exactly it is doing and we encourage you to go through the [the-manual-way.md](the-manual-way.md) +once sometime. + +# Replace all of the S3 buckets used +See [s3 buckets replacement](README.md#setting-up-the-s3-buckets) + +# Create VPC + +## Run + +``` +cd ops +./vpc.sh -n dev --create true --dry-run false +``` + +# VPC ID +From the output of the Terraform run, a VPC ID was outputted in the format of +`vpc-xxxxxxx`. Copy this ID, you will need to put it into a few places. + +The following paths all starts from the root of this repository. + +## Terraform environment _env_defaults file +This file hold default values about this environment. We are adding in the +VPC ID here because there will be subsequent Terraforms that will use this ID +and place itself into this VPC. + +An example is if we wanted to use an RDS database. We will put the database +in this VPC and it will need the VPC ID to do that. + +File: `./tf-environments//dev/_env_defaults/gcp.tf` + +Update the `vpc_id` variable with the ID. + +## Kops values.yaml +This file holds the configuration for our Kops Kubernetes cluster for the `dev` +environment. We are going to tell Kops to put itself into this VPC. + +File: `./clusters/aws/kops/clusters/dev/values.yaml` + +Replace the value of `vpc` with the VPC ID. + +# Create the Kops Kubernetes cluster + +Run: +``` +cd clusters/aws/kops +./kops.sh --name dev --create true --dry-run false +``` + +# Interacting with the new Kubernetes cluster +The Kubernetes cluster that is created is a fully private Kubernetes cluster with +no public IP addresses. 
This means that you will have to get to the cluster some +how via a bastion host to be able to interact with it. During the setup, a +bastion host was created for you. The following steps shows you how to +connect to it and create a tunnel. + +``` +./kops.sh --name dev --get-bastion true --dry-run false +``` + +This will return information with a `sshuttle` command on how you can connect +to the remote network. + +# Git commit the changes back to the repository +Now that we have made all of our changes, we should commit all of the changes +back to our repository. + +See what has changed: +``` +git diff +``` + +Write a commit message: +``` +git commit -m 'Launching the dev cluster and updating the VPC IDs' -a +``` + +Push the changes back into git +``` +git push origin master +``` + +# Deleting + +# kops +Delete the kops cluster first + +``` +./kops.sh --name dev --delete true --dry-run false +``` + +# VPC +Delete the VPC next + +``` +cd ops +./vpc.sh -n dev --delete true --dry-run false +``` diff --git a/old/docs/the-manual-way.md b/old/docs/the-manual-way.md new file mode 100644 index 000000000..1c7d97b3e --- /dev/null +++ b/old/docs/the-manual-way.md 
@@ -0,0 +1,258 @@ +kubernetes-ops +================== +This repository represents an opinionated way to structure a repository that +holds the infrastructure level items. + +# Tools you will need + +See [tools.md](tools.md) + +# Setup your IP CIDR +This document contains how your IP CIDRs are going to be laid out for your +entire infrastructure. Care should be taken to review this and to make sure +this fits your needs. + +While getting started quick you can just go with any IP CIDR scheme just to test +it out but if you were to roll out a real world setup where people will consume +this infrastructure, not thinking this out a little bit might make it difficult +to do certain things later. It is unfortunate that this has to come so early in +the process. The IP CIDR is pretty much at the bottom of the stack which means +it touches everything. Making changes to this later will probably be very difficult +and require some kind of large scale migration or cut over. + +We suggest you take the `cidr-ranges.md` file as a good place to start. + +# Replace all of the S3 buckets used +See [s3 buckets replacement](README.md#setting-up-the-s3-buckets) + +# VPC Creation + +Directory: `/tf-environment` + +## Easy route + +Change directory to: `/tf-environments/aws/dev/dev/vpc` + +A note about the Terraform state store. We are using S3 for the state store and S3 bucket names has to be globally unique. +The file `/tf-environments/aws/dev/terragrunt.hcl` holds the state store configurations. +It is set to `kubernetes-ops-tf-state-${get_aws_account_id()}-terraform-state`. It puts your AWS Account ID in there as the "unique" key. + +Run: +``` +terragrunt init +terragrunt plan +terragrunt apply +``` + +This will create the VPC. + +## Creating additional environments that is not named "dev" + +Copy the directory `dev` to a name of the environment you want to create. +Like `dev-testing` is a good name. 
+ +### Update parameters +Now we have to update some parameter values in the files that we just copied in +the `dev` directory. + +#### `_env_defaults/main.tf` +Update the parameter +- `environment_name` to `dev-testing` +- `vpc_cidr` to the CIDR you chose +- `aws_availability_zone_1` and the availability zones if this needs to be updated + +#### `aws/vpc/main.tf` +Update the parameters: +- `public_cidrs` to the CIDR range you choose +- `private_cidrs` to the CIDR range you choose + +## Launch + +Run: +``` +terragrunt init +terragrunt plan +terragrunt apply +``` + +## Post launch +The Terraform output would have given you a VPC ID + +``` +... +... +module.main.aws_route.private[0]: Creation complete after 1s (ID: r-rtb-015ee00a4ceb2c77b1080289494) +module.main.aws_route.private[2]: Creation complete after 1s (ID: r-rtb-0f342ec1f38c7dd7f1080289494) +module.main.aws_route.private[1]: Creation complete after 1s (ID: r-rtb-089e933a218c235121080289494) + +Apply complete! Resources: 29 added, 0 changed, 0 destroyed. + +Outputs: + +aws_vpc_id = vpc-01262c04bc41f2f1f +``` + +Copy this VPC id and put it into the `_env_defaults/main.tf` file in the `vpc_id` parameter + +This ID will be used by other Terraform modules/items that are launched into this VPC. + +We will use this ID in the Kops creation because we are putting the Kubernetes +cluster in this VPC. + +# Kubernetes Cluster creation + +## Change directory +From the root directory of this repo change directory to here: +``` +cd clusters/aws/kops/ +``` + +## Create an AWS EC2 key pair +This will create the key, change the permissions so you can only read it, and +add it to your shell environment for usage. + +``` +aws ec2 create-key-pair --key-name kubernetes_ops --query 'KeyMaterial' --output text > ./ssh-keys/kubernetes-ops.pem +chmod 400 ./ssh-keys/kubernetes-ops.pem +ssh-add ./ssh-keys/kubernetes-ops.pem +``` + +## Kops on AWS + +Kops is an open source tool to help you create Kubernetes cluster. 
We are going +to use this tool to help us create a cluster on AWS. + +Source project: https://github.com/kubernetes/kops + +### Download the kops tool +Using kops cli is very version specific. This will determine what version +of Kubernetes will be installed. + +We are currently using version 1.11.x. You can download the `kops` CLI here: + +https://github.com/kubernetes/kops/releases/tag/1.11.1 + +### Creating the cluster +There is a sample cluster named `dev-example` that you can launch as is. + +Put the `vpc-id` into the file: `./clusters/dev-example/values.yaml` + +Set the state store. The kops state store is where kops writes information about +the cluster during creation. The entire state of the cluster is here. It +writes the information out to an AWS S3 bucket. Since buckets are globally +unique, you need to select a name that is unique to you. You can simply change +the `2345` string to something else or another number to make it unique. + +``` +export KOPS_STATE_STORE=s3://kubernetes-ops-1234-kops-state-store +``` + +Put the same bucket name in this case `kubernetes-ops-1234-kops-state-store` in +the file `./clusters/dev-example/values.yaml` in the `s3BucketName` values field. 
+ +Run this command to create the S3 bucket +``` +aws s3api create-bucket \ + --bucket ${KOPS_STATE_STORE} \ + --region us-east-1 \ + --versioning-configuration Status=Enabled +``` + +Enable versioning on the bucket: +``` +aws s3api put-bucket-versioning --bucket ${KOPS_STATE_STORE} --versioning-configuration Status=Enabled +``` + +Now, export out your AWS keys to the local shell: + +``` +export AWS_ACCESS_KEY_ID="foo" +export AWS_SECRET_ACCESS_KEY="bar" +export AWS_DEFAULT_REGION=us-east-1 +``` + +You can now run this command to output the templated values: + +``` +kops toolbox template --template ./template/cluster.yml --values ./clusters/dev-example/values.yaml --values ./clusters/values.yaml > /tmp/output.yaml +``` + +Run this command to create the cluster: +``` +kops create -f /tmp/output.yaml +``` + +At this point, it just created the configs for this cluster in S3. + +Get cluster name: +``` +kops get clusters +``` + +Set the cluster name from the output +``` +export cluster_name=dev-example.us-east-1.k8s.local +``` + +Create ssh keys to be able to ssh into the cluster. You don't have to enter a +passphrase for the key if you do not want to. Just hit enter. + +``` +ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f ./ssh-keys/id_rsa +``` + +Add the ssh keys into kops so it can put it on the machines. +``` +kops create secret --name ${cluster_name} sshpublickey admin -i ./ssh-keys/id_rsa.pub +``` + +Create the cluster. This will launch EC2 nodes and start configuring the kubernetes +cluster: +``` +kops --name ${cluster_name} update cluster --yes +``` + +By default, kops will place the `kubeconfig` on your local system. The kubeconfig +has information on how to reach this Kubernetes cluster and authentication for it. + +It is placed in: `~/.kube/config` + +#### Accessing the cluster +This cluster only has private IP addresses. You will not be able to reach it directly. +In the `dev-example` a bastion host is created for access. 
+ +There is an easy tool to use to ssh and tunnel into a remote network called `sshuttle` + +Here is the source project: https://github.com/sshuttle/sshuttle + +There are binaries and installs for Windows, OSX, and Linux. + +Using this you would run the this command to tunnel traffic to this VPC. + +In the AWS console find the load balancer that is pointed to the bastion host. In the +EC2 Dashboard, got to "Load Balancer" and search for "bastion". The DNS name will +point to your bastion host: + +DNS name: bastion-dev-example-us-ea-3gprsr-2140616004.us-east-1.elb.amazonaws.com + +Add the ssh private key you just generated to your local store so you can ssh in: +``` +ssh-add ./ssh-keys/kubernetes-ops.pem +``` + +Run the sshuttle command: +``` +sshuttle -r ec2-user@bastion-dev-example-us-ea-3gprsr-2140616004.us-east-1.elb.amazonaws.com 10.10.0.0/16 -v +``` + +This will forward all traffic destined for `10.10.0.0/16` through this tunnel. + +In another shell, run a `kubectl` command to check connectivity: + +``` +kubectl get nodes +``` + +# References + +Kops setup: https://github.com/kubernetes/kops/blob/master/docs/aws.md diff --git a/old/docs/updating-a-kops-cluster.md b/old/docs/updating-a-kops-cluster.md new file mode 100644 index 000000000..30849c408 --- /dev/null +++ b/old/docs/updating-a-kops-cluster.md 
@@ -0,0 +1,76 @@ +Updating a Kops Cluster +======================== + +Sometime refer to as "Day 2" problems. The other part of the lifecycle after +cluster creations. This is where most of the Kubernetes cluster's lifecycle will +reside in. + +# Updating instance size +The most common operation to perform is updating the instance size to be +larger or smaller. This is an easy operation. + +Lets say you have a `dev` cluster. + +The following paths all starts from the root of this repository. + +Open and edit the file: `./clusters/aws/kops/clusters/dev/values.yaml` + +Lets say that you want to update the `onDemandGroup1` group. + +## Update the configuration file +Search or scroll down in the file until you find the group settings for `onDemandGroup1` + +``` +... +onDemandGroup1: + # CoreOS: https://github.com/kubernetes/kops/blob/06b0111251ab87861e57dbf5f8d36f02e84af04d/docs/images.md#coreos + image: 595879546273/CoreOS-stable-2023.5.0-hvm + machineType: t3.large + maxSize: 10 + minSize: 1 +... +``` + +Update the `machineType` value to the new instance type you want it to be. + +## Apply changes +After this change, we have to apply these changes + +Run a dry run to see what it will change: +``` +cd clusters/aws/kops +./kops.sh --name dev --update true --dry-run true +``` + +Apply the changes: +``` +./kops.sh --name dev --update true --dry-run false +``` + +## Roll the nodes +When we applied the changes, Kops changed the AWS configuration of the Launch +Configuration of the ASG group. This does not touch the current nodes that +are running. When a new node starts, it will use the new configuration but the +current node will stay as is. + +For this reason, we have to "roll" the nodes. This means that we will have to +terminate and let the system launch new nodes. 
+ +Roll the nodes: +``` +./kops.sh --name dev --rolling-update true --dry-run false --cloudonly true +``` + +This will select nodes that needs updating and turn them off one by one until they +are all updated. + +## Commit back the changes + +Now that we have made the changes, we want to commit back these changes to our +repository. + +Another Git flow we could have used was after we made the config changes, we could +have started a new branch, commit the changes to that branch, and then opened a +pull request for these changes. With the Pull Request, we would solicit feedback +from our peers on what they think about this change. If everyone says it is ok, +we could merge and apply the changes and roll the nodes. diff --git a/old/kubernetes/helm/cert-manager/cert-manager/.gitignore b/old/kubernetes/helm/cert-manager/cert-manager/.gitignore new file mode 100644 index 000000000..15955aad4 --- /dev/null +++ b/old/kubernetes/helm/cert-manager/cert-manager/.gitignore @@ -0,0 +1 @@ +helm-output.yaml diff --git a/old/kubernetes/helm/cert-manager/cert-manager/Chart.lock b/old/kubernetes/helm/cert-manager/cert-manager/Chart.lock new file mode 100644 index 000000000..97a498625 --- /dev/null +++ b/old/kubernetes/helm/cert-manager/cert-manager/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: cert-manager + repository: https://charts.jetstack.io + version: v0.14.0 +digest: sha256:b21ccf331d7a85083a8ca3166416575968013168b891618dc54a59d6f1494bf5 +generated: "2020-03-17T19:46:12.068991985-07:00" diff --git a/old/kubernetes/helm/cert-manager/cert-manager/Chart.yaml b/old/kubernetes/helm/cert-manager/cert-manager/Chart.yaml new file mode 100644 index 000000000..c9df5d69c --- /dev/null +++ b/old/kubernetes/helm/cert-manager/cert-manager/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +name: cert-manager +version: v0.14.0 +appVersion: v0.14.0 +description: A Helm chart for cert-manager +dependencies: +- name: cert-manager + version: v0.14.0 + repository: https://charts.jetstack.io 
diff --git a/old/kubernetes/helm/cert-manager/cert-manager/Makefile b/old/kubernetes/helm/cert-manager/cert-manager/Makefile
new file mode 100644
index 000000000..c56b02ee0
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cert-manager/Makefile
@@ -0,0 +1,45 @@
+HELM_BINARY?=helm
+KUBECONFIG?=~/.kube/config
+KUBE_NAMESPACE?=cert-manager
+
+BASE_PATH=.
+
+APPLCATION_CHART_NAME=./
+# APPLCATION_CHART_NAME=jetstack/cert-manager
+APPLICATION_NAME=cert-manager
+VERSION=v0.14.0
+
+VALUES_FILE?=values.yaml
+
+TEMPLATE_OUTPUT_FILE?=./helm-output.yaml
+
+dependency:
+ ${HELM_BINARY} dependency build
+
+apply-crd:
+ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-${VERSION}/deploy/manifests/00-crds.yaml
+
+delete-crd:
+ kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-${VERSION}/deploy/manifests/00-crds.yaml
+
+apply:
+ ${HELM_BINARY} upgrade -i ${APPLICATION_NAME} ./ --wait \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${VALUES_FILE}
+
+template:
+ ${HELM_BINARY} template ${APPLICATION_NAME} ./ --wait \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${VALUES_FILE}
+
+delete:
+ ${HELM_BINARY} --namespace ${KUBE_NAMESPACE} delete ${APPLICATION_NAME}
+
+list:
+ ${HELM_BINARY} list
+
+dependency-build:
+ ${HELM_BINARY} dependency build
+
+add-repository:
+ ${HELM_BINARY} repo add jetstack https://charts.jetstack.io
diff --git a/old/kubernetes/helm/cert-manager/cert-manager/README.md b/old/kubernetes/helm/cert-manager/cert-manager/README.md
new file mode 100644
index 000000000..f1043fdbd
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cert-manager/README.md
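Review bot: `TEMPLATE_OUTPUT_FILE` is declared but the `template` target never writes to it, so `make template` prints to stdout while the adjacent README and the `.gitignore` entry for `helm-output.yaml` suggest a file is produced; append `> ${TEMPLATE_OUTPUT_FILE}` to that target's `--values ${VALUES_FILE}` line. `--wait` on `helm template` appears to be accepted only as an install flag and does nothing when rendering, and `BASE_PATH` and the misspelled `APPLCATION_CHART_NAME` are unused, so all three can go. `dependency` and `dependency-build` are identical recipes; keep one and list every target in a `.PHONY:` line so a stray file named `apply` or `delete` in the directory cannot mask the target. `apply-crd` fetches the CRD manifest from the network at apply time with `--validate=false`; the pin to `${VERSION}` is good, and a comment saying the CRDs are intentionally not vendored would explain the choice to the next reader.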
@@ -0,0 +1,90 @@
+Cert Manager
+========
+
+Helm Hub: https://hub.helm.sh/charts/jetstack/cert-manager
+
+Github: https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager
+
+Documentation: https://cert-manager.readthedocs.io
+
+
+# Install the Cert Manager's CRD
+
+This has to be done first
+
+```
+make apply-crd
+```
+
+## apply:
+```
+make apply
+```
+
+## dependency-build
+
+```
+make dependency-build
+```
+## template
+Default template outputs to: /tmp/helm-output.yaml
+```
+make template
+```
+
+## Deleting:
+```
+make delete
+```
+
+Delete the CRDs for a clean removal:
+
+```
+make delete-crd
+```
+
+## Listing helm charts:
+```
+make list
+```
+
+# dns01 issuer
+Doc: http://docs.cert-manager.io/en/latest/reference/issuers/acme/dns01.html
+
+The `dns01` issuer is a method to authenticate to Let's Encrypt that you own the domain
+by setting a DNS TXT record that is given back for the authorization.
+
+This method is useful for internal load balancers where Let's Encrypt can not reach the
+actual hostname's endpoint. For this method to work, the `cert-manager` needs access
+to where the domain is hosted.
+
+## ingress definition
+Using the `dns01` to retrieve certificates, a few annotations needs to be placed on
+the ingress. The following is an example:
+
+```
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: echoserver
+ #namespace: echoserver
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ kubernetes.io/ingress.class: "nginx-internal"
+ certmanager.k8s.io/cluster-issuer: issuer-dns01
+ certmanager.k8s.io/acme-challenge-type: dns01
+ certmanager.k8s.io/acme-dns01-provider: prod
+spec:
+ tls:
+ - hosts:
+ - gar.q-internal.tech
+ secretName: foo-tls-secret
+ rules:
+ - host: gar.q-internal.tech
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: echoserver
+ servicePort: 80
+```
diff --git a/old/kubernetes/helm/cert-manager/cert-manager/charts/cert-manager-v0.14.0.tgz b/old/kubernetes/helm/cert-manager/cert-manager/charts/cert-manager-v0.14.0.tgz
new file mode 100644
index 000000000..f6fb1377a
Binary files /dev/null and b/old/kubernetes/helm/cert-manager/cert-manager/charts/cert-manager-v0.14.0.tgz differ
diff --git a/old/kubernetes/helm/cert-manager/cert-manager/values.yaml b/old/kubernetes/helm/cert-manager/cert-manager/values.yaml
new file mode 100644
index 000000000..d66cd79e7
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cert-manager/values.yaml
@@ -0,0 +1,5 @@
+---
+cert-manager:
+ global:
+ leaderElection:
+ namespace: cert-manager
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/.gitignore b/old/kubernetes/helm/cert-manager/cluster-issuer/.gitignore
new file mode 100644
index 000000000..d39cf4024
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/.gitignore
@@ -0,0 +1 @@
+templated-output.yaml
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/Chart.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/Chart.yaml
new file mode 100644
index 000000000..f1951f6ef
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: cluster-issuer
+version: v0.1.1
+appVersion: v0.1.1
+description: A Helm chart to create the cert-manager cluster issuers
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/Makefile b/old/kubernetes/helm/cert-manager/cluster-issuer/Makefile
new file mode 100644
index 000000000..089cf5f87
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/Makefile
@@ -0,0 +1,41 @@
+HELM_BINARY?=helm
+KUBECTL_BINARY?=kubectl
+KUBECONFIG?=~/.kube/config
+KUBE_NAMESPACE?=cert-manager
+
+AWS_ACCESS_KEY_ID?=xxx
+AWS_SECRET_ACCESS_KEY?=xxx
+
+BASE_PATH=.
+
+BASE_VALUES_FILE?=values.yaml
+VALUES_FILE?=environments/${ENVIRONMENT}/values.yaml
+
+TEMPLATE_OUTPUT_FILE?=./templated-output.yaml
+
+apply:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ --set aws.accessKeyID=${AWS_ACCESS_KEY_ID} \
+ --set aws.accessSecret=${AWS_SECRET_ACCESS_KEY} \
+ ./ > ${TEMPLATE_OUTPUT_FILE}
+ kubectl --namespace ${KUBE_NAMESPACE} apply -f ${TEMPLATE_OUTPUT_FILE}
+
+template:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ --set aws.accessKeyID=${AWS_ACCESS_KEY_ID} \
+ --set aws.accessSecret=${AWS_SECRET_ACCESS_KEY} \
+ ./
+
+delete:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./ > ${TEMPLATE_OUTPUT_FILE}
+ kubectl --namespace ${KUBE_NAMESPACE} delete -f ${TEMPLATE_OUTPUT_FILE}
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/README.md b/old/kubernetes/helm/cert-manager/cluster-issuer/README.md
new file mode 100644
index 000000000..60674c76c
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/README.md
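Review bot: `AWS_ACCESS_KEY_ID?=xxx` and `AWS_SECRET_ACCESS_KEY?=xxx` mean that an `apply` run without those variables exported silently renders and applies a Secret whose key is the literal `xxx`; dropping the placeholder defaults and failing the target instead would surface the misconfiguration, e.g. a first recipe line `@test -n "${AWS_SECRET_ACCESS_KEY}" || { echo "AWS_SECRET_ACCESS_KEY is not set"; exit 1; }`. The rendered output, Secret included, is also written to `./templated-output.yaml` and left on disk after `kubectl apply`; `${HELM_BINARY} template ... ./ | kubectl --namespace ${KUBE_NAMESPACE} apply -f -` would avoid persisting credentials in the working tree. Passing the secret with `--set` additionally places it on the command line, where it is visible in the process list and shell history; `--set-file` or a values file kept outside the repository limits that exposure. `KUBECTL_BINARY` is declared but the recipes call `kubectl` directly.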
@@ -0,0 +1,95 @@
+cert-manager cluster-issuer
+==============================
+
+This is an add on chart to the Helm Stable `cert-manager` chart.
+
+You must have launch the `cert-manager` chart before you can use this chart.
+
+This chart helps you create issuers.
+
+# Set AWS keys
+Setting the keys for AWS. Used for the DNS validation against route53
+
+```
+export AWS_ACCESS_KEY_ID="foo"
+export AWS_SECRET_ACCESS_KEY="bar"
+```
+
+# Usage:
+
+## Template
+
+```
+make ENVIRONMENT=dev-us template
+```
+
+## Apply
+
+```
+make ENVIRONMENT=dev-us apply
+```
+
+## delete
+
+```
+make ENVIRONMENT=dev-us delete
+```
+
+# Providers
+
+## GCP Cloud DNS
+
+Creating keys: https://docs.cert-manager.io/en/latest/tasks/issuers/setup-acme/dns01/google.html
+
+# Creating certs:
+
+## DNS01 verification:
+
+Adding a request for a certificate via a dns01 verification
+
+doc: https://docs.cert-manager.io/en/release-0.11/tutorials/acme/dns-validation.html
+
+```
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: test1-dev-k8s-managedkube-com-tls
+ namespace: default
+spec:
+ secretName: test1-dev-k8s-managedkube-com-tls
+ issuerRef:
+ # kind: ClusterIssuer
+ name: issuer-dns01
+ dnsNames:
+ - test1.dev.k8s.managedkube.com
+ - test2.dev.k8s.managedkube.com
+
+```
+
+# Create a sealed-secret
+
+```
+# Secret source information
+NAMESPACE=cert-manager
+SECRET_NAME=clouddns-dns01-solver-svc-acct
+FILE_PATH=/media/veracrypt1/managedkube/sa-managedkube-admin.json
+
+# kubeseal info
+PUB_CERT=./kubernetes/helm/sealed-secrets/environments/gcp-dev/pub-cert.pem
+KUBESEAL_SECRET_OUTPUT_FILE=${SECRET_NAME}.yaml
+
+kubectl -n ${NAMESPACE} create secret generic ${SECRET_NAME} \
+--from-file=${FILE_PATH} \
+--dry-run \
+-o json > ${SECRET_NAME}.json
+
+kubeseal --format=yaml --cert=${PUB_CERT} < ${SECRET_NAME}.json > ${KUBESEAL_SECRET_OUTPUT_FILE}
+```
+
+## Remove the secrets from your filesystem
+
+```
+rm ${SECRET_NAME}.*
+```
+
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/environments/aws-dev/values.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/environments/aws-dev/values.yaml
new file mode 100644
index 000000000..3bafde8a3
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/environments/aws-dev/values.yaml
@@ -0,0 +1,5 @@
+---
+aws:
+ region: us-east-1
+ accessKeyID: xxx
+ secretKey: xxx
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/environments/gcp-dev/values.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/environments/gcp-dev/values.yaml
new file mode 100644
index 000000000..0efa0d57f
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/environments/gcp-dev/values.yaml
@@ -0,0 +1,24 @@
+---
+provider: google
+
+# Google Cloud DNS
+clouddns:
+ # The ID of the GCP project
+ project: managedkube
+ # This is the secret used to access the service account
+ # The file name has to be "credentials.json". The file name is put into the secret
+ # as the key name and the chart is looking for the key name "credentials.json"
+ # kubectl -n cert-manager create secret generic clouddns-dns01-solver-svc-acct --from-file=credentials.json
+ # Doc: https://cert-manager.io/docs/configuration/acme/dns01/google/#set-up-a-service-account
+ serviceAccountSecretRef:
+ name: "clouddns-dns01-solver-svc-acct"
+ key: credentials.json
+
+issuer:
+ dns:
+ enabled: true
+ name: issuer-dns01
+
+ http:
+ enabled: true
+ name: issuer-http01
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/templates/aws-route53-credentials-secret.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/templates/aws-route53-credentials-secret.yaml
new file mode 100644
index 000000000..1c75fae7f
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/templates/aws-route53-credentials-secret.yaml
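Review bot: `environments/aws-dev/values.yaml` never sets `provider`, yet both `templates/aws-route53-credentials-secret.yaml` and `templates/dns01.yaml` in this commit gate the AWS resources on `eq .Values.provider "aws"`, so selecting this environment renders neither the route53 solver nor its Secret (or fails the render, depending on how `eq` treats the missing value); the gcp-dev file does set `provider: google`. The `secretKey: xxx` entry is also never read, since the Secret template uses `.Values.aws.accessSecret`, which only the Makefile's `--set` supplies. Adding `provider: aws` and removing the unused `accessKeyID`/`secretKey` placeholders, so that real values come only from the environment at apply time, would make this file consistent with the templates.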
@@ -0,0 +1,14 @@
+{{ if eq .Values.provider "aws" }}
+{{- if .Values.issuer.dns.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: aws-route53-credentials-secret
+type: Opaque
+data:
+ # Base64 encoded string of the aws private key
+ secret-access-key: {{ .Values.aws.accessSecret | b64enc }}
+
+{{- end }}
+{{- end }}
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/templates/dns01.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/templates/dns01.yaml
new file mode 100644
index 000000000..07b0c1e2b
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/templates/dns01.yaml
@@ -0,0 +1,43 @@
+{{- if .Values.issuer.dns.enabled }}
+# doc: http://docs.cert-manager.io/en/latest/reference/issuers/acme/dns01.html
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: {{ .Values.issuer.dns.name }}
+ namespace: {{ .Values.namespace }}
+spec:
+ acme:
+ email: {{ .Values.email }}
+ server: {{ .Values.letsencrypt.server }}
+ privateKeySecretRef:
+ name: letsencrypt-private-key-dns-01
+ solvers:
+ - dns01:
+
+ {{ if eq .Values.provider "aws" }}
+ # AWS Provider - https://cert-manager.io/docs/configuration/acme/dns01/route53/
+ route53:
+ region: {{ .Values.aws.region }}
+
+ # optional if ambient credentials are available; see ambient credentials documentation
+ accessKeyID: {{ .Values.aws.accessKeyID }}
+ secretAccessKeySecretRef:
+ name: aws-route53-credentials-secret
+ key: secret-access-key
+ {{- end }}
+
+ {{ if eq .Values.provider "google" }}
+ # Google Provider - https://cert-manager.io/docs/configuration/acme/dns01/google/
+ clouddns:
+ # The ID of the GCP project
+ project: {{ .Values.clouddns.project }}
+ # This is the secret used to access the service account
+ serviceAccountSecretRef:
+ name: {{ .Values.clouddns.serviceAccountSecretRef.name }}
+ key: {{ .Values.clouddns.serviceAccountSecretRef.key }}
+ {{- end }}
+
+
+
+{{- end }}
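Review bot: `secret-access-key: {{ .Values.aws.accessSecret | b64enc }}` accepts an unset or empty value and quietly produces a Secret with an empty key, which the route53 solver in `dns01.yaml` then references; `{{ required "aws.accessSecret must be set" .Values.aws.accessSecret | b64enc }}` makes the render fail instead. The Secret also carries no `metadata.namespace`, while the ClusterIssuer templates do set one, so where it lands depends entirely on the `--namespace` passed at apply time; since cert-manager resolves a ClusterIssuer's `secretAccessKeySecretRef` in its own cluster-resource namespace, pinning `namespace: {{ .Values.namespace }}` here (the value already exists in `values.yaml`) documents that requirement in the manifest itself.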
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/templates/http01.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/templates/http01.yaml
new file mode 100644
index 000000000..bdff021e2
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/templates/http01.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.issuer.http.enabled }}
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+ name: issuer-http01
+ namespace: {{ .Values.namespace }}
+spec:
+ acme:
+ # The ACME server URL
+ server: {{ .Values.letsencrypt.server }}
+ # Email address used for ACME registration
+ email: {{ .Values.email }}
+ # Name of a secret used to store the ACME account private key from step 3
+ privateKeySecretRef:
+ name: letsencrypt-private-key-http-01
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: nginx-external
+
+{{- end }}
diff --git a/old/kubernetes/helm/cert-manager/cluster-issuer/values.yaml b/old/kubernetes/helm/cert-manager/cluster-issuer/values.yaml
new file mode 100644
index 000000000..d48bc500a
--- /dev/null
+++ b/old/kubernetes/helm/cert-manager/cluster-issuer/values.yaml
@@ -0,0 +1,16 @@
+---
+email: devops@managedkube.com
+
+namespace: cert-manager
+
+letsencrypt:
+ server: https://acme-v02.api.letsencrypt.org/directory
+
+issuer:
+ dns:
+ enabled: true
+ name: issuer-dns01
+
+ http:
+ enabled: true
+ name: issuer-http01
diff --git a/old/kubernetes/helm/cluster-autoscaler/.gitignore b/old/kubernetes/helm/cluster-autoscaler/.gitignore
new file mode 100644
index 000000000..c5bf9d03a
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/.gitignore
@@ -0,0 +1 @@
+output.yaml
diff --git a/old/kubernetes/helm/cluster-autoscaler/Chart.yaml b/old/kubernetes/helm/cluster-autoscaler/Chart.yaml
new file mode 100644
index 000000000..cd01ceb02
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/Chart.yaml
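Review bot: `name: issuer-http01` is hard-coded although the sibling `dns01.yaml` reads `{{ .Values.issuer.dns.name }}` and the chart's `values.yaml` in this commit defines `issuer.http.name`, so overriding that value has no effect; `name: {{ .Values.issuer.http.name }}` keeps the two templates consistent. `class: nginx-external` is likewise fixed in the template even though the cert-manager README in this commit shows an `nginx-internal` class in use, so a value such as `issuer.http.ingressClass` would let each environment choose. A ClusterIssuer is cluster-scoped, so `metadata.namespace` carries no meaning here and could be dropped (the same applies to dns01.yaml).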
@@ -0,0 +1,5 @@
+apiVersion: v1
+name: cluster-autoscaler
+version: 0.13.3
+appVersion: 1.13.1
+description: Scales worker nodes within autoscaling groups.
diff --git a/old/kubernetes/helm/cluster-autoscaler/Makefile b/old/kubernetes/helm/cluster-autoscaler/Makefile
new file mode 100644
index 000000000..ea1c56c1d
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/Makefile
@@ -0,0 +1,43 @@
+HELM_BINARY?=helm
+KUBECTL_BINARY?=kubectl
+KUBECONFIG?=~/.kube/config
+KUBE_NAMESPACE?=cluster-autoscaler
+APPLICATION_NAME?=cluster-autoscaler
+
+NAME?=cluster-autoscaler
+
+BASE_PATH=.
+
+BASE_VALUES_FILE?=values.yaml
+VALUES_FILE?=environments/${ENVIRONMENT}/values.yaml
+
+TEMPLATE_OUTPUT_FILE?=./output.yaml
+
+apply:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --name ${APPLICATION_NAME} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./ > ${TEMPLATE_OUTPUT_FILE}
+ kubectl --namespace ${KUBE_NAMESPACE} apply -f ${TEMPLATE_OUTPUT_FILE}
+
+template:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --name ${APPLICATION_NAME} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./
+
+delete:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --name ${APPLICATION_NAME} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./ > ${TEMPLATE_OUTPUT_FILE}
+ kubectl --namespace ${KUBE_NAMESPACE} delete -f ${TEMPLATE_OUTPUT_FILE}
+
+build-dependency:
+ ${HELM_BINARY} dependency build
diff --git a/old/kubernetes/helm/cluster-autoscaler/README.md b/old/kubernetes/helm/cluster-autoscaler/README.md
new file mode 100644
index 000000000..0b93dae06
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/README.md
@@ -0,0 +1,43 @@
+cluster-autoscaler
+===================
+
+Source Helm Chart: https://github.com/helm/charts/tree/master/stable/cluster-autoscaler
+
+# Usage:
+
+## Template out
+This is mainly for debugging and development purposes to see what the output yaml
+will look like before applying.
+
+```
+make ENVIRONMENT=dev-us template
+```
+
+## Install/Upgrade
+
+```
+make ENVIRONMENT=dev-us apply
+```
+
+## Delete
+
+```
+make ENVIRONMENT=dev-us delete
+```
+
+# AWS Keys
+
+Either update the `./values.yaml` file with the AWS keys, or create a secret with
+the keys for the cluster-autoscaler to use.
+
+```
+apiVersion: v1
+data:
+ AwsAccessKeyId: base64-encoded-string-here
+ AwsSecretAccessKey: base64-encoded-string-here
+kind: Secret
+metadata:
+ name: cluster-autoscaler-aws-cluster-autoscaler
+ namespace: cluster-autoscaler
+type: Opaque
+```
diff --git a/old/kubernetes/helm/cluster-autoscaler/charts/cluster-autoscaler-0.13.3.tgz b/old/kubernetes/helm/cluster-autoscaler/charts/cluster-autoscaler-0.13.3.tgz
new file mode 100644
index 000000000..134bfcbab
Binary files /dev/null and b/old/kubernetes/helm/cluster-autoscaler/charts/cluster-autoscaler-0.13.3.tgz differ
diff --git a/old/kubernetes/helm/cluster-autoscaler/environments/dev/values.yaml b/old/kubernetes/helm/cluster-autoscaler/environments/dev/values.yaml
new file mode 100644
index 000000000..dedc0c0cd
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/environments/dev/values.yaml
@@ -0,0 +1,20 @@
+cluster-autoscaler:
+ cloudProvider: aws
+ awsRegion: us-east-1
+
+ autoscalingGroups:
+ - name: on-demand-zone-a.dev2.us-east-1.k8s.local
+ maxSize: 20
+ minSize: 0
+ - name: on-demand-zone-b.dev2.us-east-1.k8s.local
+ maxSize: 20
+ minSize: 0
+ - name: infrastructure-zone-a.dev2.us-east-1.k8s.local
+ maxSize: 10
+ minSize: 0
+ - name: infrastructure-zone-b.dev2.us-east-1.k8s.local
+ maxSize: 10
+ minSize: 0
+ - name: infrastructure-zone-c.dev2.us-east-1.k8s.local
+ maxSize: 10
+ minSize: 0
diff --git a/old/kubernetes/helm/cluster-autoscaler/requirements.lock b/old/kubernetes/helm/cluster-autoscaler/requirements.lock
new file mode 100644
index 000000000..540bdc4d6
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cluster-autoscaler
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ version: 0.13.3
+digest: sha256:1715d9e5a2b10a22b1024cf42134b19aeeb5214af4f6b9c776164ece88ee280e
+generated: 2019-06-26T18:49:43.267728397-07:00
diff --git a/old/kubernetes/helm/cluster-autoscaler/requirements.yaml b/old/kubernetes/helm/cluster-autoscaler/requirements.yaml
new file mode 100644
index 000000000..0888e6ee3
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/requirements.yaml
@@ -0,0 +1,5 @@
+---
+dependencies:
+- name: cluster-autoscaler
+ version: 0.13.3
+ repository: https://kubernetes-charts.storage.googleapis.com/
diff --git a/old/kubernetes/helm/cluster-autoscaler/values.yaml b/old/kubernetes/helm/cluster-autoscaler/values.yaml
new file mode 100644
index 000000000..8defadd44
--- /dev/null
+++ b/old/kubernetes/helm/cluster-autoscaler/values.yaml
@@ -0,0 +1,56 @@
+---
+cluster-autoscaler:
+ cloudProvider: aws
+ awsRegion: us-east-1
+ awsAccessKeyID: bar
+ awsSecretAccessKey: foo
+
+ rbac:
+ ## If true, create & use RBAC resources
+ ##
+ create: true
+ ## If true, create & use Pod Security Policy resources
+ ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+ pspEnabled: true
+
+ resources:
+ limits:
+ cpu: 100m
+ memory: 300Mi
+ requests:
+ cpu: 100m
+ memory: 300Mi
+
+ ## Are you using Prometheus Operator?
+ serviceMonitor:
+ enabled: true
+ interval: "10s"
+ # Namespace Prometheus is installed in
+ namespace: cluster-autoscaler
+ ## Defaults to whats used if you follow CoreOS [Prometheus Install Instructions](https://github.com/helm/charts/tree/master/stable/prometheus-operator#tldr)
+ ## [Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#prometheus-operator-1)
+ ## [Kube Prometheus Selector Label](https://github.com/helm/charts/tree/master/stable/prometheus-operator#exporters)
+ ## kubectl -n monitoring get prometheus monitoring-prometheus-oper-prometheus -o yaml
+ selector:
+ release: monitoring-prometheus-operator
+
+ # https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md
+ extraArgs:
+ v: 7
+ stderrthreshold: info
+ logtostderr: true
+ # write-status-configmap: true
+ # leader-elect: true
+ # skip-nodes-with-local-storage: false
+ # expander: least-waste
+ # scale-down-enabled: true
+ # balance-similar-node-groups: true
+ # min-replica-count: 2
+ # scale-down-utilization-threshold: 0.5
+ # scale-down-non-empty-candidates-count: 5
+ # max-node-provision-time: 15m0s
+ # scan-interval: 10s
+ # scale-down-delay: 10m
+ # scale-down-unneeded-time: 10m
+ # skip-nodes-with-local-storage: false
+ # skip-nodes-with-system-pods: true
diff --git a/old/kubernetes/helm/external-dns/.gitignore b/old/kubernetes/helm/external-dns/.gitignore
new file mode 100644
index 000000000..83f6e3971
--- /dev/null
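Review bot: `awsAccessKeyID: bar` and `awsSecretAccessKey: foo` put credential fields into a committed base values file, and the README added in this commit tells users to "update the `./values.yaml` file with the AWS keys", which is exactly how live keys end up in git history. Prefer leaving these fields empty here and relying on the pre-created `cluster-autoscaler-aws-cluster-autoscaler` Secret that the same README describes, with a comment such as `# Leave empty: supply credentials through the cluster-autoscaler-aws-cluster-autoscaler Secret, never commit keys here`. Separately, `v: 7` is a very verbose log level for a base values file and would sit better in an environment override.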
+++ b/old/kubernetes/helm/external-dns/.gitignore
@@ -0,0 +1 @@
+credentials.json
diff --git a/old/kubernetes/helm/external-dns/Chart.yaml b/old/kubernetes/helm/external-dns/Chart.yaml
new file mode 100644
index 000000000..752ac2910
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+version: 2.5.3
+appVersion: 0.5.15
+description: external-dns
+name: external-dns
diff --git a/old/kubernetes/helm/external-dns/Makefile b/old/kubernetes/helm/external-dns/Makefile
new file mode 100644
index 000000000..775fe7dbb
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/Makefile
@@ -0,0 +1,46 @@
+HELM_BINARY?=helm
+KUBECTL_BINARY?=kubectl
+KUBECONFIG?=~/.kube/config
+KUBE_NAMESPACE?=external-dns
+APPLICATION_NAME?=external-dns
+
+NAME?=external-dns
+
+BASE_PATH=.
+
+BASE_VALUES_FILE?=values.yaml
+VALUES_FILE?=environments/${ENVIRONMENT}/values.yaml
+
+TEMPLATE_OUTPUT_FILE?=/tmp/output.yaml
+
+apply:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --name ${APPLICATION_NAME} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./ > ${TEMPLATE_OUTPUT_FILE}
+ kubectl --namespace ${KUBE_NAMESPACE} apply -f ${TEMPLATE_OUTPUT_FILE}
+
+template:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --name ${APPLICATION_NAME} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./
+
+delete:
+ ${HELM_BINARY} template \
+ --namespace ${KUBE_NAMESPACE} \
+ --name ${APPLICATION_NAME} \
+ --values ${BASE_PATH}/${BASE_VALUES_FILE} \
+ --values ${BASE_PATH}/${VALUES_FILE} \
+ ./ > ${TEMPLATE_OUTPUT_FILE}
+ kubectl --namespace ${KUBE_NAMESPACE} delete -f ${TEMPLATE_OUTPUT_FILE}
+
+build-dependency:
+ ${HELM_BINARY} dependency build
+
+list:
+ ${HELM_BINARY} list
diff --git a/old/kubernetes/helm/external-dns/README.md b/old/kubernetes/helm/external-dns/README.md
new file mode 100644
index 000000000..680e117a0
--- /dev/null
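Review bot: `TEMPLATE_OUTPUT_FILE?=/tmp/output.yaml` writes the fully rendered manifests, including whatever `aws.credentials` values an environment file carries, to a shared directory where the file is typically world-readable under the default umask, and leaves it there after `kubectl apply`; the cluster-autoscaler Makefile in the same commit uses a gitignored `./output.yaml` instead. Either match that default or skip the intermediate file entirely with `${HELM_BINARY} template ... ./ | kubectl --namespace ${KUBE_NAMESPACE} apply -f -`. `KUBECTL_BINARY` is declared but the recipes call `kubectl` directly.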
+++ b/old/kubernetes/helm/external-dns/README.md
@@ -0,0 +1,43 @@
+external-dns
+==============
+
+Source: https://github.com/helm/charts/tree/master/stable/external-dns
+
+
+# IAM Permissions needed for this app:
+https://github.com/helm/charts/tree/master/stable/external-dns#iam-permissions
+
+You can create an AWS key specifically for this application with these permissions
+
+```
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws:route53:::hostedzone/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "route53:ListHostedZones",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "*"
+ ]
+ }
+ ]
+}
+```
+
+# Annotating the service or ingress
+
+```
+external-dns.alpha.kubernetes.io/hostname: nginx.example.org
+```
diff --git a/old/kubernetes/helm/external-dns/charts/external-dns-2.5.3.tgz b/old/kubernetes/helm/external-dns/charts/external-dns-2.5.3.tgz
new file mode 100644
index 000000000..05be20901
Binary files /dev/null and b/old/kubernetes/helm/external-dns/charts/external-dns-2.5.3.tgz differ
diff --git a/old/kubernetes/helm/external-dns/environments/aws-dev/values.yaml b/old/kubernetes/helm/external-dns/environments/aws-dev/values.yaml
new file mode 100644
index 000000000..be9ccf929
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/environments/aws-dev/values.yaml
@@ -0,0 +1,16 @@
+---
+external-dns:
+
+ ## The dns provider
+ provider: aws
+
+ txtOwnerId: "k8s-aws-dev"
+
+ ## List of domains that can be managed
+ domainFilters: ["dev.us-east-1.managedkube.com"]
+
+ aws:
+ credentials:
+ secretKey: ""
+ accessKey: ""
+ region: us-east-1
diff --git a/old/kubernetes/helm/external-dns/environments/gcp-dev/values.yaml b/old/kubernetes/helm/external-dns/environments/gcp-dev/values.yaml
new file mode 100644
index 000000000..1ba63d7a0
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/environments/gcp-dev/values.yaml
@@ -0,0 +1,23 @@
+---
+external-dns:
+ ## The dns provider
+ provider: google
+
+ txtOwnerId: "k8s-gcp-dev"
+
+ ## List of domains that can be managed
+ domainFilters: ["dev.k8s.managedkube.com"]
+
+ google:
+ ## Google Project to use
+ ##
+ project: "managedkube"
+ ## Google Application Credentials
+ ##
+ # Sepcify a secret containing the credentials.json file
+ #
+ # The file name has to be "credentials.json". The file name is put into the secret
+ # as the key name and the chart is looking for the key name "credentials.json"
+ # kubectl -n external-dns create secret generic gcp-credentials-json --from-file=/credentials.json
+ serviceAccountSecret: "gcp-credentials-json"
+ # serviceAccountKey: ""
diff --git a/old/kubernetes/helm/external-dns/requirements.lock b/old/kubernetes/helm/external-dns/requirements.lock
new file mode 100644
index 000000000..ac2109629
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: external-dns
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ version: 2.5.3
+digest: sha256:bff49d84e7d194f445e9997f8bd94de2497d602ddcbb798cd016eda8ee4eef33
+generated: 2019-08-14T20:07:12.135322678-07:00
diff --git a/old/kubernetes/helm/external-dns/requirements.yaml b/old/kubernetes/helm/external-dns/requirements.yaml
new file mode 100644
index 000000000..322bd1412
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/requirements.yaml
@@ -0,0 +1,5 @@
+---
+dependencies:
+- name: external-dns
+ version: 2.5.3
+ repository: https://kubernetes-charts.storage.googleapis.com/
diff --git a/old/kubernetes/helm/external-dns/values.yaml b/old/kubernetes/helm/external-dns/values.yaml
new file mode 100644
index 000000000..544b8780b
--- /dev/null
+++ b/old/kubernetes/helm/external-dns/values.yaml
@@ -0,0 +1,23 @@
+---
+external-dns:
+
+ resources:
+ limits:
+ memory: 50Mi
+ requests:
+ memory: 50Mi
+ cpu: 10m
+
+ # DNS Creation
+ # upsert-only: would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+ # sync: would allow for deletes
+ policy: upsert-only
+
+ # These help tell which records are owned by external-dns.
+ registry: "txt"
+ txtOwnerId: "k8s"
+
+ logLevel: debug
+
+ rbac:
+ create: true
diff --git a/old/kubernetes/helm/flux/README.md b/old/kubernetes/helm/flux/README.md
new file mode 100644
index 000000000..54b1008f9
--- /dev/null
+++ b/old/kubernetes/helm/flux/README.md
@@ -0,0 +1,71 @@
+Flux Setup
+============
+Flux is a GitOps workflow tool that runs an operator in each cluster you want it to be able to deploy into. You link it up with your Git repository and it syncs your repository with your cluster. This means that if you wanted to deploy something or update something in the Kubernetes cluster, all you have to do is make the changes in the source repository, commit, and push it in. Flux will check with the source repository every so often and sync what is there to the Kubernetes cluster. The Flux operator will sync and deploy items based on Kubernetes yaml files only.
+
+Here is the official documentation for reference: [https://docs.fluxcd.io/en/latest/introduction.html](https://docs.fluxcd.io/en/latest/introduction.html)
+
+# Deploy the Flux Operator
+
+```
+cd ./flux
+```
+
+## Add an environment's values.yaml file
+
+For each environment you want to deploy Flux into and for the Git repository you want it to watch, you will have to configure this.
+
+For example, if you have a dev environment watching this repository, you will make a values file like (`./environments/dev/values.yaml`):
+
+```yaml
+flux:
+ git:
+ url: git@github.com:ManagedKube/kubernetes-ops.git
+ branch: master
+ path: "kubernetes/flux"
+```
+
+This pointing to the repository with the `url` at the `branch` and at a certain path in this repository it is watching.
+
+## Deploy it out to your Kubernetes cluster
+
+```
+make ENVIRONMENT=dev apply-crd
+make ENVIRONMENT=dev apply
+```
+
+## Get the Git public key
+For Flux to be able to watch your repository, you will need to add it's public ssh key to your Git repository.
+
+Get the public ssh key:
+
+```
+make get-identity
+```
+
+This will output a key.
+
+```
+In order to sync your cluster state with git you need to copy the public key and create a deploy key with write access on your GitHub repository.
+
+Open GitHub, navigate to your fork, go to Setting > Deploy keys, click on Add deploy key, give it a Title, check Allow write access, paste the Flux public key and click Add key.
+```
+
+# Deploy the Flux helm-operator
+While the Flux Operator syncs and deploys Kubernetes yaml files, the Flux helm-operator acts on the kind:
+
+```yaml
+apiVersion: helm.fluxcd.io/v1
+kind: HelmRelease
+```
+
+With this Flux CRD, we can express Helm deployments in a yaml file and the Flux helm-operator will run the Helm3 commands for us and deploy it in the cluster. In short, this helps us to sync Helm3 definitions in our Git repository to a Helm deployment in our Kubernetes cluster.
+
+## Deploy
+
+```
+cd ./helm-operator
+make ENVIRONMENT=dev apply-crd
+make ENVIRONMENT=dev apply
+```
+
+
diff --git a/old/kubernetes/helm/flux/flux/Chart.yaml b/old/kubernetes/helm/flux/flux/Chart.yaml
new file mode 100644
index 000000000..54d16b9fe
--- /dev/null
+++ b/old/kubernetes/helm/flux/flux/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+appVersion: "1.18.0"
+version: 1.2.0
+kubeVersion: ">=1.9.0-0"
+name: flux
+description: Flux is a tool that automatically ensures that the state of a cluster matches what is specified in version control
+home: https://fluxcd.io
+sources:
+- https://github.com/fluxcd/flux
+
+dependencies:
+- name: flux
+ version: 1.2.0
+ repository: https://charts.fluxcd.io
diff --git a/old/kubernetes/helm/flux/flux/Makefile b/old/kubernetes/helm/flux/flux/Makefile
new file mode 100644
index 000000000..d3941ad91
--- /dev/null
+++ b/old/kubernetes/helm/flux/flux/Makefile
@@ -0,0 +1,44 @@
+HELM_BINARY?=helm
+FLUXCTL_BINARY?=fluxctl
+KUBECONFIG?=~/.kube/config
+KUBE_NAMESPACE?=flux
+
+BASE_PATH=.
+
+APPLCATION_CHART_NAME=./
+APPLICATION_NAME=flux
+# VERSION=0.11
+
+dependency:
+ ${HELM_BINARY} dependency build
+
+apply-crd:
+ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-${VERSION}/deploy/manifests/00-crds.yaml
+
+delete-crd:
+ kubectl delete -f https://raw.githubusercontent.com/jetstack/cert-manager/release-${VERSION}/deploy/manifests/00-crds.yaml
+
+apply:
+ ${HELM_BINARY} upgrade -i ${APPLICATION_NAME} ./ --wait \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${BASE_PATH}/environments/${ENVIRONMENT}/values.yaml
+
+template:
+ ${HELM_BINARY} template ${APPLICATION_NAME} ./ --wait \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${BASE_PATH}/environments/${ENVIRONMENT}/values.yaml
+
+delete:
+ ${HELM_BINARY} --namespace ${KUBE_NAMESPACE} delete ${APPLICATION_NAME}
+
+list:
+ ${HELM_BINARY} --namespace ${KUBE_NAMESPACE} list
+
+dependency-build:
+ ${HELM_BINARY} dependency build
+
+add-repository:
+ ${HELM_BINARY} repo add fluxcd https://charts.fluxcd.io
+
+get-identity:
+ ${FLUXCTL_BINARY} identity --k8s-fwd-ns ${KUBE_NAMESPACE} --k8s-fwd-labels "release=flux,app=flux"
diff --git a/old/kubernetes/helm/flux/flux/README.md b/old/kubernetes/helm/flux/flux/README.md
new file mode 100644
index 000000000..4884b151e
--- /dev/null
+++ b/old/kubernetes/helm/flux/flux/README.md
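Review bot: The `apply-crd` and `delete-crd` targets look carried over from the cert-manager Makefile: they still point at `jetstack/cert-manager/release-${VERSION}/deploy/manifests/00-crds.yaml`, and `VERSION` is commented out, so the `make ENVIRONMENT=dev apply-crd` step in the flux README added by this commit would fetch a cert-manager URL with an empty version and apply whatever comes back with `--validate=false`. Either remove both targets or point them at the CRD manifest the flux chart actually requires, with a pinned, immutable version. `APPLCATION_CHART_NAME` is misspelled and unused here as well.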
@@ -0,0 +1,26 @@ +Weaveworks Flux: +================== + +Sourc repo: https://github.com/fluxcd/flux + +A great tutorial: https://github.com/fluxcd/helm-operator-get-started + + +# Setup + +## Install the helm chart +You should update the `./environment/dev/values.yaml` file with your Git repository URL. + +``` +make ENVIRONMENT=dev apply +``` + +## Get the Git ssh pub key + +``` +make ENVIRONMENT=dev get-identity +``` + +In order to sync your cluster state with Git you need to copy the public key and create a deploy key with write access on your GitHub repository. + +Open GitHub, navigate to your fork, go to Setting > Deploy keys click on Add deploy key, check Allow write access, paste the Flux public key and click Add key. diff --git a/old/kubernetes/helm/flux/flux/charts/flux-1.2.0.tgz b/old/kubernetes/helm/flux/flux/charts/flux-1.2.0.tgz new file mode 100644 index 000000000..035da8877 Binary files /dev/null and b/old/kubernetes/helm/flux/flux/charts/flux-1.2.0.tgz differ diff --git a/old/kubernetes/helm/flux/flux/environments/dev/values.yaml b/old/kubernetes/helm/flux/flux/environments/dev/values.yaml new file mode 100644 index 000000000..7255c96bc --- /dev/null +++ b/old/kubernetes/helm/flux/flux/environments/dev/values.yaml @@ -0,0 +1,5 @@ +flux: + git: + url: git@github.com:ManagedKube/kubernetes-ops.git + branch: master + path: "kubernetes/flux/releases/gcp/dev" diff --git a/old/kubernetes/helm/flux/flux/requirements.lock b/old/kubernetes/helm/flux/flux/requirements.lock new file mode 100644 index 000000000..e3fd61eac --- /dev/null +++ b/old/kubernetes/helm/flux/flux/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: flux + repository: https://charts.fluxcd.io + version: 1.2.0 +digest: sha256:e714caf6399f11e6cbc14ae04dbdae6b21d7730f17caed768a50a4db2b0a1b52 +generated: "2020-03-07T13:33:19.663636901-08:00" diff --git a/old/kubernetes/helm/flux/flux/values.yaml b/old/kubernetes/helm/flux/flux/values.yaml new file mode 100644 index 000000000..e69de29bb 
diff --git a/old/kubernetes/helm/flux/helm-operator/Chart.yaml b/old/kubernetes/helm/flux/helm-operator/Chart.yaml
new file mode 100644
index 000000000..9bda62622
--- /dev/null
+++ b/old/kubernetes/helm/flux/helm-operator/Chart.yaml
@@ -0,0 +1,15 @@
+
+apiVersion: v1
+appVersion: "1.0.0-rc9"
+version: 0.7.0
+kubeVersion: ">=1.11.0-0"
+name: helm-operator
+description: Flux Helm Operator is a CRD controller for declarative helming
+home: https://fluxcd.io
+sources:
+- https://github.com/fluxcd/helm-operator
+
+dependencies:
+- name: helm-operator
+ version: 0.7.0
+ repository: https://charts.fluxcd.io
diff --git a/old/kubernetes/helm/flux/helm-operator/Makefile b/old/kubernetes/helm/flux/helm-operator/Makefile
new file mode 100644
index 000000000..953e33066
--- /dev/null
+++ b/old/kubernetes/helm/flux/helm-operator/Makefile
@@ -0,0 +1,45 @@ +HELM_BINARY?=helm +KUBECONFIG?=~/.kube/config +KUBE_NAMESPACE?=flux + +BASE_PATH=. + +APPLCATION_CHART_NAME=./ +APPLICATION_NAME=helm-operator +# CRD_VERSION=1.0.0 + +dependency: + ${HELM_BINARY} dependency build + +# This CRD should be versioned once they get to 1.0.0 +apply-crd: + kubectl apply -f https://raw.githubusercontent.com/fluxcd/helm-operator/master/deploy/crds.yaml + +delete-crd: + kubectl delete -f https://raw.githubusercontent.com/fluxcd/helm-operator/master/deploy/crds.yaml + +apply: + ${HELM_BINARY} upgrade -i ${APPLICATION_NAME} ./ --wait \ + --namespace ${KUBE_NAMESPACE} \ + --set git.ssh.secretName=flux-git-deploy \ + --set helm.versions=v3 + + +#--values ${BASE_PATH}/environments/${ENVIRONMENT}/values.yaml + +template: + ${HELM_BINARY} template ${APPLICATION_NAME} ./ --wait \ + --namespace ${KUBE_NAMESPACE} \ + --values ${BASE_PATH}/environments/${ENVIRONMENT}/values.yaml + +delete: + ${HELM_BINARY} --namespace ${KUBE_NAMESPACE} delete ${APPLICATION_NAME} + +list: + ${HELM_BINARY} --namespace ${KUBE_NAMESPACE} list + +dependency-build: + ${HELM_BINARY} dependency build + +add-repository: + ${HELM_BINARY} repo add fluxcd https://charts.fluxcd.io diff --git a/old/kubernetes/helm/flux/helm-operator/README.md b/old/kubernetes/helm/flux/helm-operator/README.md new file mode 100644 index 000000000..db61e03e7 --- /dev/null +++ b/old/kubernetes/helm/flux/helm-operator/README.md @@ -0,0 +1,23 @@ +Flux Helm-Operator +==================== + +Source: https://github.com/fluxcd/helm-operator + +Good tutorial: https://github.com/fluxcd/helm-operator-get-started + +Very helpful doc on the `HelmRelease` CRD and what it can do: https://github.com/fluxcd/helm-operator/blob/master/docs/references/helmrelease-custom-resource.md + + +# Setup + +## Apply the `HelmRelease` CRD + +``` +make ENVIRONMENT=dev apply-crd +``` + +# Install the helm operator + +``` +make ENVIRONMENT=dev apply +``` 
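Review bot: In helm-operator/Makefile the `apply` target passes `--set git.ssh.secretName=flux-git-deploy` and `--set helm.versions=v3`, but this chart only wraps upstream `helm-operator` as a dependency, so those top-level keys never reach the subchart; the same commit's values.yaml already sets both under the `helm-operator:` key, which is the form that works. Either drop the two `--set` lines or prefix them, e.g. `--set helm-operator.helm.versions=v3`. Separately, `apply-crd`/`delete-crd` fetch `crds.yaml` from the `master` branch while the chart pins operator 0.7.0, so the CRD applied will drift from the operator version over time; pin the URL to the matching tag or commit.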
diff --git a/old/kubernetes/helm/flux/helm-operator/charts/helm-operator-0.7.0.tgz b/old/kubernetes/helm/flux/helm-operator/charts/helm-operator-0.7.0.tgz new file mode 100644 index 000000000..bf32804c6 Binary files /dev/null and b/old/kubernetes/helm/flux/helm-operator/charts/helm-operator-0.7.0.tgz differ diff --git a/old/kubernetes/helm/flux/helm-operator/environments/dev/values.yaml b/old/kubernetes/helm/flux/helm-operator/environments/dev/values.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/old/kubernetes/helm/flux/helm-operator/requirements.lock b/old/kubernetes/helm/flux/helm-operator/requirements.lock new file mode 100644 index 000000000..c223085a5 --- /dev/null +++ b/old/kubernetes/helm/flux/helm-operator/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: helm-operator + repository: https://charts.fluxcd.io + version: 0.7.0 +digest: sha256:077f7f42fb0f354389c43538850ff769ef4abc17e7f2a082efc3806ee6e51e95 +generated: "2020-03-09T05:57:46.805206448-07:00" diff --git a/old/kubernetes/helm/flux/helm-operator/values.yaml b/old/kubernetes/helm/flux/helm-operator/values.yaml new file mode 100644 index 000000000..d3c6fa49c --- /dev/null +++ b/old/kubernetes/helm/flux/helm-operator/values.yaml @@ -0,0 +1,7 @@ +helm-operator: + helm: + versions: v3 + + git: + ssh: + secretName: flux-git-deploy diff --git a/old/kubernetes/helm/flux/namespaces/namespace.yaml b/old/kubernetes/helm/flux/namespaces/namespace.yaml new file mode 100644 index 000000000..e80ad5a8e --- /dev/null +++ b/old/kubernetes/helm/flux/namespaces/namespace.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: flux + labels: + name: flux diff --git a/old/kubernetes/helm/http-echo/README.md b/old/kubernetes/helm/http-echo/README.md new file mode 100644 index 000000000..4891a5926 --- /dev/null +++ b/old/kubernetes/helm/http-echo/README.md @@ -0,0 +1,4 @@ +HTTP Echo +============ + +Source: https://github.com/kelseyhightower/gke-service-accounts-tutorial 
diff --git a/old/kubernetes/helm/http-echo/deployment.yaml b/old/kubernetes/helm/http-echo/deployment.yaml new file mode 100644 index 000000000..21f15d18a --- /dev/null +++ b/old/kubernetes/helm/http-echo/deployment.yaml @@ -0,0 +1,24 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: echoserver +spec: + replicas: 1 + template: + metadata: + labels: + app: echoserver + spec: + containers: + - image: gcr.io/google_containers/echoserver:1.10 + imagePullPolicy: Always + name: echoserver + ports: + - containerPort: 8080 + resources: + requests: + memory: "64Mi" + cpu: "1000m" + limits: + memory: "128Mi" + cpu: "1000m" \ No newline at end of file diff --git a/old/kubernetes/helm/http-echo/ingress.yaml b/old/kubernetes/helm/http-echo/ingress.yaml new file mode 100644 index 000000000..4ec8f9385 --- /dev/null +++ b/old/kubernetes/helm/http-echo/ingress.yaml @@ -0,0 +1,20 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: echoserver + annotations: + # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: "nginx-external" +spec: + # tls: + # - hosts: + # - echo.example.com + # secretName: echoserver-tls + rules: + - host: gar1.example.com + http: + paths: + - path: / + backend: + serviceName: echoserver + servicePort: 80 diff --git a/old/kubernetes/helm/http-echo/namespace.yaml b/old/kubernetes/helm/http-echo/namespace.yaml new file mode 100644 index 000000000..db78534ac --- /dev/null +++ b/old/kubernetes/helm/http-echo/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: http-echo + labels: + name: http-ech diff --git a/old/kubernetes/helm/http-echo/service.yaml b/old/kubernetes/helm/http-echo/service.yaml new file mode 100644 index 000000000..0484dd62c --- /dev/null +++ b/old/kubernetes/helm/http-echo/service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: echoserver +spec: + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + selector: + app: echoserver 
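Review bot: http-echo/deployment.yaml declares `apiVersion: extensions/v1beta1` for a Deployment, which Kubernetes stopped serving in 1.16, so `kubectl apply` fails on any current cluster. Moving to `apps/v1` also requires an explicit `spec.selector` (`matchLabels: {app: echoserver}`), which this manifest omits. The container carries no `securityContext`; `allowPrivilegeEscalation: false` is cheap to add for an echo server, and `runAsNonRoot: true` if the image permits it.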
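Review bot: http-echo/namespace.yaml labels the namespace `name: http-ech` while `metadata.name` is `http-echo`; the label looks truncated, and any selector keyed on the namespace label (a NetworkPolicy `namespaceSelector`, for example) would silently miss it. Change the label to `name: http-echo`.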
diff --git a/old/kubernetes/helm/jenkins/.gitignore b/old/kubernetes/helm/jenkins/.gitignore new file mode 100644 index 000000000..c5bf9d03a --- /dev/null +++ b/old/kubernetes/helm/jenkins/.gitignore @@ -0,0 +1 @@ +output.yaml diff --git a/old/kubernetes/helm/jenkins/Chart.yaml b/old/kubernetes/helm/jenkins/Chart.yaml new file mode 100644 index 000000000..4963b074e --- /dev/null +++ b/old/kubernetes/helm/jenkins/Chart.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +name: jenkins +home: https://jenkins.io/ +version: 1.2.2 +appVersion: lts +description: Open source continuous integration server. It supports multiple SCM tools + including CVS, Subversion and Git. It can execute Apache Ant and Apache Maven-based + projects as well as arbitrary scripts. +sources: +- https://github.com/jenkinsci/jenkins +- https://github.com/jenkinsci/docker-jnlp-slave +- https://github.com/nuvo/kube-tasks +- https://github.com/jenkinsci/configuration-as-code-plugin +maintainers: +- name: lachie83 + email: lachlan.evenson@microsoft.com +- name: viglesiasce + email: viglesias@google.com +- name: maorfr + email: maor.friedman@redhat.com +- name: torstenwalter + email: mail@torstenwalter.de +icon: https://wiki.jenkins-ci.org/download/attachments/2916393/logo.png diff --git a/old/kubernetes/helm/jenkins/Makefile b/old/kubernetes/helm/jenkins/Makefile new file mode 100644 index 000000000..74024110f --- /dev/null +++ b/old/kubernetes/helm/jenkins/Makefile 
@@ -0,0 +1,46 @@ +HELM_BINARY?=helm +KUBECTL_BINARY?=kubectl +KUBECONFIG?=~/.kube/config +KUBE_NAMESPACE?=jenkins +APPLICATION_NAME?=jenkins + +NAME?=jenkins + +BASE_PATH=. + +BASE_VALUES_FILE?=values.yaml +VALUES_FILE?=values-${ENVIRONMENT}.yaml + +TEMPLATE_OUTPUT_FILE?=./output.yaml + +apply: + ${HELM_BINARY} template \ + --namespace ${KUBE_NAMESPACE} \ + --name ${APPLICATION_NAME} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} \ + ./ > ${TEMPLATE_OUTPUT_FILE} + kubectl --namespace ${KUBE_NAMESPACE} apply -f ${TEMPLATE_OUTPUT_FILE} + +template: + ${HELM_BINARY} template \ + --namespace ${KUBE_NAMESPACE} \ + --name ${APPLICATION_NAME} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} \ + ./ + +delete: + ${HELM_BINARY} template \ + --namespace ${KUBE_NAMESPACE} \ + --name ${APPLICATION_NAME} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} \ + ./ > ${TEMPLATE_OUTPUT_FILE} + kubectl --namespace ${KUBE_NAMESPACE} delete -f ${TEMPLATE_OUTPUT_FILE} + +build-dependency: + ${HELM_BINARY} dependency build + +list: + ${HELM_BINARY} list diff --git a/old/kubernetes/helm/jenkins/README.md b/old/kubernetes/helm/jenkins/README.md new file mode 100644 index 000000000..5a3a2e7b3 --- /dev/null +++ b/old/kubernetes/helm/jenkins/README.md @@ -0,0 +1,4 @@ +Jenkins +============ + +Source Chart: https://github.com/helm/charts/tree/master/stable/jenkins diff --git a/old/kubernetes/helm/jenkins/charts/jenkins-1.2.2.tgz b/old/kubernetes/helm/jenkins/charts/jenkins-1.2.2.tgz new file mode 100644 index 000000000..802cfcb85 Binary files /dev/null and b/old/kubernetes/helm/jenkins/charts/jenkins-1.2.2.tgz differ diff --git a/old/kubernetes/helm/jenkins/requirements.lock b/old/kubernetes/helm/jenkins/requirements.lock new file mode 100644 index 000000000..f3d429c34 --- /dev/null +++ b/old/kubernetes/helm/jenkins/requirements.lock 
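Review bot: jenkins/Makefile defines `KUBECTL_BINARY?=kubectl` but `apply` and `delete` invoke `kubectl` literally, so the override has no effect; use `${KUBECTL_BINARY} --namespace ${KUBE_NAMESPACE} apply -f ${TEMPLATE_OUTPUT_FILE}` (and the `delete` equivalent). `helm template --name` is Helm 2 syntax, so this Makefile is tied to the Helm 2 binary while the flux Makefiles in the same commit use the Helm 3 form. Rendering to `output.yaml` before applying also writes every rendered Secret to disk in plaintext, likely including the admin credential the chart builds from its values; the file is gitignored, but `helm upgrade -i` avoids the intermediate file entirely.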
@@ -0,0 +1,6 @@ +dependencies: +- name: jenkins + repository: https://kubernetes-charts.storage.googleapis.com/ + version: 1.2.2 +digest: sha256:85557de12aea7fcd68cf6fc0fea3b4583883de8091bfa181ad1f043914433fd4 +generated: 2019-06-14T18:14:43.292223386-07:00 diff --git a/old/kubernetes/helm/jenkins/requirements.yaml b/old/kubernetes/helm/jenkins/requirements.yaml new file mode 100644 index 000000000..6787213bd --- /dev/null +++ b/old/kubernetes/helm/jenkins/requirements.yaml @@ -0,0 +1,5 @@ +--- +dependencies: +- name: jenkins + version: 1.2.2 + repository: https://kubernetes-charts.storage.googleapis.com/ diff --git a/old/kubernetes/helm/jenkins/values-infrastructure.yaml b/old/kubernetes/helm/jenkins/values-infrastructure.yaml new file mode 100644 index 000000000..4bb211357 --- /dev/null +++ b/old/kubernetes/helm/jenkins/values-infrastructure.yaml @@ -0,0 +1,18 @@ +--- +jenkins: + master: + adminPassword: eUx6dmRkMjBkdw + ingress: + enabled: true + # For Kubernetes v1.14+, use 'networking.k8s.io/v1beta1' + apiVersion: "extensions/v1beta1" + labels: {} + annotations: + kubernetes.io/ingress.class: nginx-external + external-dns.alpha.kubernetes.io/hostname: jenkins.t.htap.us + certmanager.k8s.io/cluster-issuer: issuer-http01 + hostName: jenkins.t.htap.us + tls: + - secretName: jenkins-tls + hosts: + - jenkins.t.htap.us diff --git a/old/kubernetes/helm/jenkins/values.yaml b/old/kubernetes/helm/jenkins/values.yaml new file mode 100644 index 000000000..8eeee84ad --- /dev/null +++ b/old/kubernetes/helm/jenkins/values.yaml @@ -0,0 +1,11 @@ +--- +jenkins: + master: + # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to + # set allowed inbound rules on the security group assigned to the master load balancer + # loadBalancerSourceRanges: + # # Office IPs + # - 12.190.239.210/32 + # - 67.207.97.74/32 + # - 13.52.67.208/32 + serviceType: ClusterIP 
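Review bot: values-infrastructure.yaml commits `jenkins.master.adminPassword` in plaintext, so the Jenkins admin credential is readable by anyone with read access to this repository and remains in git history after it is removed. Keep the value out of the values file (an encrypted values file, or a pre-created Secret if this chart version supports referencing one) and rotate the password, since it has already been published. The explicit `apiVersion: "extensions/v1beta1"` for the ingress is deprecated from 1.14 and removed in 1.22; the chart comment on the line above already points at the `networking.k8s.io` replacement.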
diff --git a/old/kubernetes/helm/kube-bench/kops/job-master.yaml b/old/kubernetes/helm/kube-bench/kops/job-master.yaml
new file mode 100644
index 000000000..c149124d5
--- /dev/null
+++ b/old/kubernetes/helm/kube-bench/kops/job-master.yaml
@@ -0,0 +1,47 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench-master +spec: + template: + spec: + hostPID: true + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: kube-bench + image: aquasec/kube-bench:latest + # Checks available: https://github.com/aquasecurity/kube-bench/blob/master/cfg/1.11/master.yaml + command: ["kube-bench","master", "--version", "1.11", "--check=1.1.1,1.1.2,1.1.3,1.1.4,1.1.5,1.1.6,1.1.7,1.1.8,1.1.9,1.1.10,1.1.11,1.1.12,1.1.13,1.1.14,1.1.15,1.1.16,1.1.17,1.1.18,1.1.19,1.1.20,1.1.21,1.1.22,1.1.23,1.1.24,1.1.25,1.1.26,1.1.27,1.1.28,1.1.29,1.1.30,1.1.31,1.1.32,1.1.33,1.1.34,1.1.35,1.1.36,1.1.37,1.1.38,1.1.39,1.2.1,1.2.2,1.3.1,1.3.2,1.3.3,1.3.4,1.3.5,1.3.6,1.3.7,1.4.1,1.4.2,1.4.3,1.4.4,1.4.5,1.4.6,1.4.7,1.4.8,1.4.9,1.4.10,1.4.13,1.4.14,1.4.15,1.4.16,1.4.17,1.4.18,1.5.1,1.5.2,1.5.3,1.5.4,1.5.5,1.5.6,1.5.7,1.6.1,1.6.2,1.6.3,1.6.4,1.6.5,1.6.6,1.6.7,1.6.8,1.7.1,1.7.2,1.7.3,1.7.4,1.7.5,1.7.6,1.7.7"] + # command: ["sleep", "999999"] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + - name: etc-kubernetes + mountPath: /etc/kubernetes + # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/bin + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + # CoreOS path to where the kubelet binary is + - name: usr-bin + hostPath: + path: "/opt/kubernetes/bin" + nodeSelector: + kubernetes.io/role: master + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists diff --git a/old/kubernetes/helm/kube-bench/kops/job-node.yaml b/old/kubernetes/helm/kube-bench/kops/job-node.yaml new file mode 100644 index 000000000..fe17996b3 
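Review bot: The pod spec in job-master.yaml declares `nodeSelector` and `tolerations` twice, once at the top (`node-role.kubernetes.io/master: ""`) and again after `volumes` (`kubernetes.io/role: master`); duplicate mapping keys are either rejected by the YAML decoder or resolved last-wins, so only one selector applies and which one is not obvious from reading the file. Keep a single `nodeSelector`/`tolerations` block. This job runs with `hostPID: true` and mounts `/etc/kubernetes` and `/var/lib/etcd` from the control-plane node, yet pulls `aquasec/kube-bench:latest`; pin the image by tag and digest so the code given that host access is the one that was reviewed. The `usr-bin` mount also overlays the container's own `/usr/bin` with the host's `/opt/kubernetes/bin`, and its own comment says it can be omitted when `--version` is passed, which it is.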
--- /dev/null +++ b/old/kubernetes/helm/kube-bench/kops/job-node.yaml @@ -0,0 +1,41 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench-node +spec: + template: + spec: + hostPID: true + containers: + - name: kube-bench + image: aquasec/kube-bench:latest + imagePullPolicy: Always + # command: ["kube-bench","node", "--version", "1.11", "--json"] + command: ["kube-bench", "--version", "1.11"] + # command: ["kube-bench","node"] + volumeMounts: + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + - name: etc-systemd + mountPath: /etc/systemd + - name: etc-kubernetes + mountPath: /etc/kubernetes + # /usr/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/bin + restartPolicy: Never + volumes: + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + # CoreOS path to where the kubelet binary is + - name: usr-bin + hostPath: + path: "/opt/kubernetes/bin" diff --git a/old/kubernetes/helm/kube-metrics-adapter/Chart.yaml b/old/kubernetes/helm/kube-metrics-adapter/Chart.yaml new file mode 100644 index 000000000..1ac7a05f8 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: kube-metrics-adapter +version: v0.1.0 +appVersion: v0.1.0 +description: Kube Metrics Adapter is a general purpose metrics adapter for Kubernetes that can collect and serve custom and external metrics for Horizontal Pod Autoscaling. diff --git a/old/kubernetes/helm/kube-metrics-adapter/README.md b/old/kubernetes/helm/kube-metrics-adapter/README.md new file mode 100644 index 000000000..e26374b9a --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/README.md 
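Review bot: job-node.yaml runs `aquasec/kube-bench:latest` with `imagePullPolicy: Always`, `hostPID: true` and host mounts of `/etc/kubernetes`, `/var/lib/kubelet` and `/etc/systemd`, so every run executes whatever the tag currently points at with host-level access; pin the image by tag and digest. The active command `["kube-bench", "--version", "1.11"]` omits the `node` target that both commented-out variants pass; if this kube-bench release requires a target the job fails, and if it auto-detects, the `/usr/bin` mount is unnecessary per its own comment because `--version` is given. A Job schedules a single pod, so this benchmarks one arbitrary worker; a DaemonSet (or one job per node) is needed to cover every node.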
@@ -0,0 +1,7 @@
+kube-metrics-adapter
+=====================
+
+Source: https://github.com/zalando-incubator/kube-metrics-adapter
+
+Kube Metrics Adapter is a general purpose metrics adapter for Kubernetes that can collect and serve custom and external metrics for Horizontal Pod Autoscaling.
+
diff --git a/old/kubernetes/helm/kube-metrics-adapter/templates/custom-metrics-apiservice.yaml b/old/kubernetes/helm/kube-metrics-adapter/templates/custom-metrics-apiservice.yaml
new file mode 100644
index 000000000..2342427a8
--- /dev/null
+++ b/old/kubernetes/helm/kube-metrics-adapter/templates/custom-metrics-apiservice.yaml
@@ -0,0 +1,14 @@
+apiVersion: apiregistration.k8s.io/v1beta1
+kind: APIService
+metadata:
+ name: v1beta1.custom.metrics.k8s.io
+spec:
+ service:
+ name: kube-metrics-adapter
+ namespace: kube-system
+ group: custom.metrics.k8s.io
+ version: v1beta1
+ insecureSkipTLSVerify: true
+ groupPriorityMinimum: 100
+ versionPriority: 100
+ 
\ No newline at end of file
diff --git a/old/kubernetes/helm/kube-metrics-adapter/templates/deployment.yaml b/old/kubernetes/helm/kube-metrics-adapter/templates/deployment.yaml
new file mode 100644
index 000000000..45149fa31
--- /dev/null
+++ b/old/kubernetes/helm/kube-metrics-adapter/templates/deployment.yaml
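Review bot: custom-metrics-apiservice.yaml sets `insecureSkipTLSVerify: true`, so the kube-apiserver proxies HPA metric requests to the `kube-metrics-adapter` service without verifying its serving certificate; whatever answers on that ClusterIP is trusted to drive scaling decisions. Supply the adapter's serving CA in `spec.caBundle` and drop the flag; `external-metrics-apiservice.yaml` in the next hunk has the same setting and the same fix. `apiregistration.k8s.io/v1beta1` is also deprecated in favour of `apiregistration.k8s.io/v1` and is removed in 1.22.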
@@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kube-metrics-adapter + namespace: kube-system + labels: + application: kube-metrics-adapter + version: {{ .Values.image.tag }} +spec: + replicas: 1 + selector: + matchLabels: + application: kube-metrics-adapter + template: + metadata: + labels: + application: kube-metrics-adapter + version: {{ .Values.image.tag }} + annotations: + iam.amazonaws.com/role: "kube-aws-test-1-app-zmon" + spec: + serviceAccountName: custom-metrics-apiserver + containers: + - name: kube-metrics-adapter + image: registry.opensource.zalan.do/teapot/kube-metrics-adapter:{{ .Values.image.tag }} + args: + # - --v=9 + - --prometheus-server=http://prometheus.kube-system.svc.cluster.local + - --skipper-ingress-metrics + - --aws-external-metrics + env: + - name: AWS_REGION + value: {{ .Values.aws.region }} + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 100m + memory: 100Mi diff --git a/old/kubernetes/helm/kube-metrics-adapter/templates/external-metrics-apiservice.yaml b/old/kubernetes/helm/kube-metrics-adapter/templates/external-metrics-apiservice.yaml new file mode 100644 index 000000000..e43784f38 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/templates/external-metrics-apiservice.yaml @@ -0,0 +1,13 @@ +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1beta1.external.metrics.k8s.io +spec: + service: + name: kube-metrics-adapter + namespace: kube-system + group: external.metrics.k8s.io + version: v1beta1 + insecureSkipTLSVerify: true + groupPriorityMinimum: 100 + versionPriority: 100 diff --git a/old/kubernetes/helm/kube-metrics-adapter/templates/rbac.yaml b/old/kubernetes/helm/kube-metrics-adapter/templates/rbac.yaml new file mode 100644 index 000000000..6bfc7e9e1 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/templates/rbac.yaml 
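Review bot: deployment.yaml hardcodes the pod annotation `iam.amazonaws.com/role: "kube-aws-test-1-app-zmon"`, which reads as the example value from the upstream manifests rather than anything derived from `.Values`; on a cluster running kube2iam or kiam this is the AWS role the adapter assumes, so it should come from a value and be omitted entirely when `--aws-external-metrics` is not wanted. The image tag is templated but `--prometheus-server` and `namespace: kube-system` are fixed, so the chart cannot be installed elsewhere without editing the template; `{{ .Release.Namespace }}` and a `prometheus.server` value would fix that. The container also has no `securityContext`; `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` are cheap for a metrics adapter, and `runAsNonRoot: true` if the image permits it.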
@@ -0,0 +1,146 @@ +kind: ServiceAccount +apiVersion: v1 +metadata: + name: custom-metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: custom-metrics-server-resources +rules: +- apiGroups: + - custom.metrics.k8s.io + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: external-metrics-server-resources +rules: +- apiGroups: + - external.metrics.k8s.io + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: custom-metrics-resource-reader +rules: +- apiGroups: + - "" + resources: + - namespaces + - pods + - services + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: custom-metrics-resource-collector +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - list +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: hpa-controller-custom-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-metrics-server-resources +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: hpa-controller-external-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: external-metrics-server-resources +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding 
+metadata: + name: custom-metrics-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: custom-metrics:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: custom-metrics-resource-collector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-metrics-resource-collector +subjects: +- kind: ServiceAccount + name: custom-metrics-apiserver + namespace: kube-system diff --git a/old/kubernetes/helm/kube-metrics-adapter/templates/service.yaml b/old/kubernetes/helm/kube-metrics-adapter/templates/service.yaml new file mode 100644 index 000000000..b1a24f1f0 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/templates/service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: kube-metrics-adapter + namespace: kube-system +spec: + ports: + - port: 443 + targetPort: 443 + selector: + application: kube-metrics-adapter diff --git a/old/kubernetes/helm/kube-metrics-adapter/test-usage/deployment.yaml b/old/kubernetes/helm/kube-metrics-adapter/test-usage/deployment.yaml new file mode 100644 index 000000000..b12942296 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/test-usage/deployment.yaml 
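Review bot: The ClusterRole `custom-metrics-resource-reader` defined near the top of rbac.yaml is never referenced by any binding in the file, so it grants nothing and is dead configuration; either bind it to `custom-metrics-apiserver` if the adapter needs namespace/service reads, or delete it. `custom-metrics-server-resources` and `external-metrics-server-resources` grant `resources: ["*"]` with `verbs: ["*"]` on their metrics groups, which is broader than the `get`/`list` the HPA controller needs, though it mirrors upstream. Every object also hardcodes `namespace: kube-system` inside a Helm template; `{{ .Release.Namespace }}` would keep the chart installable elsewhere. The rbac.yaml hunk begins on the previous line.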
@@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: custom-metrics-consumer + labels: + application: custom-metrics-consumer + version: latest +spec: + selector: + matchLabels: + application: custom-metrics-consumer + template: + metadata: + labels: + application: custom-metrics-consumer + version: latest + spec: + containers: + - name: custom-metrics-consumer + image: mikkeloscar/custom-metrics-consumer:latest + args: + - --fake-queue-length=2000 + resources: + limits: + cpu: 10m + memory: 25Mi + requests: + cpu: 10m + memory: 25Mi diff --git a/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-pod-metric.yaml b/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-pod-metric.yaml new file mode 100644 index 000000000..a58ae9e48 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-pod-metric.yaml 
@@ -0,0 +1,60 @@ +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: custom-metrics-consumer + namespace: default + labels: + application: custom-metrics-consumer + annotations: + # metric-config.../ + metric-config.pods.queue-length.json-path/json-key: "$.queue.length" + metric-config.pods.queue-length.json-path/path: /metrics + metric-config.pods.queue-length.json-path/port: "9090" + # metric-config.object.requests-per-second.prometheus/query: | + # scalar(sum(rate(skipper_serve_host_duration_seconds_count{host="custom-metrics_example_org"}[1m]))) + # metric-config.object.requests-per-second.prometheus/per-replica: "true" + # metric-config.object.requests-per-second.skipper/interval: "1s" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: custom-metrics-consumer + minReplicas: 1 + maxReplicas: 10 + metrics: + # - type: Resource + # resource: + # name: cpu + # current: + # averageUtilization: 50 + + - type: Pods + pods: + metric: + name: queue-length + target: + averageValue: 10k + type: AverageValue + + # - type: Object + # object: + # describedObject: + # apiVersion: extensions/v1beta1 + # kind: Ingress + # name: custom-metrics-consumer + # metric: + # name: requests-per-second + # target: + # averageValue: "10" + # type: AverageValue + # - type: External + # external: + # metric: + # name: sqs-queue-length + # selector: + # matchLabels: + # queue-name: foobar + # region: eu-central-1 + # target: + # averageValue: "30" + # type: AverageValue diff --git a/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-prometheus-metric-v2beta1.yaml b/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-prometheus-metric-v2beta1.yaml new file mode 100644 index 000000000..d0ebf4113 --- /dev/null +++ b/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-prometheus-metric-v2beta1.yaml 
@@ -0,0 +1,75 @@ +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: custom-metrics-consumer + namespace: default + labels: + application: custom-metrics-consumer + annotations: + # metric-config.../ + # metric-config.pods.queue-length.json-path/json-key: "$.queue.length" + # metric-config.pods.queue-length.json-path/path: /metrics + # metric-config.pods.queue-length.json-path/port: "9090" + # metric-config.object.requests-per-second.prometheus/query: | + # scalar(sum(rate(skipper_serve_host_duration_seconds_count{host="custom-metrics_example_org"}[1m]))) + # metric-config.object.requests-per-second.prometheus/per-replica: "true" + # metric-config.object.requests-per-second.skipper/interval: "1s" + metric-config.external.prometheus-query.prometheus/prometheus-server: http://prometheus-operator-prometheus.monitoring.svc:9090 + metric-config.external.prometheus-query.prometheus/processed-events-per-second: | + sum(rate(nginx_ingress_controller_nginx_process_connections_total{}[1m])) +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: custom-metrics-consumer + minReplicas: 1 + maxReplicas: 10 + metrics: + # - type: Resource + # resource: + # name: cpu + # current: + # averageUtilization: 50 + + - type: External + external: + metricName: "gar" + metric: + name: prometheus-query + selector: + matchLabels: + query-name: processed-events-per-second + target: + type: AverageValue + averageValue: "1" + + # - type: Pods + # pods: + # metric: + # name: queue-length + # target: + # averageValue: 10k + # type: AverageValue + + # - type: Object + # object: + # describedObject: + # apiVersion: extensions/v1beta1 + # kind: Ingress + # name: custom-metrics-consumer + # metric: + # name: requests-per-second + # target: + # averageValue: "10" + # type: AverageValue + # - type: External + # external: + # metric: + # name: sqs-queue-length + # selector: + # matchLabels: + # queue-name: foobar + # region: eu-central-1 + # target: + # 
averageValue: "30"
+ # type: AverageValue
diff --git a/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-prometheus-metric-v2beta2.yaml b/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-prometheus-metric-v2beta2.yaml
new file mode 100644
index 000000000..1adf1c8e7
--- /dev/null
+++ b/old/kubernetes/helm/kube-metrics-adapter/test-usage/hpa-prometheus-metric-v2beta2.yaml
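Review bot: hpa-prometheus-metric-v2beta1.yaml declares `autoscaling/v2beta1` but writes its External metric in v2beta2 shape (`metric.name`, `selector`, `target.type`/`target.averageValue`) next to a v2beta1 `metricName: "gar"`; under v2beta1 the nested fields are unknown and are dropped or rejected, leaving a metric named `gar` with no selector and no target, which does not match the `prometheus-query` annotation the adapter reads. The v2beta1 form uses `metricName`, `metricSelector` and `targetAverageValue`, as below. The hunk begins on the previous line.
```yaml
  - type: External
    external:
      metricName: prometheus-query
      metricSelector:
        matchLabels:
          query-name: processed-events-per-second
      targetAverageValue: "1"
# … unchanged: annotations, scaleTargetRef, commented-out examples …
```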
@@ -0,0 +1,74 @@
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: custom-metrics-consumer
+ namespace: default
+ labels:
+ application: custom-metrics-consumer
+ annotations:
+ # metric-config.../
+ # metric-config.pods.queue-length.json-path/json-key: "$.queue.length"
+ # metric-config.pods.queue-length.json-path/path: /metrics
+ # metric-config.pods.queue-length.json-path/port: "9090"
+ # metric-config.object.requests-per-second.prometheus/query: |
+ # scalar(sum(rate(skipper_serve_host_duration_seconds_count{host="custom-metrics_example_org"}[1m])))
+ # metric-config.object.requests-per-second.prometheus/per-replica: "true"
+ # metric-config.object.requests-per-second.skipper/interval: "1s"
+ metric-config.external.prometheus-query.prometheus/prometheus-server: http://prometheus-operator-prometheus.monitoring.svc:9090
+ metric-config.external.prometheus-query.prometheus/processed-events-per-second: |
+ sum(rate(nginx_ingress_controller_nginx_process_connections_total{}[1m]))
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: custom-metrics-consumer
+ minReplicas: 1
+ maxReplicas: 10
+ metrics:
+ # - type: Resource
+ # resource:
+ # name: cpu
+ # current:
+ # averageUtilization: 50
+
+ - type: External
+ external:
+ metric:
+ name: prometheus-query
+ selector:
+ matchLabels:
+ query-name: processed-events-per-second
+ target:
+ type: AverageValue
+ averageValue: "1"
+
+ # - type: Pods
+ # pods:
+ # metric:
+ # name: queue-length
+ # target:
+ # averageValue: 10k
+ # type: AverageValue
+
+ # - type: Object
+ # object:
+ # describedObject:
+ # apiVersion: extensions/v1beta1
+ # kind: Ingress
+ # name: custom-metrics-consumer
+ # metric:
+ # name: requests-per-second
+ # target:
+ # averageValue: "10"
+ # type: AverageValue
+ # - type: External
+ # external:
+ # metric:
+ # name: sqs-queue-length
+ # selector:
+ # matchLabels:
+ # queue-name: foobar
+ # region: eu-central-1
+ # target:
+ # averageValue: "30"
+ # type: AverageValue
diff --git a/old/kubernetes/helm/kube-metrics-adapter/values.yaml b/old/kubernetes/helm/kube-metrics-adapter/values.yaml
new file mode 100644
index 000000000..e1489f083
--- /dev/null
+++ b/old/kubernetes/helm/kube-metrics-adapter/values.yaml
@@ -0,0 +1,5 @@
+image:
+ tag: v0.1.2
+
+aws:
+ region: us-east-1
diff --git a/old/kubernetes/helm/nginx-ingress/.gitignore b/old/kubernetes/helm/nginx-ingress/.gitignore
new file mode 100644
index 000000000..d39cf4024
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/.gitignore
@@ -0,0 +1 @@
+templated-output.yaml
diff --git a/old/kubernetes/helm/nginx-ingress/Chart.yaml b/old/kubernetes/helm/nginx-ingress/Chart.yaml
new file mode 100644
index 000000000..13c5c8882
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+version: 1.33.4
+appVersion: 0.30.0
+description: An nginx Ingress controller that uses ConfigMap to store the nginx configuration.
+name: nginx-ingress
+
+dependencies:
+- name: nginx-ingress
+ version: 1.33.4
+ repository: https://kubernetes-charts.storage.googleapis.com/
diff --git a/old/kubernetes/helm/nginx-ingress/Makefile b/old/kubernetes/helm/nginx-ingress/Makefile
new file mode 100644
index 000000000..c065c3e8f
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/Makefile
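Review bot: `apiVersion: autoscaling/v2beta2` at the top of this hunk is a beta API that was removed in Kubernetes 1.26 in favour of `autoscaling/v2`, whose External metric shape matches what this file already uses, so the only edit needed for current clusters is the apiVersion line. The commented Object example further down references `extensions/v1beta1` Ingress, which is likewise gone from current clusters; `networking.k8s.io/v1` replaces it. Whether either matters depends on the cluster versions this `old/` tree still targets.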
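Review bot: `repository: https://kubernetes-charts.storage.googleapis.com/` in Chart.yaml points at the original helm/charts stable bucket, which was shut down in late 2020 (the read-only mirror is `https://charts.helm.sh/stable`), so the `build-dependency` target in the next hunk will only succeed while the vendored `charts/nginx-ingress-1.33.4.tgz` added by this commit is present. `stable/nginx-ingress` itself is deprecated in favour of the `ingress-nginx` project's chart, and `appVersion: 0.30.0` is an old controller release; a comment above `dependencies:` recording that, e.g. `# Frozen: stable/nginx-ingress is deprecated and its repo is archived; see ingress-nginx/ingress-nginx for current deployments`, would save the next reader a failed `helm dependency update`. `requirements.lock` in a later hunk records the same repository URL.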
@@ -0,0 +1,52 @@
+HELM_BINARY?=helm
+KUBECTL_BINARY?=kubectl
+KUBECONFIG?=~/.kube/config
+KUBE_NAMESPACE?=ingress
+
+APPLICATION_NAME=nginx-ingress
+
+BASE_PATH=.
+
+APPLCATION_CHART_NAME=stable/nginx-ingress
+
+BASE_VALUES_FILE?=values.yaml
+VALUES_FILE?=values-${ENVIRONMENT}.yaml
+
+TEMPLATE_OUTPUT_FILE?=./templated-output.yaml
+
+apply:
+ ${HELM_BINARY} upgrade -i ${APPLICATION_NAME} ./ --wait \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${VALUES_FILE}
+
+template:
+ ${HELM_BINARY} template ${APPLICATION_NAME} ./ --wait \
+ --namespace ${KUBE_NAMESPACE} \
+ --values ${VALUES_FILE}
+
+delete:
+ ${HELM_BINARY} --namespace ${KUBE_NAMESPACE} delete ${APPLICATION_NAME}
+
+build-dependency:
+ ${HELM_BINARY} dependency build
+
+list:
+ ${HELM_BINARY} list
+
+internal-template:
+ make APPLICATION_NAME=internal VALUES_FILE=environments/${ENVIRONMENT}/values-internal.yaml template
+
+internal-apply:
+ make APPLICATION_NAME=internal VALUES_FILE=environments/${ENVIRONMENT}/values-internal.yaml apply
+
+internal-delete:
+ make APPLICATION_NAME=internal VALUES_FILE=environments/${ENVIRONMENT}/values-internal.yaml delete
+
+external-template:
+ make APPLICATION_NAME=external VALUES_FILE=environments/${ENVIRONMENT}/values-external.yaml template
+
+external-apply:
+ make APPLICATION_NAME=external VALUES_FILE=environments/${ENVIRONMENT}/values-external.yaml apply
+
+external-delete:
+ make APPLICATION_NAME=external VALUES_FILE=environments/${ENVIRONMENT}/values-external.yaml delete
diff --git a/old/kubernetes/helm/nginx-ingress/README.md b/old/kubernetes/helm/nginx-ingress/README.md
new file mode 100644
index 000000000..0e0909d24
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/README.md
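Review bot: `KUBECONFIG?=~/.kube/config` and `KUBECTL_BINARY` are declared but never passed to helm, so `make ENVIRONMENT=prod external-apply` upgrades whatever kube context happens to be active; threading `--kubeconfig ${KUBECONFIG}` (or a `--kube-context` derived from `ENVIRONMENT`) into the `apply`, `template` and `delete` recipes would make the cluster selection as explicit as the values selection. `VALUES_FILE?=values-${ENVIRONMENT}.yaml` silently becomes `values-.yaml` when `ENVIRONMENT` is unset and only fails later inside helm; `ENVIRONMENT ?= $(error ENVIRONMENT is not set)` fails fast the first time the variable is expanded while still honouring a command-line override. The recursive targets should invoke `$(MAKE)` rather than `make`, `--wait` is an install/upgrade flag that `helm template` ignores or rejects depending on the Helm version, and `APPLCATION_CHART_NAME` is misspelled and unused.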
@@ -0,0 +1,59 @@
+nginx-ingress
+===============
+
+Source helm chart: https://github.com/helm/charts/tree/master/stable/nginx-ingress
+
+# Topology this creates
+
+![nginx ingress traffic flow](./diagrams/nginx-ingress-diagram.png)
+
+# Why an external and internal nginx-ingress?
+The `internal` is set with to us an internal ELB. This ELB will have an private
+IP address reachable only from your internal network.
+
+The `external` has a public IP address that is reachable from anywhere from
+the internet.
+
+Launching both of these will create two setups of the above diagram. The external
+setup is usually for your traffic to your application that you want external
+users to be able to access (like your customers).
+
+The internal setup is for internal items which internal users should only have
+access to such as employees. Items like Prometheus monitoring, Grafana, or
+any other internal only applications you are running on the cluster.
+
+# Usage:
+
+## internal
+
+### template
+```
+make ENVIRONMENT=dev internal-template
+```
+
+### apply
+```
+make ENVIRONMENT=dev internal-apply
+```
+
+### delete
+```
+make ENVIRONMENT=dev internal-delete
+```
+
+## external
+
+### template
+```
+make ENVIRONMENT=dev external-template
+```
+
+### apply
+```
+make ENVIRONMENT=dev external-apply
+```
+
+### delete
+```
+make ENVIRONMENT=dev external-delete
+```
diff --git a/old/kubernetes/helm/nginx-ingress/charts/nginx-ingress-1.33.4.tgz b/old/kubernetes/helm/nginx-ingress/charts/nginx-ingress-1.33.4.tgz
new file mode 100644
index 000000000..1a3b6d160
Binary files /dev/null and b/old/kubernetes/helm/nginx-ingress/charts/nginx-ingress-1.33.4.tgz differ
diff --git a/old/kubernetes/helm/nginx-ingress/diagrams/nginx-ingress-diagram.png b/old/kubernetes/helm/nginx-ingress/diagrams/nginx-ingress-diagram.png
new file mode 100644
index 000000000..81f9a09d0
Binary files /dev/null and b/old/kubernetes/helm/nginx-ingress/diagrams/nginx-ingress-diagram.png differ
diff --git a/old/kubernetes/helm/nginx-ingress/diagrams/nginx-ingress-diagram.svg b/old/kubernetes/helm/nginx-ingress/diagrams/nginx-ingress-diagram.svg new file mode 100644 index 000000000..e42ff5808 --- /dev/null +++ b/old/kubernetes/helm/nginx-ingress/diagrams/nginx-ingress-diagram.svg @@ -0,0 +1,385 @@ +
HTTP:80/HTTPS:443
HTTP:80/HTTPS:443
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
HTTP
User/Internet
ELB
Nginx Ingress
Service 1
Service 2
Service 3
Pod 1
Pod 2
Pod 1
Pod 2
Pod 1
Pod 2
\ No newline at end of file
diff --git a/old/kubernetes/helm/nginx-ingress/environments/dev/values-external.yaml b/old/kubernetes/helm/nginx-ingress/environments/dev/values-external.yaml
new file mode 100644
index 000000000..01fa20746
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/dev/values-external.yaml
@@ -0,0 +1,14 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-external
+ ingressClass: nginx-external
+
+ # service:
+ # annotations:
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ # Whitelisting IPs inbound
+ # loadBalancerSourceRanges:
+ # # Temporary ManagedKube
+ # - 38.30.8.138/32
+ # - 1.1.1.1/32
diff --git a/old/kubernetes/helm/nginx-ingress/environments/dev/values-internal.yaml b/old/kubernetes/helm/nginx-ingress/environments/dev/values-internal.yaml
new file mode 100644
index 000000000..261067079
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/dev/values-internal.yaml
@@ -0,0 +1,9 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-internal
+ ingressClass: nginx-internal
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
diff --git a/old/kubernetes/helm/nginx-ingress/environments/gke-dev/values-external.yaml b/old/kubernetes/helm/nginx-ingress/environments/gke-dev/values-external.yaml
new file mode 100644
index 000000000..01fa20746
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/gke-dev/values-external.yaml
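Review bot: In `dev/values-internal.yaml` the `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation is set without `service.beta.kubernetes.io/aws-load-balancer-ssl-ports`; for the in-tree AWS provider the ssl-ports default is all listeners, so as I read it both the 80 and 443 listeners become TLS listeners carrying this certificate and plain-HTTP clients on port 80 stop working. Adding `service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"` scopes the certificate to the HTTPS listener, and since the ELB then terminates TLS, the chart's AWS example also sets `controller.service.targetPorts.https: http` so the decrypted traffic reaches nginx's HTTP port rather than its TLS port — worth confirming against the chart version vendored here. The same active annotation pair recurs in `kind/values-internal.yaml`, `prod/values-external.yaml`, `prod/values-internal.yaml` and the qa and staging files in the following hunks; the `11111111111` account id marks the ARN as a placeholder to be filled per environment.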
@@ -0,0 +1,14 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-external
+ ingressClass: nginx-external
+
+ # service:
+ # annotations:
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ # Whitelisting IPs inbound
+ # loadBalancerSourceRanges:
+ # # Temporary ManagedKube
+ # - 38.30.8.138/32
+ # - 1.1.1.1/32
diff --git a/old/kubernetes/helm/nginx-ingress/environments/gke-dev/values-internal.yaml b/old/kubernetes/helm/nginx-ingress/environments/gke-dev/values-internal.yaml
new file mode 100644
index 000000000..2b5bb064d
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/gke-dev/values-internal.yaml
@@ -0,0 +1,8 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-internal
+ ingressClass: nginx-internal
+
+ service:
+ annotations:
+ cloud.google.com/load-balancer-type: "Internal"
diff --git a/old/kubernetes/helm/nginx-ingress/environments/kind/values-external.yaml b/old/kubernetes/helm/nginx-ingress/environments/kind/values-external.yaml
new file mode 100644
index 000000000..50bee142c
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/kind/values-external.yaml
@@ -0,0 +1,20 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-external
+ ingressClass: nginx-external
+
+ # service:
+ # annotations:
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ # Whitelisting IPs inbound
+ # loadBalancerSourceRanges:
+ # # Temporary ManagedKube
+ # - 38.30.8.138/32
+ # - 1.1.1.1/32
+
+ service:
+ type: NodePort
+ nodePorts:
+ http: "30080"
+ https: "30443"
diff --git a/old/kubernetes/helm/nginx-ingress/environments/kind/values-internal.yaml b/old/kubernetes/helm/nginx-ingress/environments/kind/values-internal.yaml
new file mode 100644
index 000000000..08712a405
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/kind/values-internal.yaml
@@ -0,0 +1,14 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-internal
+ ingressClass: nginx-internal
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ type: NodePort
+ nodePorts:
+ http: "31080"
+ https: "31443"
diff --git a/old/kubernetes/helm/nginx-ingress/environments/prod/values-external.yaml b/old/kubernetes/helm/nginx-ingress/environments/prod/values-external.yaml
new file mode 100644
index 000000000..811864000
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/prod/values-external.yaml
@@ -0,0 +1,14 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-external
+ ingressClass: nginx-external
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ # Whitelisting IPs inbound
+ # loadBalancerSourceRanges:
+ # # Temporary ManagedKube
+ # - 38.30.8.138/32
+ # - 1.1.1.1/32
diff --git a/old/kubernetes/helm/nginx-ingress/environments/prod/values-internal.yaml b/old/kubernetes/helm/nginx-ingress/environments/prod/values-internal.yaml
new file mode 100644
index 000000000..261067079
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/prod/values-internal.yaml
@@ -0,0 +1,9 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-internal
+ ingressClass: nginx-internal
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
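Review bot: `kind/values-internal.yaml` keeps the two `service.beta.kubernetes.io/aws-load-balancer-*` annotations even though the same file switches the service to `type: NodePort` for a local kind cluster, so the AWS annotations are dead configuration there and, because they include an ACM ARN, make the file look cloud-bound when it is not. Dropping the `annotations:` block from the kind variant (the `type`/`nodePorts` settings are the only ones kind honours) keeps the environment files honest about what each one actually configures.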
diff --git a/old/kubernetes/helm/nginx-ingress/environments/qa/values-external.yaml b/old/kubernetes/helm/nginx-ingress/environments/qa/values-external.yaml
new file mode 100644
index 000000000..811864000
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/qa/values-external.yaml
@@ -0,0 +1,14 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-external
+ ingressClass: nginx-external
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ # Whitelisting IPs inbound
+ # loadBalancerSourceRanges:
+ # # Temporary ManagedKube
+ # - 38.30.8.138/32
+ # - 1.1.1.1/32
diff --git a/old/kubernetes/helm/nginx-ingress/environments/qa/values-internal.yaml b/old/kubernetes/helm/nginx-ingress/environments/qa/values-internal.yaml
new file mode 100644
index 000000000..261067079
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/qa/values-internal.yaml
@@ -0,0 +1,9 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-internal
+ ingressClass: nginx-internal
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
diff --git a/old/kubernetes/helm/nginx-ingress/environments/staging/values-external.yaml b/old/kubernetes/helm/nginx-ingress/environments/staging/values-external.yaml
new file mode 100644
index 000000000..811864000
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/staging/values-external.yaml
@@ -0,0 +1,14 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-external
+ ingressClass: nginx-external
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
+
+ # Whitelisting IPs inbound
+ # loadBalancerSourceRanges:
+ # # Temporary ManagedKube
+ # - 38.30.8.138/32
+ # - 1.1.1.1/32
diff --git a/old/kubernetes/helm/nginx-ingress/environments/staging/values-internal.yaml b/old/kubernetes/helm/nginx-ingress/environments/staging/values-internal.yaml
new file mode 100644
index 000000000..261067079
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/environments/staging/values-internal.yaml
@@ -0,0 +1,9 @@
+nginx-ingress:
+ controller:
+ electionID: ingress-controller-leader-internal
+ ingressClass: nginx-internal
+
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
+ service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:11111111111:certificate/1111111-1111-1111-1111-111111111"
diff --git a/old/kubernetes/helm/nginx-ingress/mermaid/nginx-ingress-diagram-flow.txt b/old/kubernetes/helm/nginx-ingress/mermaid/nginx-ingress-diagram-flow.txt
new file mode 100644
index 000000000..22c3a2293
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/mermaid/nginx-ingress-diagram-flow.txt
@@ -0,0 +1,15 @@
+graph TD
+A[User/Internet] -->|HTTP:80/HTTPS:443| B[ELB]
+B --> |HTTP:80/HTTPS:443| C[Nginx Ingress]
+C -->|HTTP| D[Service 1]
+C -->|HTTP| E[Service 2]
+C -->|HTTP| F[Service 3]
+
+D -->|HTTP| G[Pod 1]
+D -->|HTTP| H[Pod 2]
+
+E -->|HTTP| I[Pod 1]
+E -->|HTTP| J[Pod 2]
+
+F -->|HTTP| K[Pod 1]
+F -->|HTTP| L[Pod 2]
diff --git a/old/kubernetes/helm/nginx-ingress/namespace.yaml b/old/kubernetes/helm/nginx-ingress/namespace.yaml
new file mode 100644
index 000000000..56903e1f7
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress
+ labels:
+ name: ingress
diff --git a/old/kubernetes/helm/nginx-ingress/namespaces/namespace.yaml b/old/kubernetes/helm/nginx-ingress/namespaces/namespace.yaml
new file mode 100644
index 000000000..a2025500e
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/namespaces/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingress
+ labels:
+ name: ingress
diff --git a/old/kubernetes/helm/nginx-ingress/requirements.lock b/old/kubernetes/helm/nginx-ingress/requirements.lock
new file mode 100644
index 000000000..a9b6769b6
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: nginx-ingress
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ version: 1.33.4
+digest: sha256:e41cf4da7f6c9d890f56034927595867f27bdb7e8c96b147efa4effc725dc88e
+generated: "2020-03-09T06:45:36.579364997-07:00"
diff --git a/old/kubernetes/helm/nginx-ingress/test/go.mod b/old/kubernetes/helm/nginx-ingress/test/go.mod
new file mode 100644
index 000000000..85d45cd8e
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.12
+
+require (
+ github.com/gruntwork-io/terratest v0.26.0
+ k8s.io/api v0.17.4
+)
diff --git a/old/kubernetes/helm/nginx-ingress/test/go.sum b/old/kubernetes/helm/nginx-ingress/test/go.sum
new file mode 100644
index 000000000..cb9cc635e
--- /dev/null
+++ b/old/kubernetes/helm/nginx-ingress/test/go.sum
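Review bot: `namespace.yaml` and `namespaces/namespace.yaml` in this commit define the same `ingress` Namespace (the second differs only by a leading `---` document separator), so one copy is redundant and the two will drift; keep a single file. Nothing in the Makefile hunk above applies either manifest, yet `KUBE_NAMESPACE?=ingress` assumes the namespace exists before `helm upgrade -i` runs, so a `namespace:` target such as `${KUBECTL_BINARY} apply -f namespace.yaml` that `apply` depends on, or `--create-namespace` on the helm command if Helm 3 is assumed, would close that gap and also give `KUBECTL_BINARY` a use.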
@@ -0,0 +1,552 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod 
h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/azure/auth v0.4.2/go.mod h1:90gmfKdlmKgfjUpnCEpOJzsUEjrWDSLwHIG73tSXddM= +github.com/Azure/go-autorest/autorest/azure/cli v0.3.1/go.mod h1:ZG5p860J94/0kI9mNJVoIoLgXcirM2gF5i2kWloofxw= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.2.0/go.mod h1:3EEqHnBxQGHXRYq3HT1WyXAvT7LLY3tl70hw6tQIbjI= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= 
+github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode 
v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= 
+github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod 
h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c h1:ZfSZ3P3BedhKGUhzj7BQlPSU4OvT6tfOKe3DVHzOA7s= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 
h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d h1:3PaI8p3seN09VjbTYC/QWlUZdZ1qS1zGjy7LH2Wt07I= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod 
h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod 
h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.3.1 h1:WeAefnSUHlBb0iJKwxFDZdbfGwkd7xRNuV+IpXMJhYk= +github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/gruntwork-cli v0.5.1 h1:mVmVsFubUSLSCO8bGigI63HXzvzkC0uWXzm4dd9pXRg= +github.com/gruntwork-io/gruntwork-cli v0.5.1/go.mod h1:IBX21bESC1/LGoV7jhXKUnTQTZgQ6dYRsoj/VqxUSZQ= +github.com/gruntwork-io/terratest v0.26.0 h1:RFDr6nh/zn3rN1bZjZ9kYrEXIKof5T0AMEjgn+tXETw= +github.com/gruntwork-io/terratest v0.26.0/go.mod h1:ONEOU6Fv3a1rN16Z5t5yWbV57DkVC7665yRyvu3aWnk= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hpcloud/tail 
v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8 h1:QiWkFLKq0T7mpzwOTu6BzNDbfTE8OLrYhVKYMLF46Ok= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool 
v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= 
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod 
h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= 
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/shopspring/decimal v0.0.0-20200105231215-408a2507e114/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= +github.com/shurcooL/sanitized_anchor_name v1.0.0 
h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify 
v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1 h1:+mkCCcOFKPnCmVYVcURKps1Xe+3zP90gSYGNfRkjoIY= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto 
v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200109152110-61a87790db17 h1:nVJ3guKA9qdkEQ3TUdXI9QSINo2CUPM/cySEvw2w8I0= +golang.org/x/crypto v0.0.0-20200109152110-61a87790db17/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp 
v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod 
h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys 
v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200107162124-548cf772de50 h1:YvQ10rzcqWXLlJZ3XCUoO25savxmscf4+SC+ZqiCHhA= +golang.org/x/sys v0.0.0-20200107162124-548cf772de50/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod 
h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools 
v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20200113040837-eac381796e91/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum 
v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod 
h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200108215221-bd8f9a0ef82f/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod 
h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.17.4 h1:HbwOhDapkguO8lTAE8OX3hdF2qp8GtpC9CW/MQATXXo= +k8s.io/api v0.17.4/go.mod h1:5qxx6vjmwUVG2nHQTKGlLts8Tbok8PzHl4vHtVFuZCA= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.17.4 h1:UzM+38cPUJnzqSQ+E1PY4YxMHIzQyCg29LOoGfo79Zw= +k8s.io/apimachinery v0.17.4/go.mod h1:gxLnyZcGNdZTCLnq3fgzyg2A5BVCHTNDFrw8AmuJ+0g= 
+k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0 h1:8QOGvUGdqDMFrm9sD6IUFl256BcffynGoe80sxgTEDg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kubernetes v1.11.10/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f h1:GiPwtSzdP43eI1hpPCbROQCCIgCuiMMNF8YUVLF3vJo= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod 
h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= diff --git a/old/kubernetes/helm/nginx-ingress/test/integration_controller_deployment_test.go b/old/kubernetes/helm/nginx-ingress/test/integration_controller_deployment_test.go new file mode 100644 index 000000000..2c5c62043 --- /dev/null +++ b/old/kubernetes/helm/nginx-ingress/test/integration_controller_deployment_test.go 
@@ -0,0 +1,81 @@ +package test + +import ( + "fmt" + "strings" + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/gruntwork-io/terratest/modules/random" +) + +func TestPodDeploysContainerImageHelmTemplateEngine(t *testing.T) { + // Path to the helm chart we will test + helmChartPath := "../" + + // To ensure we can reuse the resource config on the same cluster to test different scenarios, we setup a unique + // namespace for the resources for this test. + // Note that namespaces must be lowercase. + namespaceName := fmt.Sprintf("kubernetes-ops-integration-test-nginx-ingress-%s", strings.ToLower(random.UniqueId())) + + // Setup the kubectl config and context. Here we choose to use the defaults, which is: + // - HOME/.kube/config for the kubectl config file + // - Current context of the kubectl config file + kubectlOptions := k8s.NewKubectlOptions("", "", namespaceName) + + // Create a namespace for this test deployment + k8s.CreateNamespace(t, kubectlOptions, namespaceName) + + // Delete the namespace at the end of the test + defer k8s.DeleteNamespace(t, kubectlOptions, namespaceName) + + // Setup the args + // We use a fullnameOverride so we can find the Pod later during verification + releaseName := fmt.Sprintf("nginx-ingress-test-%s", strings.ToLower(random.UniqueId())) + options := &helm.Options{ + SetValues: map[string]string{ + "nginx-ingress.controller.image.repository": "quay.io/kubernetes-ingress-controller/nginx-ingress-controller", + "nginx-ingress.controller.image.tag": "0.30.0", + "fullnameOverride": releaseName, + }, + KubectlOptions: kubectlOptions, + } + + // Helm install the chart + helm.Install(t, options, helmChartPath, releaseName) + + // Delete the resources at the end of the test + defer helm.Delete(t, options, releaseName, false) + + // Now that the chart is deployed, verify the deployment. 
This function will open a tunnel to the Pod and hit the + // nginx container endpoint. + // verifyNginxPod(t, kubectlOptions, podName) +} + +// verifyNginxPod will open a tunnel to the Pod and hit the endpoint to verify the nginx welcome page is shown. +// func verifyNginxPod(t *testing.T, kubectlOptions *k8s.KubectlOptions, podName string) { +// // Wait for the pod to come up. It takes some time for the Pod to start, so retry a few times. +// retries := 15 +// sleep := 5 * time.Second +// k8s.WaitUntilPodAvailable(t, kubectlOptions, podName, retries, sleep) + +// // We will first open a tunnel to the pod, making sure to close it at the end of the test. +// tunnel := k8s.NewTunnel(kubectlOptions, k8s.ResourceTypePod, podName, 0, 80) +// defer tunnel.Close() +// tunnel.ForwardPort(t) + +// // ... and now that we have the tunnel, we will verify that we get back a 200 OK with the nginx welcome page. +// // It takes some time for the Pod to start, so retry a few times. +// endpoint := fmt.Sprintf("http://%s", tunnel.Endpoint()) +// http_helper.HttpGetWithRetryWithCustomValidation( +// t, +// endpoint, +// nil, +// retries, +// sleep, +// func(statusCode int, body string) bool { +// return statusCode == 200 && strings.Contains(body, "Welcome to nginx") +// }, +// ) +// } diff --git a/old/kubernetes/helm/nginx-ingress/test/template_controller_configmap_test.go b/old/kubernetes/helm/nginx-ingress/test/template_controller_configmap_test.go new file mode 100644 index 000000000..2466e5dd8 --- /dev/null +++ b/old/kubernetes/helm/nginx-ingress/test/template_controller_configmap_test.go 
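Review bot: TestPodDeploysContainerImageHelmTemplateEngine installs the chart but verifies nothing — the only check, `verifyNginxPod`, is commented out together with its call at the end of the test, so the test passes whenever `helm.Install` does not error. Either restore the verification (the commented body also needs `time` and `http_helper` imports and a `podName` that is never computed anywhere in the file) or rename the test so it does not claim to verify the container image. The image tag `"0.30.0"` is repeated verbatim in template_controller_deployment_test.go; a shared constant would keep the two in step.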
@@ -0,0 +1,37 @@ +package test + +import ( + "testing" + + "github.com/gruntwork-io/terratest/modules/helm" + corev1 "k8s.io/api/core/v1" +) + +func TestControllerConfigmapTemplateRendersProxyBodySize(t *testing.T) { + // Path to the helm chart we will test + helmChartPath := "../" + + // Setup the args + options := &helm.Options{ + SetValues: map[string]string{ + "nginx-ingress.controller.config.proxy-body-size": "8m", + }, + } + + releaseName := "nginx-ingress" + + // Run RenderTemplate to render the template and capture the output. + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"charts/nginx-ingress/templates/controller-configmap.yaml"}) + + // Now we use kubernetes/client-go library to render the template output into the struct. + var configmap corev1.ConfigMap + helm.UnmarshalK8SYaml(t, output, &configmap) + + // // Verify the spec is set to the expected value + expectedValue := "8m" + cm := configmap.Data + if cm["proxy-body-size"] != expectedValue { + t.Fatalf("Rendered container image (%s) is not expected (%s)", cm["proxy-body-size"], expectedValue) + } + +} diff --git a/old/kubernetes/helm/nginx-ingress/test/template_controller_deployment_test.go b/old/kubernetes/helm/nginx-ingress/test/template_controller_deployment_test.go new file mode 100644 index 000000000..aa35277d0 --- /dev/null +++ b/old/kubernetes/helm/nginx-ingress/test/template_controller_deployment_test.go 
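Review bot: The `t.Fatalf` message reports "Rendered container image" although the assertion compares `proxy-body-size`, so a failing run points at the wrong field; change it to `t.Fatalf("Rendered proxy-body-size (%s) is not expected (%s)", cm["proxy-body-size"], expectedValue)`. The literal `"8m"` is written twice (in `SetValues` and again as `expectedValue`); deriving one from the other keeps them from drifting. The doubled `// //` comment marker above the check looks like an editing leftover.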
@@ -0,0 +1,66 @@ +package test + +import ( + "testing" + + appsv1 "k8s.io/api/apps/v1" + + "github.com/gruntwork-io/terratest/modules/helm" +) + +func TestDeploymentTemplateRendersContainerImage(t *testing.T) { + // Path to the helm chart we will test + helmChartPath := "../" + + // Setup the args + options := &helm.Options{ + SetValues: map[string]string{ + "nginx-ingress.controller.image.repository": "quay.io/kubernetes-ingress-controller/nginx-ingress-controller", + "nginx-ingress.controller.image.tag": "0.30.0", + }, + } + + releaseName := "nginx-ingress" + + // Run RenderTemplate to render the template and capture the output. + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"charts/nginx-ingress/templates/controller-deployment.yaml"}) + + // Now we use kubernetes/client-go library to render the template output into the struct + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(t, output, &deployment) + + // Verify the spec is set to the expected value + expectedContainerImage := "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0" + podContainers := deployment.Spec.Template.Spec.Containers + if podContainers[0].Image != expectedContainerImage { + t.Fatalf("Rendered container image (%s) is not expected (%s)", podContainers[0].Image, expectedContainerImage) + } + +} + +func TestDeploymentTemplateRendersServiceAccountName(t *testing.T) { + // Path to the helm chart we will test + helmChartPath := "../" + + // Setup the args + options := &helm.Options{ + SetValues: map[string]string{}, + } + + releaseName := "nginx-ingress" + + // Run RenderTemplate to render the template and capture the output. + output := helm.RenderTemplate(t, options, helmChartPath, releaseName, []string{"charts/nginx-ingress/templates/controller-deployment.yaml"}) + + // Now we use kubernetes/client-go library to render the template output into the struct. 
+ var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(t, output, &deployment) + + // Verify the spec is set to the expected value + expectedServiceAccountName := "nginx-ingress" + deploymentSpec := deployment.Spec.Template.Spec + if deploymentSpec.ServiceAccountName != expectedServiceAccountName { + t.Fatalf("Rendered container image (%s) is not expected (%s)", deploymentSpec.ServiceAccountName, expectedServiceAccountName) + } + +} diff --git a/old/kubernetes/helm/nginx-ingress/values.yaml b/old/kubernetes/helm/nginx-ingress/values.yaml new file mode 100644 index 000000000..50cfc4aa7 --- /dev/null +++ b/old/kubernetes/helm/nginx-ingress/values.yaml 
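Review bot: `podContainers[0].Image` in TestDeploymentTemplateRendersContainerImage indexes the container list without checking it is non-empty, so a template that renders no containers panics instead of failing with a readable message; guard it with `if len(podContainers) == 0 { t.Fatalf("rendered deployment has no containers") }` before the comparison. In TestDeploymentTemplateRendersServiceAccountName the `t.Fatalf` text says "Rendered container image" while the assertion is about `ServiceAccountName`; reword it to name the field being checked.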
@@ -0,0 +1,66 @@ +nginx-ingress: + controller: + replicaCount: 2 + ## Name of the ingress class to route through this controller + ## + # ingressClass: nginx-external + + service: + omitClusterIP: true + enableHttp: true + enableHttps: true + targetPorts: + http: http + https: https + # + # annotations: + # service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl" + + config: + # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-ciphers + # ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#ssl-protocols + # ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2" + proxy-body-size: 10m + + publishService: + enabled: true + + metrics: + enabled: true + service: + omitClusterIP: true + serviceMonitor: + enabled: true + additionalLabels: + release: monitoring-prometheus-operator + + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: component + operator: In + values: + - controller + topologyKey: "kubernetes.io/hostname" + + defaultBackend: + replicaCount: 2 + + 
service: + omitClusterIP: true + + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: component + operator: In + values: + - default-backend + topologyKey: "kubernetes.io/hostname" diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/.gitignore b/old/kubernetes/helm/prometheus-blackbox-exporter/.gitignore new file mode 100644 index 000000000..d39cf4024 --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/.gitignore @@ -0,0 +1 @@ +templated-output.yaml diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/Chart.yaml b/old/kubernetes/helm/prometheus-blackbox-exporter/Chart.yaml new file mode 100644 index 000000000..0669aff5f --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +description: Prometheus Blackbox Exporter +name: prometheus-blackbox-exporter +version: 0.3.0 +appVersion: 0.14.0 +home: https://github.com/prometheus/blackbox_exporter +sources: + - https://github.com/prometheus/blackbox_exporter +keywords: + - prometheus + - blackbox + - monitoring +maintainers: + - name: gianrubio + email: gianrubio@gmail.com diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/Makefile b/old/kubernetes/helm/prometheus-blackbox-exporter/Makefile new file mode 100644 index 000000000..56f30297c --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/Makefile 
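Review bot: The commented-out `ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"` and `ssl-ciphers` examples under `config` would, if someone uncomments them as-is, re-enable TLS 1.0/1.1 and a cipher list containing non-forward-secret AES-SHA suites, 3DES (`DES-CBC3-SHA`) and CAMELLIA, which is weaker than the controller's current defaults. Since these lines are only examples, either drop them or label them so they are not copied verbatim, e.g. `# Example only — looser than the controller default; prefer TLSv1.2+ and the default cipher list`. `proxy-body-size: 10m` is the only value actually set here, and the tests in this commit override it to `8m`, so a short comment on why 10m was chosen would help the next reader.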
@@ -0,0 +1,56 @@ +HELM_BINARY?=helm +KUBECTL_BINARY?=kubectl +KUBECONFIG?=~/.kube/config +KUBE_NAMESPACE?=monitoring + +APPLICATION_NAME=prometheus-blackbox-exporter + +BASE_PATH=. + +APPLCATION_CHART_NAME=stable/prometheus-blackbox-exporter + +BASE_VALUES_FILE?=values.yaml +VALUES_FILE?=values.yaml + +TEMPLATE_OUTPUT_FILE?=./templated-output.yaml + +apply: + ${HELM_BINARY} template \ + --namespace ${KUBE_NAMESPACE} \ + --name ${APPLICATION_NAME} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} \ + ./ > ${TEMPLATE_OUTPUT_FILE} + kubectl --namespace ${KUBE_NAMESPACE} apply -f ${TEMPLATE_OUTPUT_FILE} + +template: + ${HELM_BINARY} template \ + --namespace ${KUBE_NAMESPACE} \ + --name ${APPLICATION_NAME} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} \ + ./ + +delete: + ${HELM_BINARY} template \ + --namespace ${KUBE_NAMESPACE} \ + --name ${APPLICATION_NAME} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} \ + ./ > ${TEMPLATE_OUTPUT_FILE} + kubectl --namespace ${KUBE_NAMESPACE} delete -f ${TEMPLATE_OUTPUT_FILE} + +build-dependency: + helm dependency build + +list: + ${HELM_BINARY} list + +servicemonitor-template: + cat environments/${ENVIRONMENT}/servicemonitor.yaml + +servicemonitor-apply: + kubectl --namespace ${KUBE_NAMESPACE} apply -f environments/${ENVIRONMENT}/servicemonitor.yaml + +servicemonitor-delete: + kubectl --namespace ${KUBE_NAMESPACE} delete -f environments/${ENVIRONMENT}/servicemonitor.yaml diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/README.md b/old/kubernetes/helm/prometheus-blackbox-exporter/README.md new file mode 100644 index 000000000..737de96e5 --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/README.md 
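Review bot: The `servicemonitor-*` targets expand `${ENVIRONMENT}` with no default and no check, so a bare `make servicemonitor-apply` resolves to `environments//servicemonitor.yaml` and fails with an unhelpful kubectl error; add `@test -n "$(ENVIRONMENT)" || { echo "ENVIRONMENT is required (e.g. dev-us)"; exit 1; }` as the first recipe line of each of those targets (the README in this commit spells the variable `EVIRONMENT`, which would never set it). `apply`, `delete` and `build-dependency` call `kubectl` and `helm` literally although the file defines `KUBECTL_BINARY` and `HELM_BINARY` for that purpose, and `KUBECONFIG` is defined but never passed to either tool. `APPLCATION_CHART_NAME` is misspelled and unused.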
@@ -0,0 +1,67 @@ +Prometheus Blackbox Exporter +============================ + +Source project: https://github.com/prometheus/blackbox_exporter + +Helm Chart: https://github.com/helm/charts/tree/master/stable/prometheus-blackbox-exporter + +This tool helps us monitor URL endpoints and SSL certs. + + +# Usage: + +## Setup +This installs the Prometheus Blackbox monitor into the Kubernetes cluster. + +At this point, it is not monitoring anything + + +### Template + +``` +make template +``` + +### Install/update + +``` +make apply +``` + +### Delete + +``` +make delete +``` + +### Apply a monitor +This will apply the monitoring so that Prometheus will go and scrape the Blackbox +monitoring for items in the `servicemonitor`. + +You will need to create a `servicemonitor` file for each environment and for the +items you want to monitor. + +### Template + +``` +make EVIRONMENT=dev-us template +``` + +### Install/update + +``` +make EVIRONMENT=dev-us apply +``` + +### Delete + +``` +make EVIRONMENT=dev-us delete +``` + + +# Testing +You can port forward to the Prometheus Blackbox Exporter pod and query +for a result via this URL + +http://localhost:9115/probe?target=managedkube.com&module=http_2xx diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/charts/prometheus-blackbox-exporter-0.3.0.tgz b/old/kubernetes/helm/prometheus-blackbox-exporter/charts/prometheus-blackbox-exporter-0.3.0.tgz new file mode 100644 index 000000000..ad8b7de74 Binary files /dev/null and b/old/kubernetes/helm/prometheus-blackbox-exporter/charts/prometheus-blackbox-exporter-0.3.0.tgz differ diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/environments/dev-us/servicemonitor.yaml b/old/kubernetes/helm/prometheus-blackbox-exporter/environments/dev-us/servicemonitor.yaml new file mode 100644 index 000000000..721fa5cfc --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/environments/dev-us/servicemonitor.yaml 
@@ -0,0 +1,55 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + app: prometheus-blackbox-exporter + release: monitoring-prometheus-operator + name: prometheus-blackbox-exporter-1 +spec: + endpoints: + - interval: 30s + path: /probe + params: + target: + - www.managedkube.com/pages/healthcheck + port: http + scheme: http + scrapeTimeout: "10s" + metricRelabelings: + - sourceLabels: [] + targetLabel: target_url + replacement: www.managedkube.com/pages/healthcheck + namespaceSelector: + any: true + selector: + matchLabels: + app: prometheus-blackbox-exporter + +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + app: prometheus-blackbox-exporter + release: monitoring-prometheus-operator + name: prometheus-blackbox-exporter-2 +spec: + endpoints: + - interval: 30s + path: /probe + params: + target: + - www.managedkube.com + port: http + scheme: http + scrapeTimeout: "10s" + metricRelabelings: + - sourceLabels: [] + targetLabel: target_url + replacement: www.managedkube.com + namespaceSelector: + any: true + selector: + matchLabels: + app: prometheus-blackbox-exporter diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/requirements.lock b/old/kubernetes/helm/prometheus-blackbox-exporter/requirements.lock new file mode 100644 index 000000000..6a9790342 --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/requirements.lock @@ -0,0 +1,6 @@ +dependencies: +- name: prometheus-blackbox-exporter + repository: https://kubernetes-charts.storage.googleapis.com/ + version: 0.3.0 +digest: sha256:51c9e9ed66f6d5731e7330f749d72f17867fa4e74b6fdde6049c7c5e533c2b74 +generated: 2019-05-28T10:59:23.890793679-07:00 diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/requirements.yaml b/old/kubernetes/helm/prometheus-blackbox-exporter/requirements.yaml new file mode 100644 index 000000000..f06114548 --- /dev/null 
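Review bot: Both probe targets are written without a scheme (`www.managedkube.com/pages/healthcheck`, `www.managedkube.com`) and use the `http_2xx` module, so — assuming the blackbox exporter's behaviour of prefixing `http://` to scheme-less targets — these probes go over plain HTTP and never exercise the TLS certificate, although the README in this commit says the exporter is used to monitor SSL certs. If certificate monitoring is intended, write the targets as `https://www.managedkube.com/pages/healthcheck` so the TLS expiry metrics are populated. `scheme: http` and `port: http` on the endpoint describe how Prometheus reaches the exporter, not the target, so those are fine as they are.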
+++ b/old/kubernetes/helm/prometheus-blackbox-exporter/requirements.yaml @@ -0,0 +1,5 @@ +--- +dependencies: +- name: prometheus-blackbox-exporter + version: 0.3.0 + repository: https://kubernetes-charts.storage.googleapis.com/ diff --git a/old/kubernetes/helm/prometheus-blackbox-exporter/values.yaml b/old/kubernetes/helm/prometheus-blackbox-exporter/values.yaml new file mode 100644 index 000000000..a90500533 --- /dev/null +++ b/old/kubernetes/helm/prometheus-blackbox-exporter/values.yaml @@ -0,0 +1,17 @@ +--- +prometheus-blackbox-exporter: + resources: + limits: + memory: 300Mi + requests: + memory: 50Mi + + config: + modules: + http_2xx: + prober: http + timeout: 5s + http: + valid_http_versions: ["HTTP/1.1", "HTTP/2"] + no_follow_redirects: false + preferred_ip_protocol: "ip4" diff --git a/old/kubernetes/helm/prometheus-operator/.gitignore b/old/kubernetes/helm/prometheus-operator/.gitignore new file mode 100644 index 000000000..d39cf4024 --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/.gitignore @@ -0,0 +1 @@ +templated-output.yaml diff --git a/old/kubernetes/helm/prometheus-operator/Chart.yaml b/old/kubernetes/helm/prometheus-operator/Chart.yaml new file mode 100644 index 000000000..93cf7c0f4 --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +description: prometheus-operator +name: prometheus-operator +version: 8.11.1 +appVersion: 0.36.0 + +dependencies: +- name: prometheus-operator + version: 8.11.1 + repository: https://kubernetes-charts.storage.googleapis.com/ diff --git a/old/kubernetes/helm/prometheus-operator/Makefile b/old/kubernetes/helm/prometheus-operator/Makefile new file mode 100644 index 000000000..151ad5ffa --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/Makefile 
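Review bot: `no_follow_redirects: false` in the `http_2xx` module means a redirect chain is followed and the final 2xx counts as success, so a target that has been redirected elsewhere still probes as healthy; if the intent is to watch specific endpoints, consider `no_follow_redirects: true` together with an explicit `valid_status_codes` list, or at least note in a comment that redirects are accepted. `resources` sets memory requests/limits but no CPU request, so the pod is scheduled without any CPU reservation; `limits.memory: 300Mi` against `requests.memory: 50Mi` is a 6x gap that deserves a comment on where the numbers came from.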
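Review bot: This Chart.yaml declares `apiVersion: v1` but lists `dependencies` inline, a layout Helm defines for `apiVersion: v2` charts; with v1 the dependency is expected in `requirements.yaml`, which is how the sibling prometheus-blackbox-exporter chart in this same commit does it. Depending on the Helm version in use, `helm dependency build` may not pick this block up at all. Either switch to `apiVersion: v2` (Helm 3 only) or move the block into `requirements.yaml` for consistency with the other chart, and say which in a comment.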
@@ -0,0 +1,45 @@ +HELM_BINARY?=helm +KUBECTL_BINARY?=kubectl +KUBECONFIG?=~/.kube/config +KUBE_NAMESPACE?=monitoring + +APPLICATION_NAME=prometheus-operator + +BASE_PATH=. + +APPLCATION_CHART_NAME=stable/prometheus-operator + +BASE_VALUES_FILE?=values.yaml +VALUES_FILE?=environments/${ENVIRONMENT}/values.yaml + +TEMPLATE_OUTPUT_FILE?=/tmp/output.yaml + +apply: + ${HELM_BINARY} upgrade -i ${APPLICATION_NAME} ./ --wait \ + --namespace ${KUBE_NAMESPACE} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} + +template: + ${HELM_BINARY} template ${APPLICATION_NAME} ./ --wait \ + --namespace ${KUBE_NAMESPACE} \ + --values ${BASE_PATH}/${BASE_VALUES_FILE} \ + --values ${BASE_PATH}/${VALUES_FILE} + +delete: + ${HELM_BINARY} -n ${KUBE_NAMESPACE} delete ${APPLICATION_NAME} + +delete-crd: + # CRDs are added on install by default: `prometheusOperator.createCustomResource` + # https://github.com/helm/charts/tree/master/stable/prometheus-operator#uninstalling-the-chart + ${KUBECTL_BINARY} delete crd prometheuses.monitoring.coreos.com + ${KUBECTL_BINARY} delete crd prometheusrules.monitoring.coreos.com + ${KUBECTL_BINARY} delete crd servicemonitors.monitoring.coreos.com + ${KUBECTL_BINARY} delete crd podmonitors.monitoring.coreos.com + ${KUBECTL_BINARY} delete crd alertmanagers.monitoring.coreos.com + +dependency-build: + ${HELM_BINARY} dependency build + +list: + ${HELM_BINARY} list diff --git a/old/kubernetes/helm/prometheus-operator/README.md b/old/kubernetes/helm/prometheus-operator/README.md new file mode 100644 index 000000000..e68e7591f --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/README.md 
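Review bot: `delete-crd` removes the `monitoring.coreos.com` CRDs cluster-wide, which cascades into deleting every Prometheus, Alertmanager, ServiceMonitor, PodMonitor and PrometheusRule object in every namespace, not only this release's, while the other targets are scoped to `${KUBE_NAMESPACE}`; put an explicit confirmation in front of it, e.g. `@test "$(CONFIRM)" = yes || { echo "set CONFIRM=yes to delete monitoring.coreos.com CRDs and ALL their objects cluster-wide"; exit 1; }` as the first recipe line, and repeat the warning in the README. `template` passes `--wait`, which has no effect on `helm template` (it does not contact the cluster) and should be dropped. `delete` uses `-n` while the other targets use `--namespace`, and `KUBECONFIG` is defined but never passed to either tool.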
@@ -0,0 +1,49 @@ +Prometheus Operator Helm +========================= + +Helm Chart: https://github.com/helm/charts/tree/master/stable/prometheus-operator + + +# Usage + +## Install via Tiller + +``` +make KUBE_NAMESPACE=monitoring VALUES_FILE=values-example-env.yaml install +``` + +## Install via template +Without using a tiller + +``` +export KUBE_NAMESPACE= +make KUBE_NAMESPACE=${KUBE_NAMESPACE} VALUES_FILE=values-example-env.yaml template + +kubectl --namespace ${KUBE_NAMESPACE} apply -f /tmp/output.yaml +``` + +THis doesnt work, the namespaces are not inserted correctly + +# Deployment + +### template +``` +make ENVIRONMENT=dev-us template +``` + +### apply +``` +make ENVIRONMENT=dev-us install +``` + +### delete +``` +make ENVIRONMENT=dev-us delete +``` + +Prometheus creates Kubernetes CRDs which should be deleted to remove all Prometheus +traces: + +``` +make ENVIRONMENT=dev-us delete-crd +``` diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/cluster-health.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/cluster-health.yaml new file mode 100644 index 000000000..ecbdbd8e8 --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/alertrules/cluster-health.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + labels: + prometheus: k8s + role: alert-rules + app: prometheus-operator + release: monitoring-prometheus-operator + name: cluster-health.rules + namespace: monitoring +spec: + groups: + - name: kube.state.metric.pod + rules: + - alert: ExcessivePodsInPendingState + expr: count(kube_pod_status_phase{phase="Pending"} == 1) > 5 + for: 5m + labels: + severity: critical + annotations: + description: 'This can mean that there is not enough capacity in the cluster. Current + value: {{ $value }}' + summary: The number of pods in a pending state is over 10. This can also mean a node might be unavailable. 
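Review bot: The `ExcessivePodsInPendingState` expression fires at more than 5 Pending pods (`> 5`) but the `summary` annotation says "over 10", so the alert text contradicts the rule; pick one threshold and align both, e.g. `summary: The number of pods in a pending state is over 5. This can also mean a node might be unavailable.`. `count(kube_pod_status_phase{phase="Pending"} == 1)` returns no series rather than 0 when nothing is Pending, which is fine for an alert but worth a one-line comment so nobody "fixes" it. The group name `kube.state.metric.pod` is reused verbatim by every rule file in this commit, including ones about node load and disk; distinct, descriptive group names make the rule-group metrics and the Prometheus UI easier to read.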
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/cpu-rules.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/cpu-rules.yaml new file mode 100644 index 000000000..b4faa644c --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/alertrules/cpu-rules.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + labels: + prometheus: k8s + role: alert-rules + app: prometheus-operator + release: monitoring-prometheus-operator + name: cpu.rules + namespace: monitoring +spec: + groups: + - name: kube.state.metric.pod + rules: + - alert: NodeLoadAverage5minutes + expr: node_load5 > count(node_cpu{mode="idle"}) WITHOUT (cpu, mode) * 5 + for: 30m + labels: + severity: page + annotations: + description: '{{ $labels.instance }} 1m load average is: {{ $value }}).' + summary: Node 1 minute load average is high + - alert: NodeLoadAverage15minutes + expr: node_load15 > count(node_cpu{mode="idle"}) WITHOUT (cpu, mode) * 5 + for: 60m + labels: + severity: page + annotations: + description: '{{ $labels.instance }} 15m load average is: {{ $value }}).' + summary: Node 15 minute load average is high diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/disk-rules.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/disk-rules.yaml new file mode 100644 index 000000000..9c0c06c08 --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/alertrules/disk-rules.yaml 
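Review bot: Both expressions use `node_cpu{mode="idle"}`, the pre-0.16 node_exporter metric name; node_exporter 0.16 and later expose it as `node_cpu_seconds_total`, and disk-rules.yaml in this commit has the same problem with `node_filesystem_free`, `node_filesystem_size` and `node_boot_time` (now `_bytes`/`_seconds` variants). If the node-exporter deployed by prometheus-operator 8.11.1 is a current one, `count(...)` is empty, the comparison yields no series and neither alert can ever fire, silently. Check the exporter version actually running and rename accordingly, e.g. `expr: node_load5 > count(node_cpu_seconds_total{mode="idle"}) WITHOUT (cpu, mode) * 5`. Separately, the 5-minute alert's `description` and `summary` talk about a "1m load average", and both descriptions end with a stray `)`.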
@@ -0,0 +1,46 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: disk.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: DiskWillFillIn4Hours
+ expr: predict_linear(node_filesystem_free{job="node-exporter",mountpoint=~"/rootfs|/rootfs/var/lib/docker"}[1h],
+ 4 * 3600) < 0 and ON(instance) time() - node_boot_time{job="node-exporter"}
+ > 3600
+ for: 10m
+ labels:
+ severity: warning
+ annotations:
+ description: '{{ $labels.kubernetes_io_hostname }} will run out of disk space
+ in 4 hours on partition: {{ $labels.mountpoint }}.'
+ summary: Disk will be filled in 4 hours
+ - alert: NodeLowRootDiskWarning
+ expr: ((node_filesystem_size{mountpoint="/rootfs"} - node_filesystem_free{mountpoint="/rootfs"})
+ / node_filesystem_size{mountpoint="/rootfs"} * 100) > 85
+ for: 2m
+ labels:
+ severity: page
+ annotations:
+ description: '{{$labels.instance}}: Root disk usage is above 85% (current value
+ is: {{ $value }})'
+ summary: '{{$labels.instance}}: Low root disk space'
+ - alert: NodeLowRootDiskCritical
+ expr: ((node_filesystem_size{mountpoint="/rootfs"} - node_filesystem_free{mountpoint="/rootfs"})
+ / node_filesystem_size{mountpoint="/rootfs"} * 100) > 90
+ for: 2m
+ labels:
+ severity: page
+ annotations:
+ description: '{{$labels.instance}}: Root disk usage is above 90% (current value
+ is: {{ $value }})'
+ summary: '{{$labels.instance}}: Low root disk space'
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/kube-apiserver.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/kube-apiserver.yaml
new file mode 100644
index 000000000..0e4f7a88e
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/alertrules/kube-apiserver.yaml
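Review bot: `NodeLowRootDiskWarning` carries `severity: page`, the same label as `NodeLowRootDiskCritical`, so the two tiers route identically and the 85% warning pages exactly like the 90% critical; `severity: warning` (the value `DiskWillFillIn4Hours` already uses in this file) keeps the escalation meaningful. The three expressions depend on `node_filesystem_size`/`node_filesystem_free` and on the host root being mounted at `mountpoint="/rootfs"`; those are the pre-0.16 node_exporter names (later `node_filesystem_size_bytes`/`node_filesystem_free_bytes`) and the mount path is decided by how the exporter DaemonSet mounts the host filesystem, neither of which is visible in this commit, so if either differs the rules evaluate to empty and never fire. Confirm both against the deployed exporter rather than trusting the rule to load — Prometheus accepts a rule whose series do not exist.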
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: kube-apiserver.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: K8SApiserverDown
+ expr: absent(kube_pod_container_status_running{container="kube-apiserver"} == 1)
+ for: 5m
+ labels:
+ severity: critical
+ annotations:
+ description: Prometheus failed to scrape Kube API server(s), or all API servers
+ have disappeared from service discovery.
+ summary: API server unreachable
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/kube-controller-manager.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/kube-controller-manager.yaml
new file mode 100644
index 000000000..c2768607e
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/alertrules/kube-controller-manager.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: kube-controller-manager.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: K8SControllerManagerDown
+ expr: absent(kube_pod_container_status_running{container="kube-controller-manager"} == 1)
+ for: 5m
+ labels:
+ severity: critical
+ annotations:
+ description: There is no running K8S controller manager. Deployments and replication
+ controllers are not making progress.
+ summary: Controller manager is down
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/kube-node-status.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/kube-node-status.yaml
new file mode 100644
index 000000000..5f6c774b1
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/alertrules/kube-node-status.yaml
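Review bot: `K8SApiserverDown` is `absent(kube_pod_container_status_running{container="kube-apiserver"} == 1)`, which presumes the API server runs as a pod that kube-state-metrics can see; on a managed control plane (the dashboards in this commit key on GKE node labels, so that may be the case here) the series never exists, the alert fires permanently at `severity: critical`, and a real outage becomes indistinguishable from the steady state. The same construction is used by `K8SControllerManagerDown` on this line and by `K8SSchedulerDown` in the kube-scheduler hunk. A scrape-based signal such as `expr: absent(up{job="apiserver"} == 1)`, as in the upstream kube-prometheus `KubeAPIDown` rule, reflects whether Prometheus can actually reach the API server when the chart's apiserver ServiceMonitor is enabled; for the scheduler and controller manager on a managed control plane there may be nothing to scrape at all, in which case those rules are better removed than left firing.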
@@ -0,0 +1,49 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: kube-node-status.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: NodeCPUUsage
+ expr: (100 - (avg(irate(node_cpu{mode="idle"}[5m])) BY (instance) * 100)) > 75
+ for: 2m
+ labels:
+ severity: alert
+ annotations:
+ description: "{{$labels.instance}}: CPU usage is above 75% (current value is: {{ $value }})"
+ summary: "{{$labels.instance}}: High CPU usage detect"
+ - alert: KubeNodeStatusOutOfDisk
+ expr: kube_node_status_out_of_disk{condition="true"} > 0
+ for: 1m
+ labels:
+ severity: page
+ annotations:
+ description: This kube node status is reporting that it is out of disk space
+ summary: 'Kube node is reporting out of disk space: {{$labels.node}}'
+ - alert: KubeNodeStatusDiskPressure
+ expr: kube_node_status_disk_pressure{condition="true"} > 0
+ for: 1m
+ labels:
+ severity: page
+ annotations:
+ description: Pressure exists on the disk size – that is, if the disk capacity
+ is low
+ summary: 'Kube node is reporting disk pressure is high: {{$labels.node}}'
+ - alert: KubeNodeStatusMemoryPressure
+ expr: kube_node_status_memory_pressure{condition="true"} > 0
+ for: 1m
+ labels:
+ severity: page
+ annotations:
+ description: Pressure exists on the node memory – that is, if the node memory
+ is low
+ summary: 'Kube node is reporting memory pressure is high: {{$labels.node}}'
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/kube-scheduler.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/kube-scheduler.yaml
new file mode 100644
index 000000000..9353ce0cf
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/alertrules/kube-scheduler.yaml
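Review bot: `NodeCPUUsage` uses `severity: alert`, a value no other rule in this commit uses (the rest use `critical`, `page` and `warning`), so an Alertmanager route that matches on severity will not pick it up; `severity: warning` keeps it in the shared vocabulary, and its summary should read `High CPU usage detected`. The three node-condition rules read `kube_node_status_out_of_disk`, `kube_node_status_disk_pressure` and `kube_node_status_memory_pressure`; later kube-state-metrics releases replaced those with `kube_node_status_condition{condition="DiskPressure",status="true"}` and the chart version bundled here is not visible, so if the bundled version is one of those, these alerts load without error and simply never fire. Verify that the series exist on the target cluster before relying on them.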
@@ -0,0 +1,24 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: kube-scheduler.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: K8SSchedulerDown
+ expr: absent(kube_pod_container_status_running{container="kube-scheduler"} == 1)
+ for: 5m
+ labels:
+ severity: critical
+ annotations:
+ description: There is no running K8S scheduler. New pods are not being assigned
+ to nodes.
+ summary: Scheduler is down
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/kube-state-metric-pod.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/kube-state-metric-pod.yaml
new file mode 100644
index 000000000..cdc1f06b7
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/alertrules/kube-state-metric-pod.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: kube-state-metrics-pods.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: KubeStateContainerStatusTerminatedReasonOOMKilled
+ expr: |
+ kube_pod_container_status_terminated_reason{reason="OOMKilled"} == 1
+ for: 1m
+ labels:
+ severity: page
+ annotations:
+ description: '{{ $labels.pod }} was OOMKilled. Value: {{ $value }}'
+ summary: Pod was killed for using more than the memory limits set
+
+ - alert: KubeStateContainerStatusWaitingReasonCrashLoopBackOff
+ expr: |
+ kube_pod_container_status_waiting_reason{reason="CrashLoopBackOff"} == 1
+ for: 1m
+ labels:
+ severity: page
+ annotations:
+ description: '{{ $labels.pod }} is in a CrashLoopBackOff state'
+ summary: '{{ $labels.pod }} is in a CrashLoopBackOff state'
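Review bot: `KubeStateContainerStatusTerminatedReasonOOMKilled` requires `kube_pod_container_status_terminated_reason{reason="OOMKilled"} == 1` to hold for `for: 1m`, but that series only exists while the container sits in the Terminated state; once the kubelet restarts it (the first restart typically comes within seconds, with backoff only after repeated crashes) the series disappears, so an isolated OOM kill is likely to be missed while a crash-looping one is reported twice, here and by `KubeStateContainerStatusWaitingReasonCrashLoopBackOff`. If the deployed kube-state-metrics exports it, `kube_pod_container_status_last_terminated_reason{reason="OOMKilled"} == 1` combined with `increase(kube_pod_container_status_restarts_total[5m]) > 0` catches the event after the restart; otherwise drop the `for:` clause so a single evaluation is enough to raise it.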
diff --git a/old/kubernetes/helm/prometheus-operator/alertrules/memory-rules.yaml b/old/kubernetes/helm/prometheus-operator/alertrules/memory-rules.yaml
new file mode 100644
index 000000000..1cb489018
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/alertrules/memory-rules.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+ labels:
+ prometheus: k8s
+ role: alert-rules
+ app: prometheus-operator
+ release: monitoring-prometheus-operator
+ name: memory.rules
+ namespace: monitoring
+spec:
+ groups:
+ - name: kube.state.metric.pod
+ rules:
+ - alert: NodeSwapUsage
+ expr: (((node_memory_SwapTotal - node_memory_SwapFree) / node_memory_SwapTotal)
+ * 100) > 95
+ for: 35m
+ labels:
+ severity: page
+ annotations:
+ description: '{{$labels.instance}}: Swap usage usage is above 95% (current value
+ is: {{ $value }})'
+ summary: '{{$labels.instance}}: Swap usage detected'
+ - alert: NodeMemoryUsage
+ expr: (((node_memory_MemTotal - node_memory_MemFree - node_memory_Cached) / (node_memory_MemTotal)
+ * 100)) > 95
+ for: 35m
+ labels:
+ severity: page
+ annotations:
+ description: '{{$labels.instance}}: Memory usage is above 95% (current value is: {{ $value }})'
+ summary: '{{$labels.instance}}: High memory usage detected'
diff --git a/old/kubernetes/helm/prometheus-operator/charts/prometheus-operator-8.11.1.tgz b/old/kubernetes/helm/prometheus-operator/charts/prometheus-operator-8.11.1.tgz
new file mode 100644
index 000000000..fe47f707e
Binary files /dev/null and b/old/kubernetes/helm/prometheus-operator/charts/prometheus-operator-8.11.1.tgz differ
diff --git a/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-cluster.yaml b/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-cluster.yaml
new file mode 100644
index 000000000..c8b8e1bb9
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-cluster.yaml
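Review bot: The description of `NodeSwapUsage` reads `Swap usage usage is above 95%`; `description: '{{$labels.instance}}: Swap usage is above 95% (current value is: {{ $value }})'` removes the doubled word. Both expressions use `node_memory_MemTotal`, `node_memory_MemFree`, `node_memory_Cached` and the `Swap*` counterparts, which are the node_exporter names from before 0.16 (later releases append `_bytes`); like the cpu and disk rules in this commit they will load cleanly yet never fire if the bundled exporter is newer, so check the names once against the deployed version. `NodeMemoryUsage` also subtracts only `MemFree` and `Cached`, ignoring `Buffers` and reclaimable slab, so it overstates usage; where the kernel exports it, `node_memory_MemAvailable` is the closer measure of memory actually available.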
@@ -0,0 +1,1479 @@ +# source: https://grafana.com/dashboards/6873 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + grafana_dashboard: "1" + name: analysis-by-cluster-dashboard +data: + analysis-by-cluster-dashboard.json: |- + { + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "VAR_COSTCPU", + "type": "constant", + "label": "CPU", + "value": "17.78", + "description": "" + }, + { + "name": "VAR_COSTPCPU", + "type": "constant", + "label": "PE CPU", + "value": "5.35", + "description": "" + }, + { + "name": "VAR_COSTRAM", + "type": "constant", + "label": "RAM", + "value": "2.38", + "description": "" + }, + { + "name": "VAR_COSTPRAM", + "type": "constant", + "label": "PE RAM", + "value": "0.72", + "description": "" + }, + { + "name": "VAR_COSTSTORAGESTANDARD", + "type": "constant", + "label": "Storage", + "value": "0.044", + "description": "" + }, + { + "name": "VAR_COSTSTORAGESSD", + "type": "constant", + "label": "SSD", + "value": "0.187", + "description": "" + }, + { + "name": "VAR_COSTDISCOUNT", + "type": "constant", + "label": "Disc.", + "value": "30", + "description": "" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "A dashboard to help with 
cost and utilisation", + "editable": true, + "gnetId": 6873, + "graphTooltip": 0, + "id": null, + "iteration": 1530978789642, + "links": [], + "panels": [ + { + "content": "This dashboard shows indicative monthly costing for the cluster, based on **current** requests for CPU, RAM and Storage. \nUtilisation figures represent utilsation of current, active deployments vs their request limits, and **does not** include data from instances no longer running.", + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 86, + "links": [], + "mode": "markdown", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": true, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "datasource": "Prometheus", + "decimals": 2, + "description": "This gauge shows the current CPU use vs CPU available", + "editable": true, + "error": false, + "format": "percent", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": true, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 0, + "y": 2 + }, + "height": "180px", + "hideTimeOverride": true, + "id": 82, + "interval": null, + "isNew": true, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "", + "targets": [ + { + "expr": "(\n sum(\n count(irate(container_cpu_usage_seconds_total{id=\"/\"}[1m])) by (instance)\n * on (instance) \n 
sum(irate(container_cpu_usage_seconds_total{id=\"/\"}[1m])) by (instance)\n ) \n / \n (sum (kube_node_status_allocatable_cpu_cores))\n) * 100", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "refId": "A", + "step": 10 + } + ], + "thresholds": "30, 80", + "timeFrom": "", + "title": "CPU Utilisation", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": true, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "datasource": "Prometheus", + "decimals": 2, + "description": "This panel shows current CPU reservation requests by applications, vs CPU available", + "editable": true, + "error": false, + "format": "percent", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": true, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 3, + "y": 2 + }, + "height": "180px", + "id": 91, + "interval": null, + "isNew": true, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "", + "targets": [ + { + "expr": "(\n sum(container_spec_cpu_shares{namespace!=\"\"})\n / \n (sum (kube_node_status_allocatable_cpu_cores) * 1000)\n) * 100", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "refId": "A", + "step": 10 + } + ], + "thresholds": "30, 80", + "title": "CPU Requests", + "type": 
"singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "decimals": 2, + "format": "currencyUSD", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 2 + }, + "id": 75, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "label_cloud_google_com_gke_preemptible", + "targets": [ + { + "expr": "sum(\n (\n (\n sum(kube_node_status_capacity_cpu_cores) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible=\"true\"}\n ) * $costpcpu\n )\n or\n (\n (\n sum(kube_node_status_capacity_cpu_cores) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible!=\"true\"}\n ) * ($costcpu - ($costcpu / 100 * $costDiscount))\n )\n) ", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": " {{ node }}", + "refId": "A" + } + ], + "thresholds": "", + "timeShift": null, + "title": "CPU Cost", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + 
"text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "decimals": 2, + "format": "currencyUSD", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 2 + }, + "id": 78, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "label_cloud_google_com_gke_preemptible", + "targets": [ + { + "expr": "sum (\n sum(kube_persistentvolumeclaim_info{storageclass=~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) / 1024 / 1024 /1024 * $costStorageSSD\n\n+\n\nsum (\n sum(kube_persistentvolumeclaim_info{storageclass!~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) / 1024 / 1024 /1024 * $costStorageStandard\n\n+ \n\nsum(container_fs_limit_bytes{device=~\"^/dev/[sv]d[a-z][1-9]$\",id=\"/\"}) / 1024 / 1024 / 1024 * $costStorageStandard", + "format": "time_series", + "instant": 
true, + "interval": "", + "intervalFactor": 1, + "legendFormat": " {{ node }}", + "refId": "A" + } + ], + "thresholds": "", + "timeShift": null, + "title": "Storage Cost (Cluster and PVC)", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "columns": [ + { + "text": "Avg", + "value": "avg" + } + ], + "datasource": "Prometheus", + "description": "This table shows the comparison of CPU and RAM requests by applications, vs the capacity of the node", + "fontSize": "100%", + "gridPos": { + "h": 8, + "w": 10, + "x": 14, + "y": 2 + }, + "hideTimeOverride": true, + "id": 90, + "links": [], + "pageSize": 7, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 1, + "desc": true + }, + "styles": [ + { + "alias": "RAM Requests", + "colorMode": "value", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #A", + "thresholds": [ + "30", + " 80" + ], + "type": "number", + "unit": "percent" + }, + { + "alias": "Node", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "node", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "CPU Requests", + "colorMode": "value", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + 
"mappingType": 1, + "pattern": "Value #B", + "thresholds": [ + "30", + " 80" + ], + "type": "number", + "unit": "percent" + } + ], + "targets": [ + { + "expr": "( \n sum(kube_pod_container_resource_requests_cpu_cores) by (node) \n /\n sum(kube_node_status_allocatable_cpu_cores) by (node)\n) * 100", + "format": "table", + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ node }}", + "refId": "B" + }, + { + "expr": "( \n sum(kube_pod_container_resource_requests_memory_bytes) by (node) \n /\n sum(kube_node_status_allocatable_memory_bytes) by (node)\n) * 100", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ node }}", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Cluster Node Utilisation by CPU and RAM requests", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": true, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "datasource": "Prometheus", + "description": "This gauge shows current RAM use by RAM available", + "editable": true, + "error": false, + "format": "percent", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": true, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 0, + "y": 6 + }, + "height": "180px", + "hideTimeOverride": true, + "id": 80, + "interval": null, + "isNew": true, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + 
"lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "", + "targets": [ + { + "expr": "(\n sum(\n count(container_memory_working_set_bytes{id=\"/\"}) by (instance)\n * on (instance) \n sum(avg_over_time(container_memory_working_set_bytes{id=\"/\"}[1m])) by (instance)\n )\n /\n sum(kube_node_status_allocatable_memory_bytes)\n) * 100", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "refId": "A", + "step": 10 + } + ], + "thresholds": "30,80", + "timeFrom": "", + "title": "RAM Utilisation", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": true, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "datasource": "Prometheus", + "description": "This panel shows current RAM reservation requests by applications, vs RAM available", + "editable": true, + "error": false, + "format": "percent", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": true, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 3, + "y": 6 + }, + "height": "180px", + "id": 92, + "interval": null, + "isNew": true, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "", + "targets": [ + { + "expr": "(\n sum(kube_pod_container_resource_requests_memory_bytes{namespace!=\"\"})\n /\n 
sum(kube_node_status_allocatable_memory_bytes)\n) * 100", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "refId": "A", + "step": 10 + } + ], + "thresholds": "30,80", + "title": "RAM Requests", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "decimals": 2, + "format": "currencyUSD", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 6 + }, + "id": 77, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "label_cloud_google_com_gke_preemptible", + "targets": [ + { + "expr": "sum(\n (\n (\n sum(kube_node_status_capacity_memory_bytes) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible=\"true\"}\n ) /1024/1024/1024 * $costpram\n )\n or\n (\n (\n sum(kube_node_status_capacity_memory_bytes) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible!=\"true\"}\n ) /1024/1024/1024 * ($costram - ($costram / 100 * $costDiscount))\n)\n) ", + "format": 
"time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": " {{ node }}", + "refId": "A" + } + ], + "thresholds": "", + "timeShift": null, + "title": "RAM Cost", + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "decimals": 2, + "format": "currencyUSD", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 6 + }, + "id": 93, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": false, + "lineColor": "rgb(31, 120, 193)", + "show": false + }, + "tableColumn": "label_cloud_google_com_gke_preemptible", + "targets": [ + { + "expr": "# CPU\nsum(\n (\n (\n sum(kube_node_status_capacity_cpu_cores) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible=\"true\"}\n ) * $costpcpu\n )\n or\n (\n (\n sum(kube_node_status_capacity_cpu_cores) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible!=\"true\"}\n ) * ($costcpu - ($costcpu / 100 * $costDiscount))\n )\n) \n\n+ \n\n# Storage\nsum (\n 
sum(kube_persistentvolumeclaim_info{storageclass=~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) / 1024 / 1024 /1024 * $costStorageSSD\n\n+\n\nsum (\n sum(kube_persistentvolumeclaim_info{storageclass!~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) / 1024 / 1024 /1024 * $costStorageStandard\n\n+ \n\nsum(container_fs_limit_bytes{device=~\"^/dev/[sv]d[a-z][1-9]$\",id=\"/\"}) / 1024 / 1024 / 1024 * $costStorageStandard\n\n+ \n# RAM\nsum(\n (\n (\n sum(kube_node_status_capacity_memory_bytes) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible=\"true\"}\n ) /1024/1024/1024 * $costpram\n )\n or\n (\n (\n sum(kube_node_status_capacity_memory_bytes) by (node)\n * on (node) group_left (label_cloud_google_com_gke_preemptible)\n kube_node_labels{label_cloud_google_com_gke_preemptible!=\"true\"}\n ) /1024/1024/1024 * ($costram - ($costram / 100 * $costDiscount))\n)\n) ", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": " {{ node }}", + "refId": "A" + } + ], + "thresholds": "", + "timeShift": null, + "title": "Total Cost", + "type": "singlestat", + "valueFontSize": "110%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "columns": [ + { + "text": "Avg", + "value": "avg" + } + ], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 11, + "w": 14, + "x": 0, + "y": 10 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": 10, + "repeat": null, + 
"repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 7, + "desc": true + }, + "styles": [ + { + "alias": "Namespace", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "View namespace cost analysis", + "linkUrl": "d/at-cost-analysis-namespace/cost-analysis-by-namespace?&var-namespace=$__cell", + "pattern": "namespace", + "thresholds": [ + "30", + "80" + ], + "type": "string", + "unit": "currencyUSD" + }, + { + "alias": "RAM", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "CPU", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Storage", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "Total", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "CPU Utilisation", + "colorMode": "value", + "colors": [ + "#bf1b00", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #E", + "thresholds": [ + "30", + "80" + ], + "type": "number", + "unit": "percent" + }, + { + "alias": "RAM Utilisation", + "colorMode": "value", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #F", + "thresholds": [ + "30", + "80" + ], + "type": "number", + "unit": "percent" + } + ], + "targets": [ + { + "expr": "(\n sum(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible!=\"true\"}/1000*($costcpu - ($costcpu / 100 * $costDiscount))) by(namespace)\n or\n count(\n count(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n)\n\n+\n\n(\n sum(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible=\"true\"}/1000*$costpcpu) by(namespace)\n or\n count(\n count(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n)", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "A" + }, + { + "expr": "sum(\n count(count(container_spec_cpu_shares{namespace!=\"\"}) by (pod_name, namespace)) by (pod_name, namespace) \n * on (pod_name, namespace) \n sum(irate(container_cpu_usage_seconds_total{namespace!=\"\"}[1m])) by (pod_name, namespace)\n) by (namespace) * 1000\n/\nsum(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by (namespace) * 100\n", + "format": 
"table", + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "E" + }, + { + "expr": "(\n sum(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible!=\"true\"}/1024/1024/1024*($costram- ($costram / 100 * $costDiscount))) by(namespace)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n)\n\n+\n\n(\n sum(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible=\"true\"}/1024/1024/1024*$costpram) by(namespace)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n)", + "format": "table", + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "B" + }, + { + "expr": "sum(\n count(count(container_memory_working_set_bytes{namespace!=\"\"}) by (pod_name, namespace)) by (pod_name, namespace) \n * on (pod_name, namespace) \n sum(avg_over_time(container_memory_working_set_bytes{namespace!=\"\"}[1m])) by (pod_name, namespace)\n) by (namespace)\n/\nsum(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\"}) by (namespace) * 100\n", + "format": "table", + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "F" + }, + { + "expr": "sum (\n sum(kube_persistentvolumeclaim_info{storageclass=~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) by (namespace) / 1024 / 1024 /1024 * $costStorageSSD\n\nor\n\nsum (\n sum(kube_persistentvolumeclaim_info{storageclass!~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n 
sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) by (namespace) / 1024 / 1024 /1024 * $costStorageStandard\n\nor\n\ncount(\n count(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n) by(namespace) -1", + "format": "table", + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "C" + }, + { + "expr": "# Add the CPU\n(\n (\n sum(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible!=\"true\"}/1000*($costcpu - ($costcpu / 100 * $costDiscount))) by(namespace)\n or\n count(\n count(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n )\n \n +\n \n (\n sum(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible=\"true\"}/1000*$costpcpu) by(namespace)\n or\n count(\n count(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n )\n)\n\n+ \n# Add the RAM\n(\n (\n sum(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible!=\"true\"}/1024/1024/1024*($costram - ($costram / 100 * $costDiscount))) by(namespace)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n )\n \n +\n \n (\n sum(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\",cloud_google_com_gke_preemptible=\"true\"}/1024/1024/1024*$costpram) by(namespace)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n )\n)\n\n+\n# Add the storage\n(\n\n sum (\n sum(kube_persistentvolumeclaim_info{storageclass=~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n 
sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n ) by (namespace) / 1024 / 1024 /1024 * $costStorageSSD\n \n or\n \n sum (\n sum(kube_persistentvolumeclaim_info{storageclass!~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n ) by (namespace) / 1024 / 1024 /1024 * $costStorageStandard\n \n or\n \n count(\n count(container_spec_cpu_shares{namespace!=\"\",namespace!=\"kube-system\"}) by(namespace)\n ) by(namespace) -1\n\n)", + "format": "table", + "instant": true, + "intervalFactor": 1, + "refId": "D" + } + ], + "timeFrom": "", + "timeShift": null, + "title": "Namespace cost and utilisation analysis", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [ + { + "text": "Avg", + "value": "avg" + } + ], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 11, + "w": 10, + "x": 14, + "y": 10 + }, + "hideTimeOverride": true, + "id": 94, + "links": [], + "pageSize": 10, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Namespace", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "namespace", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "PVC Name", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "persistentvolumeclaim", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Storage Class", + "colorMode": 
null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "storageclass", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Cost", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": "sum (\n sum(kube_persistentvolumeclaim_info{storageclass=~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) by (namespace,persistentvolumeclaim,storageclass) / 1024 / 1024 /1024 * $costStorageSSD\n\nor\n\nsum (\n sum(kube_persistentvolumeclaim_info{storageclass!~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes) by (persistentvolumeclaim, namespace)\n) by (namespace,persistentvolumeclaim,storageclass) / 1024 / 1024 /1024 * $costStorageStandard\n", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ persistentvolumeclaim }}", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Persistent Volume Claims", + "transform": 
"table", + "transparent": false, + "type": "table" + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [ + "cost", + "utilisation", + "metrics" + ], + "templating": { + "list": [ + { + "current": { + "value": "${VAR_COSTCPU}", + "text": "${VAR_COSTCPU}" + }, + "hide": 0, + "label": "CPU", + "name": "costcpu", + "options": [ + { + "value": "${VAR_COSTCPU}", + "text": "${VAR_COSTCPU}" + } + ], + "query": "${VAR_COSTCPU}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTPCPU}", + "text": "${VAR_COSTPCPU}" + }, + "hide": 0, + "label": "PE CPU", + "name": "costpcpu", + "options": [ + { + "value": "${VAR_COSTPCPU}", + "text": "${VAR_COSTPCPU}" + } + ], + "query": "${VAR_COSTPCPU}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTRAM}", + "text": "${VAR_COSTRAM}" + }, + "hide": 0, + "label": "RAM", + "name": "costram", + "options": [ + { + "value": "${VAR_COSTRAM}", + "text": "${VAR_COSTRAM}" + } + ], + "query": "${VAR_COSTRAM}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTPRAM}", + "text": "${VAR_COSTPRAM}" + }, + "hide": 0, + "label": "PE RAM", + "name": "costpram", + "options": [ + { + "value": "${VAR_COSTPRAM}", + "text": "${VAR_COSTPRAM}" + } + ], + "query": "${VAR_COSTPRAM}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTSTORAGESTANDARD}", + "text": "${VAR_COSTSTORAGESTANDARD}" + }, + "hide": 0, + "label": "Storage", + "name": "costStorageStandard", + "options": [ + { + "value": "${VAR_COSTSTORAGESTANDARD}", + "text": "${VAR_COSTSTORAGESTANDARD}" + } + ], + "query": "${VAR_COSTSTORAGESTANDARD}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTSTORAGESSD}", + "text": "${VAR_COSTSTORAGESSD}" + }, + "hide": 0, + "label": "SSD", + "name": "costStorageSSD", + "options": [ + { + "value": "${VAR_COSTSTORAGESSD}", + "text": "${VAR_COSTSTORAGESSD}" + } + ], + "query": "${VAR_COSTSTORAGESSD}", + "type": "constant" + }, + { + "current": { + "value": 
"${VAR_COSTDISCOUNT}",
+ "text": "${VAR_COSTDISCOUNT}"
+ },
+ "hide": 0,
+ "label": "Disc.",
+ "name": "costDiscount",
+ "options": [
+ {
+ "value": "${VAR_COSTDISCOUNT}",
+ "text": "${VAR_COSTDISCOUNT}"
+ }
+ ],
+ "query": "${VAR_COSTDISCOUNT}",
+ "type": "constant"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "timepicker": {
+ "hidden": false,
+ "refresh_intervals": [
+ "5s",
+ "10s",
+ "30s",
+ "1m",
+ "5m",
+ "15m",
+ "30m",
+ "1h",
+ "2h",
+ "1d"
+ ],
+ "time_options": [
+ "5m",
+ "15m",
+ "1h",
+ "6h",
+ "12h",
+ "24h",
+ "2d",
+ "7d",
+ "30d"
+ ]
+ },
+ "timezone": "browser",
+ "title": "Analysis by Cluster",
+ "uid": "at-cost-analysis",
+ "version": 6
+ }
diff --git a/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-namespace.yaml b/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-namespace.yaml
new file mode 100644
index 000000000..b224d0893
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-namespace.yaml
@@ -0,0 +1,1085 @@ +# source: https://grafana.com/dashboards/6876 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + grafana_dashboard: "1" + name: analysis-by-namespace-dashboard +data: + analysis-by-namespace-dashboard.json: |- + { + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "VAR_COSTCPU", + "type": "constant", + "label": "CPU", + "value": "17.78", + "description": "" + }, + { + "name": "VAR_COSTPCPU", + "type": "constant", + "label": "PE CPU", + "value": "5.35", + "description": "" + }, + { + "name": "VAR_COSTRAM", + "type": "constant", + "label": "RAM", + "value": "2.38", + "description": "" + }, + { + "name": "VAR_COSTPRAM", + "type": "constant", + "label": "PE RAM", + "value": "0.72", + "description": "" + }, + { + "name": "VAR_COSTSTORAGESTANDARD", + "type": "constant", + "label": "Storage", + "value": "0.044", + "description": "" + }, + { + "name": "VAR_COSTSTORAGESSD", + "type": "constant", + "label": "SSD", + "value": "0.187", + "description": "" + }, + { + "name": "VAR_COSTDISCOUNT", + "type": "constant", + "label": "Disc.", + "value": "30", + "description": "" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.1" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "A dashboard to help with cost and utilisation", + "editable": true, + "gnetId": 6876, + "graphTooltip": 0, + "id": 
null, + "iteration": 1530978809451, + "links": [], + "panels": [ + { + "columns": [ + { + "text": "Avg", + "value": "avg" + } + ], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 16, + "x": 0, + "y": 0 + }, + "hideTimeOverride": true, + "id": 73, + "links": [], + "pageSize": 8, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 6, + "desc": true + }, + "styles": [ + { + "alias": "Pod", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "Click to drill down into pod", + "linkUrl": "d/at-cost-analysis-pod/cost-analysis-by-pod?&var-namespace=$namespace&var-pod=$__cell", + "pattern": "pod_name", + "thresholds": [ + "30", + "80" + ], + "type": "string", + "unit": "currencyUSD" + }, + { + "alias": "RAM", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "CPU", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Storage", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "Total", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "CPU Utilisation", + "colorMode": "value", + "colors": [ + "#bf1b00", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #E", + "thresholds": [ + "30", + "80" + ], + "type": "number", + "unit": "percent" + }, + { + "alias": "RAM Utilisation", + "colorMode": "value", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #F", + "thresholds": [ + "30", + "80" + ], + "type": "number", + "unit": "percent" + } + ], + "targets": [ + { + "expr": "(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",cloud_google_com_gke_preemptible!=\"true\"}/1000*($costcpu - ($costcpu / 100 * $costDiscount))) by(pod_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)\n\n+\n\n(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",cloud_google_com_gke_preemptible=\"true\"}/1000*$costpcpu) by(pod_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ pod_name }}", + "refId": "A" + }, + { + "expr": "sum(\n count(count(container_spec_cpu_shares{namespace=\"$namespace\"}) by (pod_name)) by (pod_name) \n * on (pod_name) \n 
sum(irate(container_cpu_usage_seconds_total{namespace=\"$namespace\"}[1m])) by (pod_name)\n) by (pod_name) * 1000\n/\nsum(container_spec_cpu_shares{namespace=\"$namespace\"}) by (pod_name) * 100", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ pod_name }}", + "refId": "E" + }, + { + "expr": "(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",cloud_google_com_gke_preemptible!=\"true\"}/1024/1024/1024*($costram- ($costram / 100 * $costDiscount))) by(pod_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)\n\n+\n\n(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",cloud_google_com_gke_preemptible=\"true\"}/1024/1024/1024*$costpram) by(pod_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "B" + }, + { + "expr": "sum(\n count(count(container_memory_working_set_bytes{namespace=\"$namespace\"}) by (pod_name)) by (pod_name) \n * on (pod_name) \n sum(avg_over_time(container_memory_working_set_bytes{namespace=\"$namespace\"}[1m])) by (pod_name)\n) by (pod_name)\n/\nsum(container_spec_memory_limit_bytes{namespace=\"$namespace\"}) by (pod_name) * 100", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "F" + }, + { + "expr": "(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",cloud_google_com_gke_preemptible!=\"true\"}/1000*($costcpu - ($costcpu / 100 * $costDiscount))) by(pod_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)\n\n+\n\n(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",cloud_google_com_gke_preemptible=\"true\"}/1000*$costpcpu) by(pod_name)\n or\n 
count(\n count(container_spec_cpu_shares{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)\n\n# Now ram\n\n+ \n(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",cloud_google_com_gke_preemptible!=\"true\"}/1024/1024/1024*($costram- ($costram / 100 * $costDiscount))) by(pod_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)\n\n+\n\n(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",cloud_google_com_gke_preemptible=\"true\"}/1024/1024/1024*$costpram) by(pod_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\"}) by(pod_name)\n ) by(pod_name) -1\n)\n\n", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "refId": "D" + } + ], + "timeFrom": "1M", + "timeShift": null, + "title": "Pod cost and utilisation analysis", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [ + { + "text": "Avg", + "value": "avg" + } + ], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 9, + "w": 8, + "x": 16, + "y": 0 + }, + "hideTimeOverride": true, + "id": 90, + "links": [], + "pageSize": 8, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Namespace", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "PVC Name", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "persistentvolumeclaim", + "thresholds": [], + "type": "number", + "unit": "short" + }, + 
{ + "alias": "Storage Class", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "storageclass", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Cost", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": "sum (\n sum(kube_persistentvolumeclaim_info{storageclass=~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace=~\"$namespace\"}) by (persistentvolumeclaim, namespace)\n) by (namespace,persistentvolumeclaim,storageclass) / 1024 / 1024 /1024 * $costStorageSSD\n\nor\n\nsum (\n sum(kube_persistentvolumeclaim_info{storageclass!~\".*ssd.*\"}) by (persistentvolumeclaim, namespace, storageclass)\n + on (persistentvolumeclaim, namespace) group_right(storageclass)\n sum(kube_persistentvolumeclaim_resource_requests_storage_bytes{namespace=~\"$namespace\"}) by (persistentvolumeclaim, namespace)\n) by (namespace,persistentvolumeclaim,storageclass) / 1024 / 1024 /1024 * $costStorageStandard\n", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ persistentvolumeclaim }}", + "refId": "A" + } + ], + 
"timeFrom": null, + "timeShift": null, + "title": "Persistent Volume Claims", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 3, + "description": "This panel shows historical utilisation as an average across all pods in this namespace. It only accounts for currently deployed pods", + "editable": true, + "error": false, + "fill": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 9 + }, + "height": "", + "id": 94, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": false, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": true, + "targets": [ + { + "expr": "sum (rate (container_cpu_usage_seconds_total{namespace=\"$namespace\"}[1m])) by (namespace) * 1000\n/\nsum(avg_over_time(container_spec_cpu_shares{namespace=\"$namespace\"}[1m])) by (namespace) * 100", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "cpu", + "metric": "container_cpu", + "refId": "A", + "step": 10 + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "Overall CPU Utilisation", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "decimals": null, + "format": "percent", + "label": "", + "logBase": 1, + "max": 
"110", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 2, + "description": "This panel shows historical utilisation as an average across all pods in this namespace. It only accounts for currently deployed pods", + "editable": true, + "error": false, + "fill": 0, + "grid": {}, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 92, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": false, + "sideWidth": 200, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": true, + "targets": [ + { + "expr": "sum (container_memory_working_set_bytes{namespace=\"$namespace\"}) by (namespace)\n/\nsum(container_spec_memory_limit_bytes{namespace=\"$namespace\"}) by (namespace) * 100", + "format": "time_series", + "interval": "10s", + "intervalFactor": 1, + "legendFormat": "ram", + "metric": "container_memory_usage:sort_desc", + "refId": "A", + "step": 10 + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "Overall RAM Utilisation", + "tooltip": { + "msResolution": false, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "decimals": null, + "format": "percent", + "label": null, + "logBase": 1, + "max": "110", + "min": "0", + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 2, + "description": "Traffic in and out of this namespace, as a sum of the pods within it", + "editable": true, + "error": false, + "fill": 1, + "grid": {}, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 15 + }, + "height": "", + "id": 96, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": true, + "current": true, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum (rate (container_network_receive_bytes_total{namespace=\"$namespace\"}[1m])) by (namespace)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "<- in", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "expr": "- sum (rate (container_network_transmit_bytes_total{namespace=\"$namespace\"}[1m])) by (namespace)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "-> out", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "Network IO", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 2, + "description": "Disk reads and writes for the namespace, as a sum of the pods within it", + "editable": true, + "error": false, + "fill": 1, + "grid": {}, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 15 + }, + "height": "", + "id": 98, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": true, + "current": true, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum (rate (container_fs_writes_bytes_total{namespace=\"$namespace\"}[1m])) by (namespace)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "<- write", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "expr": "- sum (rate (container_fs_reads_bytes_total{namespace=\"$namespace\"}[1m])) by (namespace)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "-> read", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "Disk IO", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": 
"cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [ + "cost", + "utilisation", + "metrics" + ], + "templating": { + "list": [ + { + "current": { + "value": "${VAR_COSTCPU}", + "text": "${VAR_COSTCPU}" + }, + "hide": 0, + "label": "CPU", + "name": "costcpu", + "options": [ + { + "value": "${VAR_COSTCPU}", + "text": "${VAR_COSTCPU}" + } + ], + "query": "${VAR_COSTCPU}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTPCPU}", + "text": "${VAR_COSTPCPU}" + }, + "hide": 0, + "label": "PE CPU", + "name": "costpcpu", + "options": [ + { + "value": "${VAR_COSTPCPU}", + "text": "${VAR_COSTPCPU}" + } + ], + "query": "${VAR_COSTPCPU}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTRAM}", + "text": "${VAR_COSTRAM}" + }, + "hide": 0, + "label": "RAM", + "name": "costram", + "options": [ + { + "value": "${VAR_COSTRAM}", + "text": "${VAR_COSTRAM}" + } + ], + "query": "${VAR_COSTRAM}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTPRAM}", + "text": "${VAR_COSTPRAM}" + }, + "hide": 0, + "label": "PE RAM", + "name": "costpram", + "options": [ + { + "value": "${VAR_COSTPRAM}", + "text": "${VAR_COSTPRAM}" + } + ], + "query": "${VAR_COSTPRAM}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTSTORAGESTANDARD}", + "text": "${VAR_COSTSTORAGESTANDARD}" + }, + "hide": 0, + "label": "Storage", + "name": "costStorageStandard", + "options": [ + { + "value": "${VAR_COSTSTORAGESTANDARD}", + "text": "${VAR_COSTSTORAGESTANDARD}" + } + ], + "query": 
"${VAR_COSTSTORAGESTANDARD}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTSTORAGESSD}", + "text": "${VAR_COSTSTORAGESSD}" + }, + "hide": 0, + "label": "SSD", + "name": "costStorageSSD", + "options": [ + { + "value": "${VAR_COSTSTORAGESSD}", + "text": "${VAR_COSTSTORAGESSD}" + } + ], + "query": "${VAR_COSTSTORAGESSD}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTDISCOUNT}", + "text": "${VAR_COSTDISCOUNT}" + }, + "hide": 0, + "label": "Disc.", + "name": "costDiscount", + "options": [ + { + "value": "${VAR_COSTDISCOUNT}", + "text": "${VAR_COSTDISCOUNT}" + } + ], + "query": "${VAR_COSTDISCOUNT}", + "type": "constant" + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "NS", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(container_memory_working_set_bytes{namespace!=\"\"}) by (namespace))", + "refresh": 1, + "regex": "/namespace=\\\"(.*?)(\\\")/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "hidden": false, + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Analysis by Namespace", + "uid": "at-cost-analysis-namespace", + "version": 8 + } diff --git a/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-pod.yaml b/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-pod.yaml new file mode 100644 index 000000000..cc70f85e1 --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/dashboards/analysis-by-pod.yaml 
@@ -0,0 +1,996 @@ +# source: https://grafana.com/dashboards/6879 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + grafana_dashboard: "1" + name: analysis-by-pod-dashboard +data: + analysis-by-pod-dashboard.json: |- + { + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "VAR_COSTCPU", + "type": "constant", + "label": "CPU", + "value": "17.78", + "description": "" + }, + { + "name": "VAR_COSTPCPU", + "type": "constant", + "label": "PE CPU", + "value": "5.35", + "description": "" + }, + { + "name": "VAR_COSTRAM", + "type": "constant", + "label": "RAM", + "value": "2.38", + "description": "" + }, + { + "name": "VAR_COSTPRAM", + "type": "constant", + "label": "PE RAM", + "value": "0.72", + "description": "" + }, + { + "name": "VAR_COSTSTORAGESTANDARD", + "type": "constant", + "label": "Storage", + "value": "0.044", + "description": "" + }, + { + "name": "VAR_COSTSTORAGESSD", + "type": "constant", + "label": "SSD", + "value": "0.187", + "description": "" + }, + { + "name": "VAR_COSTDISCOUNT", + "type": "constant", + "label": "Disc.", + "value": "30", + "description": "" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.1" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Part 3 of 3 dashboards to help you visualise your kubernetes costs.", + "editable": true, + "gnetId": 6879, + "graphTooltip": 0, 
+ "id": null, + "iteration": 1530978819826, + "links": [], + "panels": [ + { + "columns": [ + { + "text": "Avg", + "value": "avg" + } + ], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 0 + }, + "hideTimeOverride": true, + "id": 73, + "links": [], + "pageSize": 3, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 6, + "desc": true + }, + "styles": [ + { + "alias": "Container", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#c15c17" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "pattern": "container_name", + "thresholds": [ + "30", + "80" + ], + "type": "string", + "unit": "currencyUSD" + }, + { + "alias": "RAM", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "CPU", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Storage", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #C", + "thresholds": [], + "type": 
"number", + "unit": "currencyUSD" + }, + { + "alias": "Total", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "currencyUSD" + }, + { + "alias": "CPU Utilisation", + "colorMode": "value", + "colors": [ + "#bf1b00", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #E", + "thresholds": [ + "30", + "80" + ], + "type": "number", + "unit": "percent" + }, + { + "alias": "RAM Utilisation", + "colorMode": "value", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(50, 172, 45, 0.97)", + "#ef843c" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "Value #F", + "thresholds": [ + "30", + "80" + ], + "type": "number", + "unit": "percent" + } + ], + "targets": [ + { + "expr": "(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible!=\"true\"}/1000*($costcpu - ($costcpu / 100 * $costDiscount))) by(container_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\",container_name!=\"POD\",pod_name=\"$pod\"}) by(container_name)\n ) by(container_name) -1\n)\n\n+\n\n(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible=\"true\"}/1000*$costpcpu) by(container_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by(container_name)\n ) by(container_name) -1\n)", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ pod_name }}", + "refId": "A" + }, + { + "expr": "sum(\n 
count(count(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by (container_name)) by (container_name) \n * on (container_name) \n sum(irate(container_cpu_usage_seconds_total{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}[1m])) by (container_name)\n) by (container_name) * 1000\n/\nsum(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by (container_name) * 100", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ pod_name }}", + "refId": "E" + }, + { + "expr": "(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible!=\"true\"}/1024/1024/1024*($costram- ($costram / 100 * $costDiscount))) by(container_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by(container_name)\n ) by(container_name) -1\n)\n\n+\n\n(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible=\"true\"}/1024/1024/1024*$costpram) by(container_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by(container_name)\n ) by(container_name) -1\n)", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "B" + }, + { + "expr": "sum(\n count(count(container_memory_working_set_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by (container_name)) by (container_name) \n * on (container_name) \n sum(avg_over_time(container_memory_working_set_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}[1m])) by (container_name)\n) by 
(container_name)\n/\nsum(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by (container_name) * 100", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ namespace }}", + "refId": "F" + }, + { + "expr": "(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible!=\"true\"}/1000*($costcpu - ($costcpu / 100 * $costDiscount))) by(container_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\",container_name!=\"POD\",pod_name=\"$pod\"}) by(container_name)\n ) by(container_name) -1\n)\n\n+\n\n(\n sum(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible=\"true\"}/1000*$costpcpu) by(container_name)\n or\n count(\n count(container_spec_cpu_shares{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by(container_name)\n ) by(container_name) -1\n)\n\n+\n\n(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible!=\"true\"}/1024/1024/1024*($costram- ($costram / 100 * $costDiscount))) by(container_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by(container_name)\n ) by(container_name) -1\n)\n\n+\n\n(\n sum(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\",cloud_google_com_gke_preemptible=\"true\"}/1024/1024/1024*$costpram) by(container_name)\n or\n count(\n count(container_spec_memory_limit_bytes{namespace=\"$namespace\",pod_name=\"$pod\",container_name!=\"POD\"}) by(container_name)\n ) by(container_name) -1\n)", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "refId": "D" + } + ], + "timeFrom": "1M", + "timeShift": null, + "title": 
"Container cost and utilisation analysis", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 3, + "description": "This graph attempts to show you CPU use of your application vs its requests", + "editable": true, + "error": false, + "fill": 0, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 6 + }, + "height": "", + "id": 94, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": true, + "targets": [ + { + "expr": "sum (rate (container_cpu_usage_seconds_total{namespace=~\"$namespace\", pod_name=\"$pod\", container_name!=\"POD\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ container_name }}", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "expr": "sum(container_spec_cpu_shares{namespace=~\"$namespace\", pod_name=\"$pod\", container_name!=\"POD\"}) by (container_name) / 1000", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "{{ container_name }} (requested)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "CPU Core Usage vs Requested", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": 
"time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "none", + "label": "", + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 3, + "description": "This graph attempts to show you RAM use of your application vs its requests", + "editable": true, + "error": false, + "fill": 0, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 6 + }, + "height": "", + "id": 96, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": true, + "targets": [ + { + "expr": "sum (avg_over_time (container_memory_working_set_bytes{namespace=\"$namespace\", pod_name=\"$pod\", container_name!=\"POD\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ container_name }}", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "expr": "sum(container_spec_memory_limit_bytes{namespace=~\"$namespace\", pod_name=\"$pod\", container_name!=\"POD\"}) by (container_name)", + "format": "time_series", + "hide": false, + "instant": false, + "intervalFactor": 1, + "legendFormat": "{{ container_name }} (requested)", + "refId": "B" + } + ], + 
"thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "RAM Usage vs Requested", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 2, + "description": "Traffic in and out of this pod, as a sum of its containers", + "editable": true, + "error": false, + "fill": 1, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 13 + }, + "height": "", + "id": 95, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": true, + "current": true, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum (rate (container_network_receive_bytes_total{namespace=\"$namespace\",pod_name=\"$pod\"}[1m])) by (pod_name)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "<- in", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "expr": "- sum (rate (container_network_transmit_bytes_total{namespace=\"$namespace\",pod_name=\"$pod\"}[1m])) by 
(pod_name)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "-> out", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "Network IO", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "decimals": 2, + "description": "Disk read writes", + "editable": true, + "error": false, + "fill": 1, + "grid": {}, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 13 + }, + "height": "", + "id": 97, + "isNew": true, + "legend": { + "alignAsTable": false, + "avg": true, + "current": true, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "sideWidth": null, + "sort": "current", + "sortDesc": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 2, + "links": [], + "nullPointMode": "connected", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum (rate (container_fs_writes_bytes_total{namespace=\"$namespace\",pod_name=\"$pod\"}[1m])) by (pod_name)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "<- write", + "metric": "container_cpu", + "refId": "A", + "step": 10 + }, + { + "expr": 
"- sum (rate (container_fs_reads_bytes_total{namespace=\"$namespace\",pod_name=\"$pod\"}[1m])) by (pod_name)", + "format": "time_series", + "hide": false, + "instant": false, + "interval": "", + "intervalFactor": 1, + "legendFormat": "-> read", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": "", + "timeShift": null, + "title": "Disk IO", + "tooltip": { + "msResolution": true, + "shared": true, + "sort": 2, + "value_type": "cumulative" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [ + "cost", + "utilisation", + "metrics" + ], + "templating": { + "list": [ + { + "current": { + "value": "${VAR_COSTCPU}", + "text": "${VAR_COSTCPU}" + }, + "hide": 0, + "label": "CPU", + "name": "costcpu", + "options": [ + { + "value": "${VAR_COSTCPU}", + "text": "${VAR_COSTCPU}" + } + ], + "query": "${VAR_COSTCPU}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTPCPU}", + "text": "${VAR_COSTPCPU}" + }, + "hide": 0, + "label": "PE CPU", + "name": "costpcpu", + "options": [ + { + "value": "${VAR_COSTPCPU}", + "text": "${VAR_COSTPCPU}" + } + ], + "query": "${VAR_COSTPCPU}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTRAM}", + "text": "${VAR_COSTRAM}" + }, + "hide": 0, + "label": "RAM", + "name": "costram", + "options": [ + { + "value": "${VAR_COSTRAM}", + "text": "${VAR_COSTRAM}" + } + ], + "query": "${VAR_COSTRAM}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTPRAM}", + "text": "${VAR_COSTPRAM}" + }, + "hide": 0, + "label": "PE RAM", + "name": "costpram", + "options": [ + { + 
"value": "${VAR_COSTPRAM}", + "text": "${VAR_COSTPRAM}" + } + ], + "query": "${VAR_COSTPRAM}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTSTORAGESTANDARD}", + "text": "${VAR_COSTSTORAGESTANDARD}" + }, + "hide": 0, + "label": "Storage", + "name": "costStorageStandard", + "options": [ + { + "value": "${VAR_COSTSTORAGESTANDARD}", + "text": "${VAR_COSTSTORAGESTANDARD}" + } + ], + "query": "${VAR_COSTSTORAGESTANDARD}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTSTORAGESSD}", + "text": "${VAR_COSTSTORAGESSD}" + }, + "hide": 0, + "label": "SSD", + "name": "costStorageSSD", + "options": [ + { + "value": "${VAR_COSTSTORAGESSD}", + "text": "${VAR_COSTSTORAGESSD}" + } + ], + "query": "${VAR_COSTSTORAGESSD}", + "type": "constant" + }, + { + "current": { + "value": "${VAR_COSTDISCOUNT}", + "text": "${VAR_COSTDISCOUNT}" + }, + "hide": 0, + "label": "Disc.", + "name": "costDiscount", + "options": [ + { + "value": "${VAR_COSTDISCOUNT}", + "text": "${VAR_COSTDISCOUNT}" + } + ], + "query": "${VAR_COSTDISCOUNT}", + "type": "constant" + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "NS", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(container_memory_working_set_bytes{namespace!=\"\"}) by (namespace))", + "refresh": 1, + "regex": "/namespace=\\\"(.*?)(\\\")/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Pod", + "multi": false, + "name": "pod", + "options": [], + "query": "query_result(sum(container_memory_working_set_bytes{namespace=\"$namespace\"}) by (pod_name))", + "refresh": 1, + "regex": "/pod_name=\\\"(.*?)(\\\")/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, 
+ "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "hidden": false, + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Analysis by Pod", + "uid": "at-cost-analysis-pod", + "version": 4 + } diff --git a/old/kubernetes/helm/prometheus-operator/environments/dev/values.yaml b/old/kubernetes/helm/prometheus-operator/environments/dev/values.yaml new file mode 100644 index 000000000..2229a752b --- /dev/null +++ b/old/kubernetes/helm/prometheus-operator/environments/dev/values.yaml 
@@ -0,0 +1,247 @@
+---
+prometheus-operator:
+
+ ## Deploy a Prometheus instance
+ ##
+ prometheus:
+
+ ingress:
+ enabled: true
+
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: prometheus.internal.dev.managedkube.com
+ kubernetes.io/ingress.class: nginx-internal
+ certmanager.k8s.io/cluster-issuer: prod
+ certmanager.k8s.io/acme-http01-edit-in-place: "true"
+
+ hosts:
+ - prometheus.internal.dev.managedkube.com
+
+ tls:
+ - secretName: grafana-general-tls
+ hosts:
+ - prometheus.internal.dev.managedkube.com
+
+ ## Service type
+ ##
+ # type: LoadBalancer
+
+ ## Settings affecting prometheusSpec
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ ##
+ prometheusSpec:
+
+ ## External URL at which Prometheus will be reachable.
+ ##
+ externalUrl: "https://prometheus.internal.dev.managedkube.com"
+
+ ## Resource limits & requests
+ ##
+ resources:
+ requests:
+ memory: 1000Mi
+
+ ## Prometheus StorageSpec for persistent data
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/user-guides/storage.md
+ ##
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ # storageClassName: gluster
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 50Gi
+ selector: {}
+
+ ## The remote_write spec configuration for Prometheus.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#remotewritespec
+ # remoteWrite:
+ # - url: https://prometheus-us-central1.grafana.net/api/prom/push
+ # basic_auth:
+ # username: 6482
+ # password: xxxx
+
+ ## Configuration for alertmanager
+ ## ref: https://prometheus.io/docs/alerting/alertmanager/
+ ##
+ alertmanager:
+
+ ingress:
+ enabled: true
+
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: alertmanager.internal.dev.managedkube.com
+ kubernetes.io/ingress.class: nginx-internal
+ certmanager.k8s.io/cluster-issuer: prod
+ certmanager.k8s.io/acme-http01-edit-in-place: "true"
+
+ hosts:
+ - alertmanager.internal.dev.managedkube.com
+
+ tls:
+ - secretName: grafana-general-tls
+ hosts:
+ - alertmanager.internal.dev.managedkube.com
+
+ ## Alertmanager configuration directives
+ ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file
+ ## https://prometheus.io/webtools/alerting/routing-tree-editor/
+ ##
+ config:
+ route:
+ receiver: 'slack-tests'
+ routes:
+ - match:
+ alertname: DeadMansSwitch
+ receiver: 'null'
+ # These are causing a lot of false positives right now. Turning off for now.
+ - match_re:
+ alertname: CPUThrottlingHigh
+ receiver: 'null'
+ # Silencing these alarms because it is from the test namespace
+ # - match_re:
+ # # alertname: CPUThrottlingHigh
+ # # container_name: "prometheus-config-reloader|rules-configmap-reloader"
+ # namespace: ibm-system|dev-k8sbot-test-pods
+ # receiver: 'null'
+ # # Couldnt find the config to make this configurable, so just turning it off for now
+ # # https://github.com/coreos/prometheus-operator/issues/2171#issuecomment-465525316
+ # - match_re:
+ # alertname: CPUThrottlingHigh
+ # container_name: "prometheus-config-reloader|config-reloader|rules-configmap-reloader|metrics-server-nanny|metrics-server|heapster-nanny|heapster|default-http-backend"
+ # receiver: 'null'
+ # # GKE does not have the kube-* pods running in the kube-system namespace. Silencing them.
+ # - match_re:
+ # # alertname: CPUThrottlingHigh
+ # # container_name: "prometheus-config-reloader|rules-configmap-reloader"
+ # alertname: KubeControllerManagerDown|KubeSchedulerDown
+ # receiver: 'null'
+ # # Silencing CPU/memory over commit since it is a little chatty and we are over commiting
+ # - match_re:
+ # alertname: KubeCPUOvercommit|KubeMemOvercommit
+ # receiver: 'null'
+ - match_re:
+ severity: critical|page|alert
+ receiver: slack-critical
+ continue: true
+ - match:
+ severity: warning
+ receiver: slack-warning
+ continue: true
+ - match_re:
+ severity: critical|page|alert
+ receiver: pagerduty-critical
+ continue: true
+
+ receivers:
+ - name: 'null'
+
+ - name: 'slack-tests'
+ slack_configs:
+ - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+ channel: kube-alerts
+ send_resolved: true
+ text: |-
+ {{ range .Alerts }}
+ Annotations:
+ {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+ {{ end }}
+ Details:
+ {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+ {{ end }}
+ {{ end }}
+ title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+ title_link: https://alertmanager.internal.dev.managedkube.com
+ username: slack-test-dev-us
+
+ - name: slack-critical
+ slack_configs:
+ - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+ channel: kube-alerts
+ send_resolved: true
+ text: |-
+ {{ range .Alerts }}
+ Annotations:
+ {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+ {{ end }}
+ Details:
+ {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+ {{ end }}
+ {{ end }}
+ title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+ title_link: https://alertmanager.internal.dev.managedkube.com
+ username: slack-critical-dev-us
+
+ - name: 'slack-warning'
+ slack_configs:
+ - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+ channel: kube-alerts
+ send_resolved: true
+ text: |-
+ {{ range .Alerts }}
+ Annotations:
+ {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+ {{ end }}
+ Details:
+ {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+ {{ end }}
+ {{ end }}
+ title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+ title_link: https://alertmanager.internal.dev.managedkube.com
+ username: slack-warning-dev-us
+
+ - name: 'pagerduty-critical'
+ pagerduty_configs:
+ - service_key: xxxxx
+
+ ## Configuration for Alertmanager service
+ ##
+ # service:
+ # annotations:
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-1:xxxx:certificate/7385702b-7ef5-4233-b5c4-ab48a88eef58
+ # service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
+ # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0"
+ # external-dns.alpha.kubernetes.io/hostname: "alertmanager.example.com"
+
+ ## Service type
+ ##
+ # type: LoadBalancer
+
+ alertmanagerSpec:
+ # externalUrl: https://example.com:9093
+ logLevel: debug
+
+ grafana:
+ ingress:
+ enabled: true
+
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: grafana.internal.dev.managedkube.com
+ kubernetes.io/ingress.class: nginx-internal
+ certmanager.k8s.io/cluster-issuer: prod
+ certmanager.k8s.io/acme-http01-edit-in-place: "true"
+
+ hosts:
+ - grafana.internal.dev.managedkube.com
+
+ tls:
+ - secretName: grafana-general-tls
+ hosts:
+ - grafana.internal.dev.managedkube.com
+
+ ## Configure additional grafana datasources
+ ## ref: http://docs.grafana.org/administration/provisioning/#datasources
+ # additionalDataSources:
+ # - name: prometheus-sample
+ # access: proxy
+ # basicAuth: true
+ # basicAuthPassword: pass
+ # basicAuthUser: daco
+ # editable: false
+ # jsonData:
+ # tlsSkipVerify: true
+ # orgId: 1
+ # type: prometheus
+ # url: https://prometheus.svc:9090
+ # version: 1
diff --git a/old/kubernetes/helm/prometheus-operator/requirements.lock b/old/kubernetes/helm/prometheus-operator/requirements.lock
new file mode 100644
index 000000000..173bb795f
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/requirements.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: prometheus-operator
+ repository: https://kubernetes-charts.storage.googleapis.com/
+ version: 8.11.1
+digest: sha256:95e28ca145d943625b90e9045f9b6106fe873ee2a28828bb59909f4bd26f710e
+generated: "2020-03-09T07:08:15.992630096-07:00"
diff --git a/old/kubernetes/helm/prometheus-operator/values.yaml b/old/kubernetes/helm/prometheus-operator/values.yaml
new file mode 100644
index 000000000..8d8a509f4
--- /dev/null
+++ b/old/kubernetes/helm/prometheus-operator/values.yaml
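Review bot: The prometheus, alertmanager and grafana ingresses all set `tls: - secretName: grafana-general-tls` while each requests its own ACME certificate via `certmanager.k8s.io/acme-http01-edit-in-place: "true"`, so cert-manager will likely issue three Certificates that overwrite one Secret; give each ingress its own secret, e.g. `- secretName: prometheus-general-tls` under the prometheus ingress and `- secretName: alertmanager-general-tls` under alertmanager. Neither Prometheus nor Alertmanager authenticates requests on its own and none of these ingresses carries an auth annotation, so reachability of the `nginx-internal` class is the only control over the query, silence and reload endpoints; put an auth layer in front (ingress-nginx auth annotations or an OIDC proxy) or add a comment stating how that class is network-restricted. The receiver placeholders `api_url: https://hooks.slack.com/services/xxx/xxx/xxx` and `service_key: xxxxx` invite real webhook URLs and PagerDuty keys to be committed into this values file; keep the Alertmanager `config` with its receivers in a Secret managed the way the sealed-secrets README added by this commit describes, and leave only the non-sensitive routing here. `logLevel: debug` on alertmanagerSpec is also very verbose and may write alert label and annotation content to the logs, so it should be reverted to the default before this file is copied to other environments.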
@@ -0,0 +1,97 @@
+
+prometheus-operator:
+
+ ## Create default rules for monitoring the cluster
+ ##
+ defaultRules:
+ create: true
+ rules:
+ alertmanager: true
+ etcd: false
+ general: true
+ k8s: true
+ kubeApiserver: true
+ kubePrometheusNodeAlerting: true
+ kubePrometheusNodeRecording: true
+ kubeScheduler: true
+ kubernetesAbsent: true
+ kubernetesApps: true
+ kubernetesResources: true
+ kubernetesStorage: true
+ kubernetesSystem: true
+ node: true
+ prometheusOperator: true
+ prometheus: true
+
+ ## Deploy a Prometheus instance
+ ##
+ prometheus:
+
+ ## Settings affecting prometheusSpec
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ ##
+ prometheusSpec:
+
+ retention: "14d"
+
+ ## If true, a nil or {} value for prometheus.prometheusSpec.serviceMonitorSelector will cause the
+ ## prometheus resource to be created with selectors based on values in the helm deployment,
+ ## which will also match the servicemonitors created
+ ##
+ # serviceMonitorSelectorNilUsesHelmValues: false
+
+ ## serviceMonitorSelector will limit which servicemonitors are used to create scrape
+ ## configs in Prometheus. See serviceMonitorSelectorUseHelmLabels
+ ##
+ # serviceMonitorSelector: {}
+
+ # serviceMonitorSelector:
+ # matchLabels:
+ # prometheus-monitoring-scrape: "true"
+ # matchExpressions:
+ # - key: prometheus-scrape
+ # operator: Exists
+
+ ## serviceMonitorNamespaceSelector will limit namespaces from which serviceMonitors are used to create scrape
+ ## configs in Prometheus. By default all namespaces will be used
+ ##
+ # serviceMonitorNamespaceSelector:
+ # any: true
+ # matchLabels:
+ # prometheus: doScrape
+
+ ## Resource limits & requests
+ ##
+ resources: {}
+ # requests:
+ # memory: 400Mi
+
+ ## Prometheus StorageSpec for persistent data
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/user-guides/storage.md
+ ##
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ # storageClassName: gluster
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 10Gi
+ # selector: {}
+
+
+ ## Using default values from https://github.com/helm/charts/blob/master/stable/grafana/values.yaml
+ ##
+ grafana:
+ enabled: true
+
+ adminPassword: grafana1234
+
+ grafana.ini:
+ auth.anonymous:
+ enabled: true
+
+ ## Component scraping etcd
+ ##
+ kubeEtcd:
+ enabled: false
diff --git a/old/kubernetes/helm/sealed-secrets/README.md b/old/kubernetes/helm/sealed-secrets/README.md
new file mode 100644
index 000000000..292bca1d4
--- /dev/null
+++ b/old/kubernetes/helm/sealed-secrets/README.md
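Review bot: `adminPassword: grafana1234` commits a static Grafana admin credential to git, and the `auth.anonymous: enabled: true` two lines below it lets anyone who can reach the Grafana service read every dashboard (and whatever the datasource proxies expose) without logging in. The stable/grafana chart this file cites supports `admin: existingSecret: <secret-name>` (with `userKey`/`passwordKey`), so the password can live in a Kubernetes Secret — for instance one sealed with the kubeseal flow this same commit documents — instead of in the values file, and the value already pushed should be rotated since it is now in history. Unless anonymous read access is deliberate, drop the `auth.anonymous` block, or at least confirm the anonymous `org_role` stays at Grafana's Viewer default.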
@@ -0,0 +1,45 @@ +sealed-secrets +=============== + +Source: https://github.com/bitnami-labs/sealed-secrets + +# Getting the pub key + +``` +kubeseal --fetch-cert \ +--controller-namespace=sealed-secrets \ +--controller-name=sealed-secrets \ +> pub-cert.pem +``` +Doesnt seem to work on a GKE cluster + + +# Creating a secret + +``` +# Secret source information +NAMESPACE=external-dns +SECRET_NAME=gcp-credentials-json +FILE_PATH=/media/veracrypt1/managedkube/sa-managedkube-admin.json + +# kubeseal info +PUB_CERT=./kubernetes/helm/sealed-secrets/environments/gcp-dev/pub-cert.pem +KUBESEAL_SECRET_OUTPUT_FILE=${SECRET_NAME}.yaml + +kubectl -n ${NAMESPACE} create secret generic ${SECRET_NAME} \ +--from-file=${FILE_PATH} \ +--dry-run \ +-o json > ${SECRET_NAME}.json + +kubeseal --format=yaml --cert=${PUB_CERT} < ${SECRET_NAME}.json > ${KUBESEAL_SECRET_OUTPUT_FILE} +``` + +# Backup and restore of the private key + +https://github.com/bitnami-labs/sealed-secrets#how-can-i-do-a-backup-of-my-sealedsecrets + +``` +kubectl get secret -n sealed-secrets -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml >master.key +``` + +This key file should be kept in a safe place diff --git a/old/kubernetes/helm/sealed-secrets/environments/gcp-dev/pub-cert.pem b/old/kubernetes/helm/sealed-secrets/environments/gcp-dev/pub-cert.pem new file mode 100644 index 000000000..5e7fc6535 --- /dev/null +++ b/old/kubernetes/helm/sealed-secrets/environments/gcp-dev/pub-cert.pem 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIErTCCApWgAwIBAgIQCUoqnIQCKzcXhOhJLxKMQDANBgkqhkiG9w0BAQsFADAA +MB4XDTIwMDMxMTA0MjEzNVoXDTMwMDMwOTA0MjEzNVowADCCAiIwDQYJKoZIhvcN +AQEBBQADggIPADCCAgoCggIBAMBvPiCuP4UaM2a10peIQtfYUPSXItAvkRJ/xC/x +x8OmR6uLoyBwUeM4gpYN1Y903eTI71+k7vPoh3YiBw6rbhxXgKc/r0vrCp7wXIKF +Hbx8+ipk4jJEczoijUhuG4qH12mdk+RUfUXwWsiwLKJhC1osg+xQV27RdSW5sU0u +oMOLB69/wdTo+zGAe1FDy4OfUzOCxt8pRIxnhwAO8LxbyCTeG5XPiXlwu6c8AW41 +6P09gxgd33ZEALiJRA5UXnZOXkjCT3EavONG/KNiwU67+nLlAAKX+ZmFhEOLNw1G +nLIUiRlAS2HVfXAVh50n7gVg3L0OIEI3Ve+Oc24eDC96RDGll2ziXu4usBJYAIRa +yoZMc96/TDr8PnB4ZCC6X9yOWIp0jWj+y2RzB1KuoVeKOKzGCgozdJ/FTyMYQslV +BopuRrtHWs1XR4K8DwjGOrlNkjnFoKbD2sIzFlLd1sBhhhUEJfdWzzcRW+5ZgSiF +UOhrB6lNrnOsBI2u88+fy2CnrrDDq5jkHfchyjDdh514I1HnZL0Yju08mYnuyodt +uqefY4WvsqD3weOwnZwck8NbD7uUfDZnS2X6PRugh5B+mB1dnGEUOQkGRTUg6gLm +urBhSnzuegtmUTYMv6gptWiuZkk9QWYDoLfmFRshBif5lXyPtrniqMe+Nsxo1n1J +2g9vAgMBAAGjIzAhMA4GA1UdDwEB/wQEAwIAATAPBgNVHRMBAf8EBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4ICAQBEPeuIBRaQ0Qmj2yqxd/7b6kgv9lg7o0Et7bZIXRtF +fN6V4scTW5c1MkdQl2Tik2aNz1QlRJO7FKvOPFN2TnId+ogoV4fCVpXidV2Jn4La +BQkLfooyo1KTzMPeCL+KolSmUgTrNZNtm/OpKGC49jv37gHzqPmGs3V4z84s/3pq +qrDqwwgV5bsfc3z2exBz6Vb2mnml3WzUP3bRMu4AwRj4N/aVchk2GYh5EGVIJ1sO +io3WiqdIqGGKME5uQ/hNFnZBSOsCP1XQuNnSx8BHM2W3D+uYGr0b2KBqPb33a9W+ +kOjzCdRCx7lOiNp2coYs5SGp5+Bll+YJp4VNLwWHkRtdenxph+IoQI6/o51K5t8v ++yT7PfZ6IDR72lAvbpClWElMlsLY2RQ75/kUD7y4zYG7xbljp/23LIniq60Prm9Z +4aBtRkM2ASi82aYtI1CHFR8RnWXz7nferYrqGkVBiInPD+iZEU45Qn40Pr6cRN9/ +zOtCzdjm319Owq1V5RDxliiAyeuvPzCl5ZvfKZJUKDPvkoyRvIevket8YisZCgYI +JHEj+1nXEWeW9XAnRVngy/pb0KCh+vZ+Ir5DYlKp2p4DA7S0IhzQTbpv8ZPcAM38 +EpAMRcCKD8DC1iwFLnKBncJz+hfPKoz6NP8+mBDXzEx6s6xiuwBKRMulRqOrnIKo +SA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/ops/vpc.sh b/old/ops/vpc.sh similarity index 86% rename from ops/vpc.sh rename to old/ops/vpc.sh index 004b2ecce..f6c074486 100755 --- a/ops/vpc.sh +++ b/old/ops/vpc.sh 
@@ -8,8 +8,8 @@ TIME_NOW=$(date +"%x %r %Z") -TERRAFORM_VERSION="v0.11." -TERRAGRUNT_VERSION="v0.18." +TERRAFORM_VERSION="v0.12." +TERRAGRUNT_VERSION="v0.21." ########################################## ##### Functions @@ -49,19 +49,19 @@ check_terragrunt_version() create() { # Checks - if [ ! -f ../tf-environments/$vpc_name/_env_defaults/main.tf ]; then - echo "File does not exist: ../tf-environments/$vpc_name/_env_defaults/main.tf" + if [ ! -f ../tf-environments/${cloud}/${vpc_name}/_env_defaults/main.tf ]; then + echo "File does not exist: ../tf-environments/${cloud}/${vpc_name}/_env_defaults/main.tf " exit 1 fi - if [ ! -f ../tf-environments/$vpc_name/${cloud}/vpc/main.tf ]; then - echo "File does not exist: ../tf-environments/$vpc_name/${cloud}/vpc/main.tf" + if [ ! -f ../tf-environments/${cloud}/${vpc_name}/vpc/terragrunt.hcl ]; then + echo "File does not exist: ../tf-environments/${cloud}/${vpc_name}/vpc/terragrunt.hcl" exit 1 fi echo "[INFO] Adding new VPC named: $vpc_name" - cd ../tf-environments/$vpc_name/${cloud}/vpc + cd ../tf-environments/${cloud}/${vpc_name}/vpc/ terragrunt init terragrunt plan @@ -89,7 +89,7 @@ delete() { echo "[INFO] Deleting vpc named: ${vpc_name}" - cd ../tf-environments/$vpc_name/${cloud}/vpc + cd ../tf-environments/${cloud}/${vpc_name}/vpc if [ "${dry_run}" == "false" ]; then echo "[INFO] Not a dry run" diff --git a/old/tf-environments/README.md b/old/tf-environments/README.md new file mode 100644 index 000000000..cf4bcdd5b --- /dev/null +++ b/old/tf-environments/README.md 
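Review bot: In the create hunk, `cd ../tf-environments/${cloud}/${vpc_name}/vpc/` is unguarded, so if the chdir fails the `terragrunt init` and `terragrunt plan` that follow run in whatever directory the script was started from; the preceding `-f` test only proves `terragrunt.hcl` exists, not that the directory can be entered. Make the cd fatal and quote the expansion: `cd "../tf-environments/${cloud}/${vpc_name}/vpc/" || exit 1`. The new error message for the first check also carries a stray trailing space inside the quotes (`main.tf "`).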
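Review bot: In the delete hunk, the unguarded `cd ../tf-environments/${cloud}/${vpc_name}/vpc` sits directly before the non-dry-run branch, so a failed chdir (a typo in `${vpc_name}`, an unset `${cloud}`) leaves the script in its starting directory for whatever that branch does; the rest of delete() is outside this hunk, but if it runs a destroy there, the wrong working directory is the worst possible failure mode. Guard it as `cd "../tf-environments/${cloud}/${vpc_name}/vpc" || exit 1`, and consider mirroring create()'s `-f .../terragrunt.hcl` existence check here before anything destructive happens.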
@@ -0,0 +1,25 @@ +Folder Layout +============== + +The folders are split into clouds. There is a folder for `aws` and another folder for `gcp`. The main reason for this is that the state store configurations are a little different for each of these clouds. To keep everything "DRY" it is easier to split them up by clouds instead of by the environment it is. + +# AWS + +In the `aws` folder there is a `terragrunt.hcl` file the puts the state store into: + +``` +bucket = "kubernetes-ops-tf-state-${get_aws_account_id()}-terraform-state" +``` + +S3 buckets has to be globally unique accross all of their customers. The `terragrunt.hcl` file is set to get the current AWS account number and put it in the bucket name making it unique. For most cases this should work well. + +Usually you would use new account for dev, qa, and prod. This means launching those environments, it would put the state store in the correct account's S3 bucket with the accounts ID in the bucket name. + +# GCP +In the `gcp` folder there is a `terragrunt.hcl` file that puts the state store into: + +``` +bucket = "kubernetes-ops-terraform-state-${get_env("STATE_STORE_UNIQUE_KEY", "default-value-1234")}" +``` + +Terragrunt does not provide us with a handy function to get the account or project id. We have to set that as a unique key. A good key to use would be the project name or the ID. You have to export the variable to your environment: `STATE_STORE_UNIQUE_KEY` diff --git a/old/tf-environments/aws/dev/_env_defaults/aws.tfvars b/old/tf-environments/aws/dev/_env_defaults/aws.tfvars new file mode 100644 index 000000000..f626632b4 --- /dev/null +++ b/old/tf-environments/aws/dev/_env_defaults/aws.tfvars @@ -0,0 +1,6 @@ +environment_name = "dev" +region = "us-east-1" +vpc_cidr = "10.10.0.0/16" +aws_availability_zone_1 = "a" +aws_availability_zone_2 = "b" +aws_availability_zone_3 = "c" 
diff --git a/tf-environments/dev/_env_defaults/main.tf b/old/tf-environments/aws/dev/_env_defaults/main.tf similarity index 100% rename from tf-environments/dev/_env_defaults/main.tf rename to old/tf-environments/aws/dev/_env_defaults/main.tf diff --git a/old/tf-environments/aws/dev/rds/terragrunt.hcl b/old/tf-environments/aws/dev/rds/terragrunt.hcl new file mode 100644 index 000000000..8887a8151 --- /dev/null +++ b/old/tf-environments/aws/dev/rds/terragrunt.hcl @@ -0,0 +1,37 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../tf-modules/aws/rds/" +} + +dependency "vpc" { + config_path = "../vpc" +} + +inputs = { + name = "rds-dev" + identifier = "rds-dev" + group = "foo" + application = "bar" + + vpc_id = dependency.vpc.outputs.aws_vpc_id + + subnet_1_cidr = "10.10.100.0/28" + subnet_2_cidr = "10.10.100.16/28" + ingress_cidr_blocks = ["10.10.0.0/16"] + + az_1 = "us-east-1a" + az_2 = "us-east-1b" + + instance_class = "db.t3.medium" + + username = "foo" + password = "barbarbar" + + replicate_source_db = "" + kms_key_id = "" + multi_az = true + +} diff --git a/old/tf-environments/aws/dev/ssm/documents/sessions/user-no-sudo/terragrunt.hcl b/old/tf-environments/aws/dev/ssm/documents/sessions/user-no-sudo/terragrunt.hcl new file mode 100644 index 000000000..3143d24f5 --- /dev/null +++ b/old/tf-environments/aws/dev/ssm/documents/sessions/user-no-sudo/terragrunt.hcl @@ -0,0 +1,42 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "git::ssh://git@github.q-internal.tech/qadium/terraform-modules.git//aws/ssm/documents/sessions?ref=v1.14.12" + +} + +inputs = { + + document_name = "SSM-no-sudo" + + document_content = </cidr-ranges.md + subnets_cidr = ["172.17.104.16/28", "172.17.104.32/28", "172.17.104.48/28"] +} + +dependencies { + paths = ["../../transit-gateway", "../../vpc/dev-us"] +} 
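Review bot: `password = "barbarbar"` (alongside `username = "foo"`) hard-codes the RDS master credential in a file committed to git, which also means it is replayed into every plan and written in clear into the remote state. Source it from the environment instead, e.g. `password = get_env("RDS_DEV_PASSWORD", "")` — the two-argument `get_env` form is already used by the README in this commit — keep the real value in a secret store, and rotate this one if it was ever applied. `kms_key_id = ""` deserves a comment on whether the module then creates an unencrypted instance or falls back to the AWS-managed key; I cannot tell from the module interface shown here. The remaining hunks on this line (the SSM session document and a dev-us attachment) are truncated in this view and are not reviewed.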
diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..6b47b0652 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl @@ -0,0 +1,47 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/tg-internal-attach-to-vpc/" + + extra_arguments "common_vars" { + commands = get_terraform_commands_that_need_vars() + + arguments = [ + "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + ] + } +} + +inputs = { + + aws_region = "us-east-1" + + name-postfix = "production-test-vpc" + + tags = { + Environment = "production-test-vpc", + Account = "infrastructure", + Group = "devops", + Region = "us-east-1" + managed_by = "Terraform" + purpose = "transit-gateway" + terraform_module = "tg-internal-attach-to-vpc" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + } + + transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway")) + transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway")) + + vpc_id_first = trimspace(run_cmd("terragrunt", "output", "aws_vpc_id", "--terragrunt-working-dir", "../../vpc/production-test-vpc")) + + availability_zone = ["us-east-1a", "us-east-1b", "us-east-1c"] + subnets_cidr = ["10.35.20.0/24", "10.35.21.0/24", "10.35.22.0/24"] +} + +dependencies { + paths = ["../../transit-gateway", "../../vpc/production-test-vpc"] +} 
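Review bot: The three `trimspace(run_cmd("terragrunt", "output", …))` inputs shell out to a nested terragrunt at config-parse time on every command (including `plan`, `validate` and `output` itself) and fail opaquely on a fresh checkout where the upstream stack has not been initialised; the separate `dependencies { paths = [...] }` block then repeats the same two paths by hand. The `rds/terragrunt.hcl` added in this same commit already uses the v0.21 `dependency` block and reads `dependency.vpc.outputs.aws_vpc_id`, which gives ordering, one source of truth for the path and a readable error when an output is missing; this file (and its us-east-2 and us-west-2 copies in this commit) should do the same and drop the `dependencies` block. Sketch of the change:
```hcl
dependency "tgw" {
  config_path = "../../transit-gateway"
}

dependency "vpc" {
  config_path = "../../vpc/production-test-vpc"
}

inputs = {
  # … unchanged: aws_region, name-postfix, tags …

  transit-gateway-arn = dependency.tgw.outputs.aws_ec2_transit_gateway_arn
  transit-gateway-id  = dependency.tgw.outputs.aws_ec2_transit_gateway_id
  vpc_id_first        = dependency.vpc.outputs.aws_vpc_id

  # … unchanged: availability_zone, subnets_cidr …
}
```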
diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-east-2/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-east-2/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..043241589 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-east-2/production-test-vpc/terragrunt.hcl @@ -0,0 +1,36 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-east-1" + + destination_cidr_block_list = ["10.36.0.0/16"] + + blackhole_list = ["false"] + + # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet. + transit_gateway_attachment_id = "tgw-attach-07ff6a0a0ca3ced71" + + transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../../transit-gateway")) + +} + +dependencies { + paths = ["../../../transit-gateway"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-west-2/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-west-2/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..0cb6d7844 --- /dev/null 
+++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway-route-table/us-west-2/production-test-vpc/terragrunt.hcl @@ -0,0 +1,36 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-east-1" + + destination_cidr_block_list = ["10.37.0.0/16"] + + blackhole_list = ["false"] + + # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet. + transit_gateway_attachment_id = "tgw-attach-07ed65746271a3316" + + transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../../transit-gateway")) + +} + +dependencies { + paths = ["../../../transit-gateway"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway/terragrunt.hcl new file mode 100644 index 000000000..71b09b636 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/transit-gateway/terragrunt.hcl 
@@ -0,0 +1,38 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../tf-modules/aws/networks/transit-gateway/" + + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-east-1" + + amazon_side_asn = "64601" + + tags = { + Name = "tg-production", + Environment = "tg-production", + Account = "infrastructure", + Group = "devops", + Region = "us-east-1" + managed_by = "Terraform" + purpose = "transit-gateway" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + } +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/vpc/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/vpc/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..174711c09 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-1/vpc/production-test-vpc/terragrunt.hcl 
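Review bot: `last_callers_identity = get_aws_caller_identity_arn()` and `last_callers_user_id = get_aws_caller_identity_user_id()` inside `tags` make the planned tag values depend on whoever runs terragrunt, so every run by a different principal — including a different assumed-role session, since the STS ARN carries the session name — yields a non-empty plan and a tag write on apply. That defeats a "no changes" drift check and means a read-only `plan` by one engineer shows diffs caused by nothing in the repo. CloudTrail already records who applied; if a human-readable marker is wanted, set it from a stable value, or have the module ignore changes on those two keys, rather than deriving it from the caller. The same pair appears in every tagged resource in this commit.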
@@ -0,0 +1,39 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/vpc/" + + extra_arguments "common_vars" { + commands = get_terraform_commands_that_need_vars() + + arguments = [ + "-var-file=${get_parent_terragrunt_dir()}/us-east-1/_env_defaults/aws.tfvars", + ] + } +} + +inputs = { + + region = "us-east-1" + availability_zones = ["us-east-1a"] + + public_cidrs = ["10.35.10.0/24"] + + private_cidrs = ["10.35.11.0/24"] + + tags = { + Name = "production-test-vpc", + Environment = "production-test-vpc", + Account = "infrastructure", + Group = "devops", + Region = "us-east-1" + managed_by = "Terraform" + terraform_module = "vpc" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + } + +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/_env_defaults/aws.tfvars b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/_env_defaults/aws.tfvars new file mode 100644 index 000000000..30f0e59c7 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/_env_defaults/aws.tfvars @@ -0,0 +1,3 @@ +environment_name = "production-test-vpc" +region = "us-east-2" +vpc_cidr = "10.36.0.0/16" diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/add-tg-routes/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/add-tg-routes/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..289b12e28 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/add-tg-routes/production-test-vpc/terragrunt.hcl 
@@ -0,0 +1,34 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/add-tg-routes/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-east-2" + + transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway")) + + # Routing table associated with the VPC subnets + route_table_id_list = ["rtb-04b71b62aa6fb03d6", "rtb-0707cf615945ad25d"] + + # External destination routes list CIDR + routes-list = ["10.35.0.0/16", "10.37.0.0/16", "10.38.0.0/16"] +} + +dependencies { + paths = ["../../transit-gateway"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..48d33d805 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl 
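Review bot: `route_table_id_list = ["rtb-04b71b62aa6fb03d6", "rtb-0707cf615945ad25d"]` hard-codes the VPC's route tables while `transit-gateway-id` on the line above is already resolved from the transit-gateway stack; if `../../vpc/production-test-vpc` is ever recreated these IDs go stale and the apply either fails or silently targets nothing. Read them from the vpc module's outputs the same way — `route_table_id_list = [dependency.vpc.outputs.<route-table output>, …]` behind a `dependency "vpc"` block — and add that path to `dependencies`, which today lists only the transit gateway, so this stack is not ordered after the VPC. `routes-list` also advertises `10.38.0.0/16`, for which no VPC or tfvars appears anywhere in this diff; a comment naming what lives there would help the next reader.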
@@ -0,0 +1,47 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/tg-internal-attach-to-vpc/" + + extra_arguments "common_vars" { + commands = get_terraform_commands_that_need_vars() + + arguments = [ + "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + ] + } +} + +inputs = { + + aws_region = "us-east-2" + + name-postfix = "production-test-vpc" + + tags = { + Environment = "production-test-vpc", + Account = "infrastructure", + Group = "devops", + Region = "us-east-2" + managed_by = "Terraform" + purpose = "transit-gateway" + terraform_module = "tg-internal-attach-to-vpc" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + } + + transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway")) + transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway")) + + vpc_id_first = trimspace(run_cmd("terragrunt", "output", "aws_vpc_id", "--terragrunt-working-dir", "../../vpc/production-test-vpc")) + + availability_zone = ["us-east-2a", "us-east-2b", "us-east-2c"] + subnets_cidr = ["10.36.20.0/24", "10.36.21.0/24", "10.36.22.0/24"] +} + +dependencies { + paths = ["../../transit-gateway", "../../vpc/production-test-vpc"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/transit-gateway-route-table/us-east-1/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/transit-gateway-route-table/us-east-1/terragrunt.hcl new file mode 100644 index 000000000..a26369bbd --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/transit-gateway-route-table/us-east-1/terragrunt.hcl 
@@ -0,0 +1,36 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-east-2" + + destination_cidr_block_list = ["10.35.0.0/16", "10.37.0.0/16", "10.38.0.0/16"] + + blackhole_list = ["false", "false", "false"] + + # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet. + transit_gateway_attachment_id = "tgw-attach-07ff6a0a0ca3ced71" + + transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../transit-gateway")) + +} + +dependencies { + paths = ["../../transit-gateway"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/transit-gateway/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/transit-gateway/terragrunt.hcl new file mode 100644 index 000000000..1765c6163 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/transit-gateway/terragrunt.hcl 
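Review bot: `destination_cidr_block_list` sends `10.37.0.0/16` (the us-west-2 VPC per the `us-west-2/_env_defaults/aws.tfvars` in this commit) and `10.38.0.0/16` over `tgw-attach-07ff6a0a0ca3ced71`, which the directory name and the matching us-east-1 config mark as the peering to the us-east-1 transit gateway. For that to work the us-east-1 gateway has to forward packets that arrived on one peering attachment out another, and my understanding of AWS's transit-gateway peering limitations is that traffic is not routed between two peering attachments — verify against the current docs before relying on it; if hub-through-us-east-1 is not supported, a direct us-east-2↔us-west-2 peering with its own attachment and route is the supported shape. The hard-coded `transit_gateway_attachment_id` also deserves a comment naming the console or CLI query it came from, since it is the one value here nobody can regenerate from code.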
@@ -0,0 +1,37 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../tf-modules/aws/networks/transit-gateway/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-east-2" + + amazon_side_asn = "64602" + + tags = { + Name = "tg-production", + Environment = "tg-production", + Account = "infrastructure", + Group = "devops", + Region = "us-east-2" + managed_by = "Terraform" + purpose = "transit-gateway" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + } +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/vpc/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/vpc/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..09356953e --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-east-2/vpc/production-test-vpc/terragrunt.hcl 
@@ -0,0 +1,40 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/vpc/" + + extra_arguments "common_vars" { + commands = get_terraform_commands_that_need_vars() + + arguments = [ + "-var-file=${get_parent_terragrunt_dir()}/us-east-2/_env_defaults/aws.tfvars", + ] + } +} + +inputs = { + + region = "us-east-2" + availability_zones = ["us-east-2a"] + + public_cidrs = ["10.36.10.0/24"] + + private_cidrs = ["10.36.11.0/24"] + + tags = { + Name = "production-test-vpc", + Environment = "production-test-vpc", + Account = "infrastructure", + Group = "devops", + Region = "us-east-2" + managed_by = "Terraform" + terraform_module = "vpc" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + + } + +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/_env_defaults/aws.tfvars b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/_env_defaults/aws.tfvars new file mode 100644 index 000000000..93e8e5514 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/_env_defaults/aws.tfvars @@ -0,0 +1,3 @@ +environment_name = "production-test-vpc" +region = "us-west-2" +vpc_cidr = "10.37.0.0/16" diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/add-tg-routes/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/add-tg-routes/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..295aa2bd1 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/add-tg-routes/production-test-vpc/terragrunt.hcl 
@@ -0,0 +1,35 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/add-tg-routes/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-west-2" + + transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway")) + + # Routing table associated with the VPC subnets + route_table_id_list = ["rtb-09efef60458f61005", "rtb-0ab2a8c517e45a5e4"] + + # External destination routes list CIDR + routes-list = ["10.35.0.0/16", "10.36.0.0/16", "10.38.0.0/16", "172.17.0.0/16"] + +} + +dependencies { + paths = ["../../transit-gateway"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl new file mode 100644 index 000000000..89b7c2144 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/tg-internal-attach-vpc/production-test-vpc/terragrunt.hcl 
@@ -0,0 +1,47 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/tg-internal-attach-to-vpc/" + + extra_arguments "common_vars" { + commands = get_terraform_commands_that_need_vars() + + arguments = [ + "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + ] + } +} + +inputs = { + + aws_region = "us-west-2" + + name-postfix = "production-test-vpc" + + tags = { + Environment = "production-test-vpc", + Account = "infrastructure", + Group = "devops", + Region = "us-west-2" + managed_by = "Terraform" + purpose = "transit-gateway" + terraform_module = "tg-internal-attach-to-vpc" + terragrunt_dir = get_terragrunt_dir() + last_callers_identity = get_aws_caller_identity_arn() + last_callers_user_id = get_aws_caller_identity_user_id() + } + + transit-gateway-arn = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_arn", "--terragrunt-working-dir", "../../transit-gateway")) + transit-gateway-id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_id", "--terragrunt-working-dir", "../../transit-gateway")) + + vpc_id_first = trimspace(run_cmd("terragrunt", "output", "aws_vpc_id", "--terragrunt-working-dir", "../../vpc/production-test-vpc")) + + availability_zone = ["us-west-2a", "us-west-2b", "us-west-2c"] + subnets_cidr = ["10.37.20.0/24", "10.37.21.0/24", "10.37.22.0/24"] +} + +dependencies { + paths = ["../../transit-gateway", "../../vpc/production-test-vpc"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/transit-gateway-route-table/us-east-1/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/transit-gateway-route-table/us-east-1/terragrunt.hcl new file mode 100644 index 000000000..42cc4297a --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/transit-gateway-route-table/us-east-1/terragrunt.hcl 
@@ -0,0 +1,36 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "../../../../../../../../tf-modules/aws/networks/transit-gateway-route-table/" + + # This module uses AWS keys from the local shell's environment + + # extra_arguments "common_vars" { + # commands = get_terraform_commands_that_need_vars() + + # arguments = [ + # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars", + # ] + # } +} + +inputs = { + + aws_region = "us-west-2" + + destination_cidr_block_list = ["10.35.0.0/16", "10.36.0.0/16", "10.38.0.0/16", "172.17.0.0/16"] + + blackhole_list = ["false", "false", "false", "false"] + + # This is hardcoded right now b/c the transit-gateway to transit-gateway peering has to be done manually. Terraform has a PR open for this functionality but it has not landed yet. + transit_gateway_attachment_id = "tgw-attach-07ed65746271a3316" + + transit_gateway_route_table_id = trimspace(run_cmd("terragrunt", "output", "aws_ec2_transit_gateway_propagation_default_route_table_id", "--terragrunt-working-dir", "../../transit-gateway")) + +} + +dependencies { + paths = ["../../transit-gateway"] +} diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/transit-gateway/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/transit-gateway/terragrunt.hcl new file mode 100644 index 000000000..2c0725c61 --- /dev/null +++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/transit-gateway/terragrunt.hcl 
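Review bot: `172.17.0.0/16` in `destination_cidr_block_list` (and in the sibling `add-tg-routes` list for us-west-2) is the subnet Docker assigns to its default `docker0` bridge, so any instance or Kubernetes node in these VPCs running Docker with default settings holds a connected route for the same prefix and will send traffic for that network to the bridge instead of the transit gateway. If `172.17.0.0/16` really is the `dev-us` network (a `172.17.104.x` attachment appears, truncated, earlier in this diff), either document that hosts must set a different `bip`/`default-address-pool` or renumber the dev network. As with the us-east-2 table, routing `10.36.0.0/16` and `10.38.0.0/16` through the us-east-1 peering assumes the hub gateway forwards between peering attachments, which I believe AWS does not support for TGW peering — verify.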
@@ -0,0 +1,37 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/aws/networks/transit-gateway/"
+
+ # This module uses AWS keys from the local shell's environment
+
+ # extra_arguments "common_vars" {
+ # commands = get_terraform_commands_that_need_vars()
+
+ # arguments = [
+ # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars",
+ # ]
+ # }
+}
+
+inputs = {
+
+ aws_region = "us-west-2"
+
+ amazon_side_asn = "64603"
+
+ tags = {
+ Name = "tg-production",
+ Environment = "tg-production",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-west-2"
+ managed_by = "Terraform"
+ purpose = "transit-gateway"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+}
diff --git a/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/vpc/production-test-vpc/terragrunt.hcl b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/vpc/production-test-vpc/terragrunt.hcl
new file mode 100644
index 000000000..cf93620f9
--- /dev/null
+++ b/old/tf-environments/aws/infrastructure/aws/transit-gateway/us-west-2/vpc/production-test-vpc/terragrunt.hcl
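Review bot: `source = "../../../../../tf-modules/aws/networks/transit-gateway/"` climbs five directories from `.../transit-gateway/us-west-2/transit-gateway/`, which lands in `old/tf-environments/aws/`, whereas the sibling configs one level deeper in this diff climb eight to reach `old/tf-modules`; from this directory seven `../` are needed, so unless a second `tf-modules` tree exists at that location this source does not resolve — please confirm. The tags block also stamps `get_aws_caller_identity_arn()` and `get_aws_caller_identity_user_id()` onto the Transit Gateway itself; that exposes the operator's principal to anyone who can read tags, produces a tag diff on every apply by a different person, and duplicates what CloudTrail already records, so consider dropping the two `last_callers_*` tags.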
@@ -0,0 +1,39 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../../../tf-modules/aws/vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_parent_terragrunt_dir()}/us-west-2/_env_defaults/aws.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ region = "us-west-2"
+ availability_zones = ["us-west-2a"]
+
+ public_cidrs = ["10.37.10.0/24"]
+
+ private_cidrs = ["10.37.11.0/24"]
+
+ tags = {
+ Name = "production-test-vpc",
+ Environment = "production-test-vpc",
+ Account = "infrastructure",
+ Group = "devops",
+ Region = "us-west-2"
+ managed_by = "Terraform"
+ terraform_module = "vpc"
+ terragrunt_dir = get_terragrunt_dir()
+ last_callers_identity = get_aws_caller_identity_arn()
+ last_callers_user_id = get_aws_caller_identity_user_id()
+ }
+
+}
diff --git a/old/tf-environments/aws/terragrunt.hcl b/old/tf-environments/aws/terragrunt.hcl
new file mode 100644
index 000000000..9d61f334b
--- /dev/null
+++ b/old/tf-environments/aws/terragrunt.hcl
@@ -0,0 +1,21 @@
+remote_state {
+ backend = "s3"
+ config = {
+ bucket = "kubernetes-ops-tf-state-${get_aws_account_id()}-terraform-state"
+
+ key = "${path_relative_to_include()}/terraform.tfstate"
+ region = "us-east-1"
+ encrypt = true
+ dynamodb_table = "kubernetes-ops-lock-table"
+ }
+}
+
+terraform {
+ // extra_arguments "common_vars" {
+ // commands = get_terraform_commands_that_need_vars()
+ //
+ // arguments = [
+ // "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars",
+ // ]
+ // }
+}
diff --git a/old/tf-environments/azure/dev/aks/cluster/terragrunt.hcl b/old/tf-environments/azure/dev/aks/cluster/terragrunt.hcl
new file mode 100644
index 000000000..57e0fe082
--- /dev/null
+++ b/old/tf-environments/azure/dev/aks/cluster/terragrunt.hcl
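Review bot: The var-file here is `${get_parent_terragrunt_dir()}/us-west-2/_env_defaults/aws.tfvars`, while every other AWS config in this diff loads `${get_parent_terragrunt_dir()}/_env_defaults/transit-gateway.tfvars`, and neither file is part of the commit, so a fresh checkout fails at `plan` unless both are produced out of band; document which files are expected to exist, and because the README in this diff calls the transit-gateway one a credential file, make sure it is covered by `.gitignore`. The VPC itself is single-AZ (`availability_zones = ["us-west-2a"]`) while the attachment config for this same VPC spans three AZs; that works only because the attach module creates its own three subnets, which deserves a one-line comment so the next reader does not "fix" the mismatch.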
@@ -0,0 +1,30 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "git::ssh://git@github.com/ManagedKube/kubernetes-ops.git//tf-modules/azure/aks/cluster/?ref=v0.1.23"
+}
+
+inputs = {
+ cluster_name = "dev"
+ location = "eastus2"
+ dns_prefix = "dev"
+
+ default_node_pool_instance_size = "Standard_B2s"
+
+ api_server_authorized_ip_ranges = [
+ "38.30.0.0/8",
+ "136.24.0.0/8",
+ ]
+
+ tags = {
+ Environment = "dev",
+ Account = "dev",
+ Group = "devops",
+ Location = "eastus2",
+ managed_by = "Terraform"
+ terraform_module = "aks"
+ terragrunt_dir = get_terragrunt_dir()
+ }
+}
diff --git a/old/tf-environments/azure/dev/aks/node_pools/generic-1/terragrunt.hcl b/old/tf-environments/azure/dev/aks/node_pools/generic-1/terragrunt.hcl
new file mode 100644
index 000000000..6abcdfbc3
--- /dev/null
+++ b/old/tf-environments/azure/dev/aks/node_pools/generic-1/terragrunt.hcl
@@ -0,0 +1,42 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "git::ssh://git@github.com/ManagedKube/kubernetes-ops.git//tf-modules/azure/aks/node_pool/?ref=v0.1.23"
+}
+
+dependency "kubernetes_cluster" {
+ config_path = "../../cluster"
+ mock_outputs = {
+ cluster_id = "12345"
+ }
+}
+
+dependencies {
+ paths = [
+ "../../cluster",
+ ]
+}
+
+inputs = {
+ kubernetes_cluster_id = dependency.kubernetes_cluster.outputs.cluster_id
+
+ node_pool_name = "generic1"
+ vm_size = "Standard_B2s"
+
+ node_count = 1
+ max_count = 1
+ min_count = 1
+
+ tags = {
+ Environment = "dev",
+ Account = "dev",
+ Group = "devops",
+ Location = "eastus2",
+ managed_by = "Terraform"
+ terraform_module = "aks"
+ node_pool = "generic1"
+ terragrunt_dir = get_terragrunt_dir()
+ }
+}
diff --git a/old/tf-environments/azure/terragrunt.hcl b/old/tf-environments/azure/terragrunt.hcl
new file mode 100644
index 000000000..f56397dfb
--- /dev/null
+++ b/old/tf-environments/azure/terragrunt.hcl
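Review bot: `api_server_authorized_ip_ranges` lists `38.30.0.0/8` and `136.24.0.0/8`, and a /8 keeps only the first octet, so this allow-list actually admits all of 38.0.0.0/8 and 136.0.0.0/8 — roughly 33 million addresses — to the AKS API server; the GKE config in this same diff shows the real hosts are `38.30.8.138/32` and `136.24.163.48/32`. Tighten to `"38.30.8.138/32", "136.24.163.48/32"` (or the actual office/VPN egress ranges), since this list is the only thing standing between the internet and the control plane. `ref=v0.1.23` pins the module to a git tag, which is mutable; pinning `ref=` to the commit SHA gives a supply-chain pin that cannot be silently moved.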
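Review bot: `mock_outputs = { cluster_id = "12345" }` is declared without `mock_outputs_allowed_terraform_commands`, so if the cluster state is missing or its output is not yet populated, an `apply` will try to create a node pool against cluster id `12345` instead of failing fast; add `mock_outputs_allowed_terraform_commands = ["validate", "plan"]` inside the `dependency` block so the mock only satisfies read-only runs. The `dependencies { paths = ["../../cluster"] }` block is redundant with the `dependency` block, which already orders the run, and can be removed.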
@@ -0,0 +1,21 @@
+remote_state {
+ backend = "azurerm"
+ config = {
+ key = "${path_relative_to_include()}/terraform.tfstate"
+ resource_group_name = "kubernetes-ops"
+ storage_account_name = "kubernetesops"
+ container_name = "tfstate"
+ }
+}
+
+# terraform {
+# extra_arguments "common_vars" {
+# commands = get_terraform_commands_that_need_vars()
+
+# arguments = [
+# # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars",
+# # "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+# "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+# ]
+# }
+# }
diff --git a/old/tf-environments/gcp/dev/_env_defaults/gcp.tfvars b/old/tf-environments/gcp/dev/_env_defaults/gcp.tfvars
new file mode 100644
index 000000000..1fb82dffb
--- /dev/null
+++ b/old/tf-environments/gcp/dev/_env_defaults/gcp.tfvars
@@ -0,0 +1,6 @@
+region = "us-central1"
+project_name = "managedkube"
+
+# regional cluster with 3 masters use the region with the zone (eg. us-central1). This cost $0.10/hour.
+# zonal cluster that has only one master and in one zone. Add the zone to the region. (eg. us-central1-a). There is no GCP charge for this.
+google_container_cluster_location = "us-central1-a"
\ No newline at end of file
diff --git a/old/tf-environments/gcp/dev/firewall-rules/prometheus/terragrunt.hcl b/old/tf-environments/gcp/dev/firewall-rules/prometheus/terragrunt.hcl
new file mode 100644
index 000000000..153701153
--- /dev/null
+++ b/old/tf-environments/gcp/dev/firewall-rules/prometheus/terragrunt.hcl
@@ -0,0 +1,17 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/gcp/firewall-rules/prometheus"
+
+}
+
+inputs = {
+ region = "us-central1-a"
+ project_name = "managedkube"
+
+ network_name = trimspace(run_cmd("terragrunt", "output", "network_name", "--terragrunt-working-dir", "../../vpc"))
+
+ source_range_list = ["10.0.0.0/8"]
+}
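Review bot: `region = "us-central1-a"` is a zone name, not a region — the `_env_defaults/gcp.tfvars` added in this same diff keeps `region = "us-central1"` and carries the zone separately in `google_container_cluster_location` — and this is also the only GCP config here that hard-codes `project_name` instead of loading that tfvars through `extra_arguments`. If the module hands `region` to a regional resource, a zone value is rejected at apply; adding the same `extra_arguments "common_vars"` block the sibling configs use (`"-var-file=${get_terragrunt_dir()}/../../_env_defaults/gcp.tfvars"`) removes both the typo and the duplicated value. `source_range_list = ["10.0.0.0/8"]` opens the Prometheus ports to every address in 10/8; the subnets created elsewhere in this diff all sit inside 10.32.0.0/16–10.39.255.255, so narrowing to those ranges keeps VPN-reachable and peered networks from being implicitly allowed.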
diff --git a/old/tf-environments/gcp/dev/gke-cluster/terragrunt.hcl b/old/tf-environments/gcp/dev/gke-cluster/terragrunt.hcl
new file mode 100644
index 000000000..a9b77de44
--- /dev/null
+++ b/old/tf-environments/gcp/dev/gke-cluster/terragrunt.hcl
@@ -0,0 +1,63 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../tf-modules/gcp/private-gke-cluster/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+ ]
+ }
+}
+
+inputs = {
+ vpc_name = trimspace(run_cmd("terragrunt", "output", "network_name", "--terragrunt-working-dir", "../vpc"))
+ network_name = trimspace(run_cmd("terragrunt", "output", "network_name", "--terragrunt-working-dir", "../vpc"))
+ cluster_name = "dev"
+ private_subnet_name = trimspace(run_cmd("terragrunt", "output", "private_subnet_name", "--terragrunt-working-dir", "../gke-subnets"))
+
+ enable_private_kube_master_endpoint = false
+
+ gke_version = "1.16.6-gke.4"
+ initial_node_count = "1"
+
+ master_ipv4_cidr_block="10.32.11.0/28"
+
+ master_authorized_networks_cidr = [
+ { cidr_block = "10.0.0.0/8", display_name = "10x" },
+ { cidr_block = "172.16.0.0/12", display_name = "172x" },
+ { cidr_block = "192.168.0.0/16", display_name = "192x" },
+ { cidr_block = "38.30.8.138/32", display_name = "home" },
+ { cidr_block = "35.222.67.76/32", display_name = "gar-vpn" },
+ { cidr_block = "12.190.239.210/32", display_name = "gar-vpn-2" },
+ { cidr_block = "136.24.163.48/32", display_name = "gar-vpn-2" },
+ ]
+
+ outbound_through_nat_tags=["private-subnet", "gke-private-nodes"]
+
+ cluster_autoscaling_enabled = true
+
+ resource_limits_enable = [
+ {
+ type = "cpu",
+ max = 10,
+ min = 0,
+ }, {
+ type = "memory",
+ max = 16,
+ min = 0,
+ }
+ ]
+
+ release_channel_channel = "RAPID"
+
+ enable_intranode_visibility = true
+}
+
+dependencies {
+ paths = ["../vpc"]
+}
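Review bot: `dependencies { paths = ["../vpc"] }` omits `../gke-subnets` even though `private_subnet_name` is read from it through `run_cmd` a few lines above, so a `run-all apply` can start this module before the subnets exist; add it to `paths` (`paths = ["../vpc", "../gke-subnets"]`) or, better, convert both lookups to `dependency` blocks, which carry the ordering with them. Two `master_authorized_networks_cidr` entries share `display_name = "gar-vpn-2"`, which makes the console list ambiguous — give `136.24.163.48/32` its own name. Pinning `gke_version = "1.16.6-gke.4"` while also selecting `release_channel_channel = "RAPID"` sets up a fight in which the channel auto-upgrades the control plane and the pin then reports a perpetual diff, so keep one or the other; and since `enable_private_kube_master_endpoint = false` leaves a public control-plane endpoint gated only by this list, note in a comment that the public `/32` entries must be pruned whenever a home or VPN address is retired.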
diff --git a/old/tf-environments/gcp/dev/gke-subnets/terragrunt.hcl b/old/tf-environments/gcp/dev/gke-subnets/terragrunt.hcl
new file mode 100644
index 000000000..ab65e4fff
--- /dev/null
+++ b/old/tf-environments/gcp/dev/gke-subnets/terragrunt.hcl
@@ -0,0 +1,35 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../tf-modules/gcp/gke-subnets/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+ ]
+ }
+}
+
+inputs = {
+ vpc_name = trimspace(run_cmd("terragrunt", "output", "network_name", "--terragrunt-working-dir", "../vpc"))
+ region = trimspace(run_cmd("terragrunt", "output", "region", "--terragrunt-working-dir", "../vpc"))
+ network_name = trimspace(run_cmd("terragrunt", "output", "network_name", "--terragrunt-working-dir", "../vpc"))
+
+ services_ip_cidr_range="10.32.64.0/19"
+ pods_ip_cidr_range="10.36.0.0/14" # 1024 max nodes
+
+ #####################
+ # networking
+ #####################
+ public_subnet_cidr_range = "10.32.16.0/20"
+ private_subnet_cidr_range = "10.32.32.0/20"
+
+}
+
+dependencies {
+ paths = ["../vpc"]
+}
diff --git a/old/tf-environments/gcp/dev/nodepools/pool-1/terragrunt.hcl b/old/tf-environments/gcp/dev/nodepools/pool-1/terragrunt.hcl
new file mode 100644
index 000000000..f163720da
--- /dev/null
+++ b/old/tf-environments/gcp/dev/nodepools/pool-1/terragrunt.hcl
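Review bot: `pods_ip_cidr_range = "10.36.0.0/14"` covers 10.36.0.0–10.39.255.255, which overlaps the AWS `10.37.0.0/16` VPC (`production-test-vpc`) and the `10.36.0.0/16`/`10.38.0.0/16` transit-gateway destinations added elsewhere in this diff; if the GCP and AWS sides are ever joined through the `gar-vpn` peers the cluster config lists, pod traffic and those VPCs become mutually unroutable. If the overlap is deliberate because the two clouds stay isolated, record that next to the range (`# overlaps AWS 10.36–10.38/16 on purpose — these networks are never peered`); otherwise move the pod range to an unused block such as `10.40.0.0/14`. The `# 1024 max nodes` comment also silently assumes the default /24-per-node allocation (110 pods/node), which is worth stating so a later `max_pods_per_node` change does not invalidate it.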
@@ -0,0 +1,73 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../tf-modules/gcp/nodepool/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_terragrunt_dir()}/../../_env_defaults/gcp.tfvars",
+ ]
+ }
+}
+
+inputs = {
+
+ cluster_name = trimspace(run_cmd("terragrunt", "output", "cluster_name", "--terragrunt-working-dir", "../../gke-cluster"))
+
+ node_pool_name = "pool-1"
+
+ initial_node_count = "1"
+ min_node_count = "0"
+ max_node_count = "2"
+ is_preemtible = true
+ machine_type = "n1-standard-2"
+ disk_size_gb = "100"
+ auto_upgrade = true
+
+ image_type = "COS"
+
+ # These represent the "gke-defaults" scope list
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ "https://www.googleapis.com/auth/service.management.readonly",
+ "https://www.googleapis.com/auth/servicecontrol",
+ "https://www.googleapis.com/auth/trace.append",
+ ]
+
+ # Kubernetes node labels
+ labels = {}
+ // {
+ // foo = "bar",
+ // foo2 = "bar2",
+ // }
+
+ # GCP node labels and firewall labels
+ tags = []
+ // ["foo", "bar"]
+
+ # Kubernetes taints
+ taints = []
+ // [
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar"
+ // value = "foo"
+ // },
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar2"
+ // value = "foo2"
+ // },
+ // ]
+
+}
+
+dependencies {
+ paths = ["../gke-cluster"]
+}
diff --git a/old/tf-environments/gcp/dev/nodepools/pool-2/terragrunt.hcl b/old/tf-environments/gcp/dev/nodepools/pool-2/terragrunt.hcl
new file mode 100644
index 000000000..12cee00e0
--- /dev/null
+++ b/old/tf-environments/gcp/dev/nodepools/pool-2/terragrunt.hcl
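Review bot: `dependencies { paths = ["../gke-cluster"] }` resolves to `nodepools/gke-cluster`, which does not exist in this tree; the `cluster_name` lookup earlier in the same file uses `../../gke-cluster`, so the entry should read `paths = ["../../gke-cluster"]` — as written, terragrunt cannot find the dependency and `run-all` cannot order the pool after the cluster. `is_preemtible` is misspelled (`is_preemptible`) and must match the module's variable name exactly, because an input with no matching variable is passed as an unknown `TF_VAR_` and ignored without error, leaving the pool silently non-preemptible; confirm the spelling against the module and fix both sides together.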
@@ -0,0 +1,59 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../../../tf-modules/gcp/nodepool/"
+}
+
+inputs = {
+
+ cluster_name = "dev"
+ node_pool_name = "pool-2"
+
+ initial_node_count = "1"
+ is_preemtible = true
+ min_node_count = "0"
+ max_node_count = "6"
+ machine_type = "n1-standard-8"
+ disk_size_gb = "100"
+
+ image_type = "COS"
+
+ # These represent the "gke-defaults" scope list
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/devstorage.read_only",
+ "https://www.googleapis.com/auth/logging.write",
+ "https://www.googleapis.com/auth/monitoring",
+ "https://www.googleapis.com/auth/service.management.readonly",
+ "https://www.googleapis.com/auth/servicecontrol",
+ "https://www.googleapis.com/auth/trace.append",
+ ]
+
+ # Kubernetes node labels
+ labels = {}
+ // {
+ // foo = "bar",
+ // foo2 = "bar2",
+ // }
+
+ # GCP node labels and firewall labels
+ tags = []
+ // ["foo", "bar"]
+
+ # Kubernetes taints
+ taints = []
+ // [
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar"
+ // value = "foo"
+ // },
+ // {
+ // effect = "NO_SCHEDULE"
+ // key = "bar2"
+ // value = "foo2"
+ // },
+ // ]
+
+}
diff --git a/old/tf-environments/gcp/dev/vpc/terragrunt.hcl b/old/tf-environments/gcp/dev/vpc/terragrunt.hcl
new file mode 100644
index 000000000..01223f542
--- /dev/null
+++ b/old/tf-environments/gcp/dev/vpc/terragrunt.hcl
@@ -0,0 +1,26 @@
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "../../../../tf-modules/gcp/vpc/"
+
+ extra_arguments "common_vars" {
+ commands = get_terraform_commands_that_need_vars()
+
+ arguments = [
+ "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+ ]
+ }
+}
+
+inputs = {
+ vpc_name = "dev"
+
+ public_subnet_cidr_range = "10.32.1.0/24"
+ private_subnet_cidr_range = "10.32.5.0/24"
+
+ number_of_nat_ip_address_to_use = 1
+
+ outbound_through_nat_tags=["private-subnet", "gke-private-nodes"]
+}
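Review bot: `source = "../../../../../../tf-modules/gcp/nodepool/"` climbs six directories where `pool-1`, at exactly the same depth, climbs five; from `old/tf-environments/gcp/dev/nodepools/pool-2/` six levels is the repository root, so unless a second `tf-modules` tree exists there this pool is built from a different (or missing) module than pool-1 — confirm and align the path. This config also drops the `extra_arguments` var-file, hard-codes `cluster_name = "dev"` and has no `dependencies` block, so it can be applied before the cluster exists; mirror pool-1 with `cluster_name` taken from the cluster output and `dependencies { paths = ["../../gke-cluster"] }`, and the same `is_preemtible` spelling caveat as pool-1 applies here.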
diff --git a/old/tf-environments/gcp/terragrunt.hcl b/old/tf-environments/gcp/terragrunt.hcl
new file mode 100644
index 000000000..958c541d2
--- /dev/null
+++ b/old/tf-environments/gcp/terragrunt.hcl
@@ -0,0 +1,21 @@
+remote_state {
+ backend = "gcs"
+ config = {
+ bucket = "kubernetes-ops-terraform-state-${get_env("STATE_STORE_UNIQUE_KEY", "default-value-1234")}"
+ prefix = path_relative_to_include()
+ project = "managedkube"
+ location = "us-central1"
+ }
+}
+
+# terraform {
+# extra_arguments "common_vars" {
+# commands = get_terraform_commands_that_need_vars()
+
+# arguments = [
+# # "-var-file=${get_parent_terragrunt_dir()}/_env_defaults/gcp.tfvars",
+# # "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+# "-var-file=${get_terragrunt_dir()}/../_env_defaults/gcp.tfvars",
+# ]
+# }
+# }
diff --git a/old/tf-modules/aws/iam/policies/source-ip-controls/main.tf b/old/tf-modules/aws/iam/policies/source-ip-controls/main.tf
new file mode 100644
index 000000000..1e5dc6799
--- /dev/null
+++ b/old/tf-modules/aws/iam/policies/source-ip-controls/main.tf
@@ -0,0 +1,26 @@
+terraform {
+ backend "s3" {}
+}
+
+data "aws_iam_policy_document" "policy-doc" {
+ statement {
+
+ effect = "Deny"
+ actions = ["*"]
+ resources = ["*"]
+
+ condition {
+ test = "NotIpAddress"
+ variable = "aws:SourceIp"
+
+ values = var.source-ip-list
+ }
+ }
+}
+
+resource "aws_iam_policy" "policy" {
+ name = var.name
+ description = var.description
+ path = var.path
+ policy = data.aws_iam_policy_document.policy-doc.json
+}
diff --git a/old/tf-modules/aws/iam/policies/source-ip-controls/outputs.tf b/old/tf-modules/aws/iam/policies/source-ip-controls/outputs.tf
new file mode 100644
index 000000000..9ee383114
--- /dev/null
+++ b/old/tf-modules/aws/iam/policies/source-ip-controls/outputs.tf
@@ -0,0 +1,7 @@
+output "name" {
+ value = aws_iam_policy.policy.name
+}
+
+output "arn" {
+ value = aws_iam_policy.policy.arn
+}
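Review bot: `get_env("STATE_STORE_UNIQUE_KEY", "default-value-1234")` gives the state bucket a fallback name, so a shell where the variable is unset does not stop — it quietly reads and writes `kubernetes-ops-terraform-state-default-value-1234`, a guessable, globally-unique GCS name that may belong to someone else or hold a stale copy of this state. Use the one-argument form, `get_env("STATE_STORE_UNIQUE_KEY")`, which fails when the variable is missing, so a misconfigured environment halts before touching any state; the same applies to the commented-out `extra_arguments` block, which should either be deleted or finished rather than left as a third copy of the `gcp.tfvars` path.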
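Review bot: A `Deny` on `actions = ["*"]`/`resources = ["*"]` keyed only on `NotIpAddress aws:SourceIp` also denies every call an AWS service makes on the principal's behalf (CloudFormation, Lambda, Config and the like), because those requests arrive from the service's address rather than the operator's; AWS's reference policy for this pattern adds a second `Bool aws:ViaAWSService = false` condition to the same statement, and the same caveat applies to EC2/EKS roles whose NAT egress IPs are not in the list. Because `var.source-ip-list` defaults to `[]`, applying the module with no input renders a statement with an empty `aws:SourceIp` set, which IAM is likely to reject as malformed and which, if it rendered, would deny everything — and since the Deny covers `sts:*` and console access too, whoever attaches it to their own principal is locked out on the next call, so the README should spell out the rollback path (root or an un-attached admin) and the policy should be attached to a group, never to the applying user. The condition block below is the change I would make in `main.tf`.
```hcl
data "aws_iam_policy_document" "policy-doc" {
  statement {
    # … unchanged: effect / actions / resources and the NotIpAddress condition …

    # Do not deny calls that AWS services issue on the principal's behalf
    # (CloudFormation, Lambda, Config, ...); those never originate from an
    # operator IP and would otherwise be blocked by the NotIpAddress test.
    condition {
      test     = "Bool"
      variable = "aws:ViaAWSService"
      values   = ["false"]
    }
  }
}
```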
diff --git a/old/tf-modules/aws/iam/policies/source-ip-controls/vars.tf b/old/tf-modules/aws/iam/policies/source-ip-controls/vars.tf
new file mode 100644
index 000000000..594585c06
--- /dev/null
+++ b/old/tf-modules/aws/iam/policies/source-ip-controls/vars.tf
@@ -0,0 +1,16 @@
+variable "name" {
+ default = "source-ip-control"
+}
+
+variable "description" {
+ default = "Controls the source IP allowed to access the AWS API. Managed by Terraform."
+}
+
+variable "path" {
+ default = "/"
+}
+
+variable "source-ip-list" {
+ type = list
+ default = []
+}
diff --git a/old/tf-modules/aws/iam/policies/source-ip-controls/versions.tf b/old/tf-modules/aws/iam/policies/source-ip-controls/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/old/tf-modules/aws/iam/policies/source-ip-controls/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/old/tf-modules/aws/networks/README.md b/old/tf-modules/aws/networks/README.md
new file mode 100644
index 000000000..8e722571c
--- /dev/null
+++ b/old/tf-modules/aws/networks/README.md
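Review bot: `source-ip-list` uses the legacy bare `list` type and `default = []`, so this module can be applied with no allow-list at all and the Deny statement in `main.tf` then carries an empty `aws:SourceIp` set — the one input that must never be empty is the only one with a silent default. Declare it `list(string)`, drop the default so the caller is forced to supply it, add a description, and reject empty or non-CIDR entries at plan time with a `validation` block; that block needs Terraform 0.13, so `versions.tf` should move to `required_version = ">= 0.13"` alongside it.
```hcl
variable "source-ip-list" {
  type        = list(string)
  description = "CIDR blocks allowed to call the AWS API; every other source IP is denied. Must not be empty."

  validation {
    condition     = length(var.source-ip-list) > 0 && length([for c in var.source-ip-list : c if !can(cidrhost(c, 0))]) == 0
    error_message = "The source-ip-list variable must contain at least one valid CIDR block; an empty list would deny all access."
  }
}
```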
@@ -0,0 +1,154 @@ +AWS Networks +============= + +This is a series of modules to help build a global AWS transit gateway network. + +# Creation flow: + +## [1] transit-gateway +Creates a Transit Gateway + +## [2] VPC +Create a VPC or use an exiting VPC that will connect up to the Transit Gateway + +## [3] tg-internal-attach-vpc / tg-external-attach-vpc +The `internal` one uses one AWS account while the `external` one uses two AWS accounts. + +The `external` module uses the `./_env_defaults/transit-gateway.tfvars` credential file to handle orchestrating resources in two accounts. The first AWS account owns the Transit Gateway and the second AWS account is where you want to attach the Transit Gateway to. This module will share the Transit Gateway from the first AWS account with the second AWS account and then accept it on both sides. Then it will set it up to connect to the second's AWS account's VPC. + +It will create: +* 3 subnets created so that the transit gateway can route into +* the TG needs to be in all subnets/zones if you want to route there +* transit gateway attachment to the test-vpc +* routes in the vpc route table associated with these subnets + +## [4] transit-gateway-route-table +* This route table should be owned by the infrastructure AWS account +* These are all of the routes routing through the Transit Gateway +* The individual sub accounts should not have to add this step because they do not control the global Transit Network routing + +## [5] add-tg-routes + -These are individual routes that goes into the VPC route table + -This should go into the local env where the VPC lives and that AWS account should launch this since they own the routes to their own VPC. + +### This holds +The input variables for the `route_table_id_list` and the `routes-list` are the destination routes from the perspective of the subnet(s) this VPC route-table is associated with wants to route to. 
+ +It will set these routes and then set the destination to the Transit Gateway. + +## [6] A full example +There is a full example of the network it can create in the diagram in the next section. + +The example is in: `/tf-environments/aws/infrastructure/aws/transit-gateway` + +# A detailed walk through on how to troubleshoot a routing path through the AWS Transit Gateway +Troubleshooting a path through the transit gateway can seem like a hard task since you won't have visibility into every single piece of networking that the packet will go through. By following a systematic approach you can make sure that everything that is needed to be able to route successfully from an EC2 host in one VPC in a region going through a transit gateway to another region and back down to another EC2 host in that VPC is setup correctly. + +Im not going to lie. This is a very tedious troubleshooting scenario. If the IDs for each piece don't match up or if the CIDR range is no correct for a route table, trying to reach the other side via a ping or opening a connection to the other host will just fail silently. We don't have visibility into AWS's routers to see where it is failing on this path. + +In the following diagram we are going to map out how `EC2-1` will reach `EC2-2` and trace out the path. + +![transit gateway network](./diagrams/transit-gateway-diagram.png "Transit Gateway Network") + +As you can see, to make this setup work, there are a bunch of components to it. The main items to look at are the correct routing tables associated with each components and are the correct routes in there? + +Lets start. + +## [1] Transit Gateway Configuration (us-west-2) +The first thing to check is to make sure the Transit Gateway is setup correctly. Without this, you will not be able to add the routes to the EC2's instances routing tables. 
+ +In the AWS console go to: VPC->Transit Gateway + +![us-west-2 transit gateway](./diagrams/us-west-2-transit-gateway.png "us-west-2 transit gateway") + +You should have a Transit Gateway here =) + +### Attachments +The Transit Gateway has a bunch of functionality and ways you can use it and it is just a resource. You have to attach this resource to something. + +![us-west-2 transit gateway attachments](./diagrams/us-west-2-tg-attachments.png "us-west-2 transit gateway attachments") + +I have highlighted the second row (we'll talk about the first row later on). This is a Transit Gateway attachment to a VPC. This binds the transit gateway to the VPC where our `EC2-1` host lives. + +Another important thing is to note the `Subnet IDs` in this page. These are not the subnets that our `EC2-1` host is in but these are subnets in the same VPC. For the Transit Gateway to route properly, it has to be in all of the AWS Availability Zones that you want it to route into for that VPC. There are 3 subnets here because we are in 3 different availability zones. This is a side fact that you will just have to remember on how the Transit Gateway works. + +## [2] EC2-1 Instance Configuration (us-west-2) + +We have the instance named `EC2-1` which is in the us-west-2 region: + +![ec2-1](./diagrams/ec2-1-instance.png "ec2-1") + +There two things we want to check in here. + +Note: You will notice that this subnet is not in the list of subnets in the Transit Gateway Attachments. It doesn't have to be. + +### Check is the EC2-1's security group +The first thing to check is the `EC2-1`'s security group: + +![ec2-1 security group](./diagrams/ec2-1-security-group.png "ec2-1 security group") + +Make sure that it is allowing network traffic in. This is showing it is allowing everything in. + +### The EC2-1's subnet settings +The second thing is to click on the `Subnet ID`. 
When you get on that page, you can click on the `Route Table` tab and it will show you the following: + +![ec2-1 subnet](./diagrams/ec2-1-subnet.png "ec2-1 subnet") + +The following is the route table that is associated with this subnet and the routing configurations for it. It lists out destination CIDR ranges where traffic to go and where it should send that traffic via the `Target` location. + +Per our network above, the `EC2-2` host we are trying to reach is on the `10.35.0.0/16` network. This route table don't have all of the information on how to get there but it knows the next hop on where it should go. Also per our network diagram above, the next hop would be the Transit Gateway in this region that is attached to this VPC. In this case, the transit gateway ID is `tgw-065a441dc990254ca`. You can also see that this is the only transit gateway in this region for us which means that all othe routes to the other parts of the network will go through this transit gateway also. You will notice that the other routes point to the same transit gateway. That is because to get traffic to those networks, we just have to push the packets to this transit gateway and this transit gateway will handle forwarding it onward for us (per it's own configurations which we will go through below). + +If you don't have the proper routes here you can click on the `Route Table` link (`rtb-09efef60458f61005 | production-test-vpc`) and that will bring you to the routing table's configuration. From here, you can click on the `Routes` tab and add the destination CIDR and to which Transit Gateway should be the next hop. + +![ec2-1 vpc route table](./diagrams/ec2-1-vpc-route-table.png "ec2-1 vpc- route table") + +## [3] Transit Gateway Peering Attachment (us-west-2) +Earlier we looked at the VPC attachment. The following hightlights the peering attachment. This attachment peers this Transit Gateway with another Transit Gateway. In this case, it is peered with a Transit Gateway in `us-east-1`. 
+ +![us-west-2-tg-attachment-peering.png](./diagrams/us-west-2-tg-attachment-peering.png "us-west-2-tg-attachment-peering.png") + +We will need this peering attachment active to continue to push traffic through to the other side. + +## [4] Transit Gateway Route Table (us-west-2) +The Transit Gateway routing table is similar to the previous VPC routing table we were looking at. It basicially needs the same information but the next hop is the peering connection. The reason we have yet another routing table is becuase a Transit Gateway is a hub and spoke device. This Transit Gateway can be connected up to multiple Transit Gateway or other devices like a VPN or a router. This then mean that you need to know where to route traffic to and at which endpoint to send that traffic to. + +![us-west-2-tg-route-table.png](./diagrams/us-west-2-tg-route-table.png "us-west-2-tg-route-table.png") + +In this setup it is fairly simple since there is only one other Transit Gateway and our VPC. We have the `10.37.0.0/16` route pointed to our VPC and the route to `EC2-2` (10.35.0.0/16) pointed to the only peering connection we have in this setup. + +## [5] Transit Gateway Configuration (us-east-1) +Now we start to look on the other side in `us-east-1`'s configuration to make sure it is correct. This configuration is essentially the same as what we have gone through above. We will go through the same sequence but with `us-east-1'`s configs. I will only point out the differences here and not repeat what was sadi above. + +Again, here we have a Transit Gateway (no picture). The Transit Gateway itself don't have much configurations. The interesting bits to it are in it's attachments. + +## [6] Transit Gateway Attachments (us-east-1) +This Transit Gateway attchement is a little bit more interesting than the one in the other region because this is the "hub". Both us-west-2 and us-east-2 peers with this Transit Gateway. It just has more attachments and the configuration is about the same. 
+ +![us-east-1-tg-attachments.png](./diagrams/us-east-1-tg-attachments.png "us-east-1-tg-attachments.png") + +We want to make sure the VPC where the `EC2-2` instance is located in is attached here and for this particular troubleshooting exercise we only care about the peering with `us-west-2` is active. + +## [7] EC2-2 Instance configuration (us-east-1) +Let's jump over to the `EC2-2`'s configuration and start there. + +![ec2-2-instance.png](./diagrams/ec2-2-instance.png "ec2-2-instance.png") + +We want to check the same thing as we did before. The security group and then click on the `Subnet ID`. + +### VPC route table +This route table is the same as the other sides. We just want to make sure everything is correct in here. + +![ec2-2-vpc-route-table.png](./diagrams/ec2-2-vpc-route-table.png "ec2-2-vpc-route-table.png") + +We want to make sure there is a route to the `10.37.0.0/16` subnet through the Transit Gateway. Since we only have one Transit Gateway in each region for this example scenario, it is pretty hard to get this wrong but if you have more than one Transit Gateway in a region, make sure the IDs matches up to the correct one. If you don't the packets wouldn't get to the final destination and it would basically silently fail here or at any other point where the IDs don't match up. + +## [8] Transit Gateway Route Table (us-east-1) +Same thing here as above. This is the Transit Gateway's route table with basically the same info as the VPC route table but just on another level. + +![us-east-1-tg-route-table.png](./diagrams/us-east-1-tg-route-table.png "us-east-1-tg-route-table.png") + +What we want to note here is that the destination route for this side we want to get to is `10.37.0.0/16` and that the route table points this destination CIDR to the correct Transit Gateway peer. Rememer in this region this Transit Gateway is the hub connecting two different regions to it. + +# Conclusion +Yes, this is tedious. I wish it wasn't so. 
You have to maticulously go through the path and make sure that each route table is in place and that the IDs that it is using is the correct one. There isn't such great visiblity into the networking and this is the only way I found that is effective. If there is a routing problem, I first make sure everything is in the correct place. Then expand my troubleshooting efforts out from there.
+
diff --git a/old/tf-modules/aws/networks/add-tg-routes/README.md b/old/tf-modules/aws/networks/add-tg-routes/README.md
new file mode 100644
index 000000000..f26992846
--- /dev/null
+++ b/old/tf-modules/aws/networks/add-tg-routes/README.md
@@ -0,0 +1,17 @@
+add-tg-routes
+===============
+
+This module adds transit gateway routes to a VPC routing table
+
+## AWS credentials
+
+This module uses the local shell's environment to get the AWS credentials.
+
+(not from the `./_env_defaults/transit-gateway.tfvars`)
+
+If you are exporting the AWS credentials to your environment, you need at the minimum:
+
+```
+AWS_SECRET_ACCESS_KEY=xxxx
+AWS_ACCESS_KEY_ID=xxxx
+```
\ No newline at end of file
diff --git a/old/tf-modules/aws/networks/add-tg-routes/main.tf b/old/tf-modules/aws/networks/add-tg-routes/main.tf
new file mode 100644
index 000000000..909abf3e7
--- /dev/null
+++ b/old/tf-modules/aws/networks/add-tg-routes/main.tf
@@ -0,0 +1,19 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ alias = "first"
+
+ region = "${var.aws_region}"
+}
+
+resource "aws_route" "route-first" {
+ provider = "aws.first"
+ count = length(var.route_table_id_list) * length(var.routes-list)
+
+ route_table_id = var.route_table_id_list[floor(count.index / length(var.routes-list))]
+ destination_cidr_block = var.routes-list[count.index % length(var.routes-list)]
+ transit_gateway_id = var.transit-gateway-id
+}
diff --git a/old/tf-modules/aws/networks/add-tg-routes/vars.tf b/old/tf-modules/aws/networks/add-tg-routes/vars.tf
new file mode 100644
index 000000000..ec846ce75
--- /dev/null
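Review bot: `provider = "aws.first"` and `region = "${var.aws_region}"` in `main.tf` are 0.11-era syntax — the quoted provider reference is deprecated in 0.12 and rejected from 0.13 onward, and the interpolation-only string is flagged by `terraform validate` — so with `required_version = ">= 0.12"` this module stops initialising on the next minor upgrade; write `provider = aws.first` and `region = var.aws_region`. The `count`-indexed cross product is also fragile on a live route table: removing or reordering one CIDR in `routes-list` shifts every later index, so Terraform destroys and recreates routes that did not change, which briefly blackholes traffic; a `for_each` keyed on `"<route-table>|<cidr>"` is stable under edits, though switching an already-applied module from `count` to `for_each` needs a one-time `terraform state mv` per route. The rewritten resource is below; the `terraform` and `provider` blocks are unchanged apart from the two syntax fixes.
```hcl
resource "aws_route" "route-first" {
  provider = aws.first

  # One route per (route table, destination CIDR) pair. Keying on the pair
  # rather than a numeric index means editing routes-list never re-addresses
  # — and therefore never recreates — the routes that were not touched.
  for_each = toset([
    for pair in setproduct(var.route_table_id_list, var.routes-list) : "${pair[0]}|${pair[1]}"
  ])

  route_table_id         = split("|", each.key)[0]
  destination_cidr_block = split("|", each.key)[1]
  transit_gateway_id     = var.transit-gateway-id
}
```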
+++ b/old/tf-modules/aws/networks/add-tg-routes/vars.tf
@@ -0,0 +1,17 @@
+variable "aws_region" {}
+
+variable "route_table_id_list" {
+ type = list(string)
+ description = "route table ID to add route to"
+}
+
+variable "transit-gateway-id" {
+ description = "Transit gateway ID for the route"
+}
+
+variable "routes-list" {
+ type = list(string)
+ description = "Route list for the first AWS account. A list of destination CIDRs to route to via the this transit gateway id."
+
+ default = []
+}
diff --git a/old/tf-modules/aws/networks/add-tg-routes/versions.tf b/old/tf-modules/aws/networks/add-tg-routes/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/old/tf-modules/aws/networks/add-tg-routes/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/old/tf-modules/aws/networks/diagrams/ec2-1-instance.png b/old/tf-modules/aws/networks/diagrams/ec2-1-instance.png
new file mode 100644
index 000000000..fc44734de
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/ec2-1-instance.png differ
diff --git a/old/tf-modules/aws/networks/diagrams/ec2-1-security-group.png b/old/tf-modules/aws/networks/diagrams/ec2-1-security-group.png
new file mode 100644
index 000000000..e7e3ea0c3
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/ec2-1-security-group.png differ
diff --git a/old/tf-modules/aws/networks/diagrams/ec2-1-subnet.png b/old/tf-modules/aws/networks/diagrams/ec2-1-subnet.png
new file mode 100644
index 000000000..2ee89a85f
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/ec2-1-subnet.png differ
diff --git a/old/tf-modules/aws/networks/diagrams/ec2-1-vpc-route-table.png b/old/tf-modules/aws/networks/diagrams/ec2-1-vpc-route-table.png
new file mode 100644
index 000000000..e47a46d72
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/ec2-1-vpc-route-table.png differ
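Review bot: `variable "aws_region" {}` and `transit-gateway-id` carry no `type`, the first has no `description`, and nothing constrains any value, so a wrong region or a subnet ID pasted by mistake is only discovered as an AWS API error midway through an apply that has already touched route tables. Add `type = string` to both, a description such as `"AWS region of the VPC whose route tables receive the routes"` on `aws_region`, and (on Terraform 0.13+) a `validation` with `condition = can(regex("^tgw-[0-9a-f]+$", var.transit-gateway-id))` so the mistake surfaces at plan time. The `routes-list` description also reads "via the this transit gateway id" — drop the stray "the".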
diff --git a/old/tf-modules/aws/networks/diagrams/ec2-2-instance.png b/old/tf-modules/aws/networks/diagrams/ec2-2-instance.png
new file mode 100644
index 000000000..acf53a0fc
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/ec2-2-instance.png differ
diff --git a/old/tf-modules/aws/networks/diagrams/ec2-2-vpc-route-table.png b/old/tf-modules/aws/networks/diagrams/ec2-2-vpc-route-table.png
new file mode 100644
index 000000000..8b8cc1a8f
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/ec2-2-vpc-route-table.png differ
diff --git a/old/tf-modules/aws/networks/diagrams/transit-gateway-diagram.png b/old/tf-modules/aws/networks/diagrams/transit-gateway-diagram.png
new file mode 100644
index 000000000..23d6acdef
Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/transit-gateway-diagram.png differ
diff --git a/old/tf-modules/aws/networks/diagrams/transit-gateway.drawio b/old/tf-modules/aws/networks/diagrams/transit-gateway.drawio
new file mode 100644
index 000000000..69e936f8b
--- /dev/null
+++ b/old/tf-modules/aws/networks/diagrams/transit-gateway.drawio
@@ -0,0 +1 @@ +7Vxbd5s4EP41Pmf3AY4uXMRj4jRpuyddb92m7b7skUG22WLwAo6T/voV5mKQ8CUx+Bb3nLYwSDKa+WY+aQbo4O7k6S6k0/F94DCvg4Dz1ME3HYSgBgj/L5E8pxIFWZlkFLpO1mop6Lu/WCYEmXTmOiyqNIyDwIvdaVVoB77P7Lgio2EYzKvNhoFX/dUpHTFJ0LepJ0u/uU48TqVEB0v5e+aOxvkvQ5BdmdC8cSaIxtQJ5iURftfB3TAI4vRo8tRlXqK9XC9pv9sVV4sbC5kfb9PBGlvTH9/u/nyYf9WNpy+9j6blK8hIh3mk3iyb8T0L6U+XyxT+l/8K+K1/++fv2Rzi51wxYTDzHZaMDTv4ej52Y9afUju5OudY4LJxPPGyy0PX87qBF4SLvtihjAxtLo/iMPjJSlcMm7DBkF+RZ5dN+JGFMXsqibLZ3rFgwuLwmTfJr5oo7ZJhDxJgpoL50pIwN8+4ZEUjk9EMPKNi7KV++UGm4peo25TUffWt30EGnSQa8wfRdDF3w+N3cj0I+dEoOfoSUj9yY2VEYzanz3KDWaTMWRQraPNYlLsEn5rN9X+V3K8/DCm3w8yOZyGTm1/1P6UNDc0AuFEYDIdDZNfCwDEGhm40AwONaKpeBYJpIRkIui4DwWoNCEQCgqRa5jtXSQTjZ7ZHo8hNVUXDWBaXlMye3Ph76fgHPwZcA+nZTaIVkJ885yc+n9T38kmpV3K67LY4y/utNE8UzEKbbRF4+HRGLN7CZZhTCdSyuUu21Gt8OpeFzKOx+1gN73X2zX6hF7h8bgWasGEKQUU3q2OkU8+6leOxMJIGxZGAMFKqG2mkBeCKie+AQUvC4EPvkwRD7mZxFWEhi9xfdLBokKBgmtzh4p71645+k8QYzx35CUA5Lhj36evEXV3OqlfZhYnrOEn/a48OmHdN7Z+jRSSpRgf+pxZk611KjAzF4iC75Qr/1kUMBagYYVKxjgJ3g0/eJBgOI9aKObFszsa4hdGMWxrkEjngHT+XQKwBgUpIzZrCqKGSYmHYOJfkt/R2ucSUucT825x+eCSB4vWoob83GO7dKuioqMTAAgFY8JVUQrCASoIEsLVMJVruSUsIZmGFC+9WBZYeY6Hrj06WcQrHa4Jx+MoCV4yIGgGZ0KER+lnnW62xD2yWfaCEuuNnHwuI5LPPfUyt1fHboZ51qN+4i8kXZ0dCPbBIexTcYwoQ2ZZ7ICZA3F9LgzVHP7VW0M6cfda63oV8bhVdAsA0DBxOBG7gK3GSGHuc2uuzZrtxS/fDzedFyyrfQb6TNFWgcgPcQqNhymHGCsoxrQFYG9ZesOER4gT3bSBTTt1+x8QtUY6csW6acoAKzTLtQBXA/HwF8fCTHg8nfIaJ++9tPwOPilV0KeGer09eSiriSAho2+XGuH2TWF80y0L1ylvWLAHfAFSqKPwgHbLRcCVXAR56fCRw6pSUu+bOlMQ9kBABTLtBtH0OkjP623JQQ/ubNRyknzIHmaKPoro63l45SE61vsjWra43jFO2NUQ6OjZjw/bzq9xs0Nh5xbHc/qq6hspbYL7EB5s2wYuzVy1itt0Z17fTjmoNAwHhygfChpaYRLWIVfwhr1vWWNhS+VJGtzQITGxqwp4LbJm1Xb3IaZrToJzXPY+VCmwsdXuKSxWI9hDRkF4OaFvm7VQdYzFwQbO1yLU2V7c5dOnHFbqwZahWtWwNiaGr2u6RC2IpWEGBbw8frORk9JkEq9xd32awkpN78aai0edgFvNVM/iyUIx0ecLX6onCpPWzMLASJuMoqXpF9ERjOk0Oufmo5zEvGIV0kmCmFIgq10oR6ijX3pr4bENRbyrFL5SDsennJettLyf7Fi7dlL2p4yjxKDVzdP4WJuJG2jy4geVU2MW5WzG9cXzOLWfMLs69Q5pM0wTvrinV7NnCcp7s4t2tpM2wmLGw4KGNj+S02cW9d8mMwqPzb7QqPUTjmNrjCVtsEQrDp
f826PIjxU12YT71lPQX07T72UNBeNxzWaU/HBLkR3AuSNgD5xMhJkDt4EiQt+sXJOylcCYGhX1Cgf333firP/YJurLvHybB7cc/oCKzw7sukkxxAkXJXGu5arWaeNvai6S1qkVnolpTTEloNajdr2rlLPJpqlYupe9Vtw9Tm3z4as8sGtzo/94HX/9h85qIICn2tXWnZQlJ00mnVEKCKiBFTeklFaRlKatcySqKV7WVrHQ6QkFoYxlqXfTcWIVKc6QHKzppogOL77ltXWISH/PBujBSc0+R14JTjqlvFJyHwhKRsJQ8uIZeByei8b6WcVhItfh6zAVS29XEockV1BysIEZI1bUD40reY8lfbfn0o3ugr7bU1Km3AETx1RbxLbe9fralVt3n9LGOI/ZVHYgPr2Ajf7XsxX7KYSS+llYzXMt+elJf2Nj68ZIqZlZ7zEofP7YPbPDT5Xe40ubLz5nhd/8D \ No newline at end of file diff --git a/old/tf-modules/aws/networks/diagrams/us-east-1-tg-attachments.png b/old/tf-modules/aws/networks/diagrams/us-east-1-tg-attachments.png new file mode 100644 index 000000000..4440f6a0f Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/us-east-1-tg-attachments.png differ diff --git a/old/tf-modules/aws/networks/diagrams/us-east-1-tg-route-table.png b/old/tf-modules/aws/networks/diagrams/us-east-1-tg-route-table.png new file mode 100644 index 000000000..a8f20117e Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/us-east-1-tg-route-table.png differ diff --git a/old/tf-modules/aws/networks/diagrams/us-west-2-tg-attachment-peering.png b/old/tf-modules/aws/networks/diagrams/us-west-2-tg-attachment-peering.png new file mode 100644 index 000000000..6a9aab417 Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/us-west-2-tg-attachment-peering.png differ diff --git a/old/tf-modules/aws/networks/diagrams/us-west-2-tg-attachments.png b/old/tf-modules/aws/networks/diagrams/us-west-2-tg-attachments.png new file mode 100644 index 000000000..0cbcc93d3 Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/us-west-2-tg-attachments.png differ 
diff --git a/old/tf-modules/aws/networks/diagrams/us-west-2-tg-route-table.png b/old/tf-modules/aws/networks/diagrams/us-west-2-tg-route-table.png new file mode 100644 index 000000000..48e29fac0 Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/us-west-2-tg-route-table.png differ diff --git a/old/tf-modules/aws/networks/diagrams/us-west-2-transit-gateway.png b/old/tf-modules/aws/networks/diagrams/us-west-2-transit-gateway.png new file mode 100644 index 000000000..330ed9353 Binary files /dev/null and b/old/tf-modules/aws/networks/diagrams/us-west-2-transit-gateway.png differ diff --git a/old/tf-modules/aws/networks/peer-transit-gateway-internal/README.md b/old/tf-modules/aws/networks/peer-transit-gateway-internal/README.md new file mode 100644 index 000000000..1ea5ead63 --- /dev/null +++ b/old/tf-modules/aws/networks/peer-transit-gateway-internal/README.md @@ -0,0 +1,13 @@ +# peer-transit-gateway-internal + +This module uses one AWS accounts (#1). + +It will peer two transit gateways together + +## Assumptions + +- AWS account #1 owns both of the Transit Gateway and it is already created. + +## This module will: + +- diff --git a/old/tf-modules/aws/networks/peer-transit-gateway-internal/main.tf b/old/tf-modules/aws/networks/peer-transit-gateway-internal/main.tf new file mode 100644 index 000000000..4da1b5635 --- /dev/null +++ b/old/tf-modules/aws/networks/peer-transit-gateway-internal/main.tf 
@@ -0,0 +1,32 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+// First account owns the transit gateway and accepts the VPC attachment.
+provider "aws" {
+ alias = "first"
+
+ region = var.aws_region
+ access_key = var.aws_first_access_key
+ secret_key = var.aws_first_secret_key
+}
+
+// Create the transit gateway attachment in the second account...
+resource "aws_ec2_transit_gateway_vpc_attachment" "transit-gateway" {
+ provider = "aws.first"
+
+ subnet_ids = [
+ for item in aws_subnet.transit-gateway:
+ item.id
+ ]
+ transit_gateway_id = var.transit-gateway-id
+ vpc_id = data.aws_vpc.transit-gateway.id
+
+ tags = merge(
+ {
+ "Name" = format("%s-%s", "tg-att", var.name-postfix)
+ },
+ var.tags,
+ )
+}
diff --git a/old/tf-modules/aws/networks/peer-transit-gateway-internal/vars.tf b/old/tf-modules/aws/networks/peer-transit-gateway-internal/vars.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/old/tf-modules/aws/networks/tg-external-attach-to-vpc/README.md b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/README.md
new file mode 100644
index 000000000..bbdeb83b6
--- /dev/null
+++ b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/README.md
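Review bot: The `aws_ec2_transit_gateway_vpc_attachment` resource references `aws_subnet.transit-gateway`, `data.aws_vpc.transit-gateway`, `var.name-postfix` and `var.tags`, none of which exist in this module — its `vars.tf` is added in the same commit as an empty file (`index 000000000..e69de29bb`, the empty-blob hash) — so `terraform validate` cannot pass. The module README says it peers two transit gateways, yet the only resource here is a VPC attachment; a peering would need `aws_ec2_transit_gateway_peering_attachment` plus its accepter, and the comment `// Create the transit gateway attachment in the second account...` contradicts the single `aws.first` provider. This looks like an unfinished copy of `tg-internal-attach-to-vpc`; either finish it with the peering resources or do not ship it under this name. Separately, the provider takes raw `access_key`/`secret_key` variables; an `assume_role { role_arn = var.first_role_arn }` block would keep long-lived keys out of tfvars files.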
@@ -0,0 +1,34 @@ +# tg-external-attach-to-vpc + +This module uses two AWS accounts (#1 and #2). + +You need to have access to both AWS accounts. + +## Assumptions + +- AWS account #1 owns the Transit Gateway and it is already created. The transit gateway's ARN and ID will be passed into this module. +- AWS account #2 has a VPC already created and the VPC ID will be passed into this module. + +## This module will: + +- AWS account #1 shares the Transit Gateway with AWS account #2 +- AWS account #2 accepts the share invite +- AWS account #2 attaches the VPC's subnet(s) to the transit gateway + +## AWS credentials + +This module uses the credentials from the `./_env_defaults/transit-gateway.tfvars` file or it needs these parameters: + +``` +# AWS Account #1: +aws_first_access_key = "xxx" +aws_first_secret_key = "xxx" + +# AWS Account #2 +# aws_second_access_key = "xxx" +# aws_second_secret_key = "xxx" +``` + +The reason this needs two accounts is to support the external account setting when attaching a VPC to an external Transit Gateway +that belongs in another account. While the `internal` one doesn't need this and hence it only needs one account, making this module +and the `external` module work in a similar fashion should make it easier to use both. diff --git a/old/tf-modules/aws/networks/tg-external-attach-to-vpc/main.tf b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/main.tf new file mode 100644 index 000000000..a9d10e8cf --- /dev/null +++ b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/main.tf 
@@ -0,0 +1,143 @@ +terraform { + backend "s3" { + } +} + +// First account owns the transit gateway and accepts the VPC attachment. +provider "aws" { + alias = "first" + + region = var.aws_region + access_key = var.aws_first_access_key + secret_key = var.aws_first_secret_key +} + +// Second account owns the VPC and creates the VPC attachment. +provider "aws" { + alias = "second" + + region = var.aws_region + access_key = var.aws_second_access_key + secret_key = var.aws_second_secret_key +} + +data "aws_availability_zones" "available" { + provider = "aws.second" + + state = "available" +} + +data "aws_caller_identity" "second" { + provider = "aws.second" +} + +resource "aws_ram_resource_share" "resource-share" { + provider = aws.first + name = "tgw-share-us-west-2-mock" + allow_external_principals = true + + tags = merge( + { + "Name" = format("%s-%s", "tg-share", var.name-postfix) + }, + var.tags, + ) +} + +resource "aws_ram_resource_association" "tgw" { + provider = aws.first + resource_arn = var.transit-gateway-arn + resource_share_arn = aws_ram_resource_share.resource-share.arn +} + +resource "aws_ram_principal_association" "principal-association" { + provider = aws.first + principal = data.aws_caller_identity.second.account_id + resource_share_arn = aws_ram_resource_share.resource-share.arn +} + +# account #2 +resource "aws_ram_resource_share_accepter" "resource-share-accepter" { + provider = aws.second + share_arn = aws_ram_principal_association.principal-association.resource_share_arn +} + +data "aws_vpc" "transit-gateway" { + provider = "aws.second" + id = var.vpc_id_second +} + +resource "aws_subnet" "transit-gateway" { + provider = "aws.second" + + count = length(var.subnets_cidr) + + availability_zone = var.availability_zone[count.index] + cidr_block = var.subnets_cidr[count.index] + vpc_id = data.aws_vpc.transit-gateway.id + + tags = merge( + { + "Name" = format("%s-%s", "tg-subnet", var.name-postfix) + }, + var.tags, + ) +} + +resource "aws_route_table" 
"route-table" { + provider = "aws.second" + + vpc_id = var.vpc_id_second + + tags = merge( + { + "Name" = format("%s-%s", "tg-routes", var.name-postfix) + }, + var.tags, + ) +} + +resource "aws_route_table_association" "route-table-association" { + provider = "aws.second" + + count = length(var.subnets_cidr) + + subnet_id = aws_subnet.transit-gateway[count.index].id + route_table_id = aws_route_table.route-table.id +} + +// Create the VPC attachment in the second account... +resource "aws_ec2_transit_gateway_vpc_attachment" "transit-gateway" { + provider = "aws.second" + + depends_on = [aws_ram_principal_association.principal-association, aws_ram_resource_association.tgw, aws_ram_resource_share_accepter.resource-share-accepter] + + subnet_ids = [ + for num in aws_subnet.transit-gateway: + num.id + ] + transit_gateway_id = var.transit-gateway-id + vpc_id = data.aws_vpc.transit-gateway.id + + tags = merge( + { + "Name" = format("%s-%s", "tg-att", var.name-postfix) + }, + var.tags, + ) +} + +resource "aws_ec2_transit_gateway_vpc_attachment_accepter" "transit-gateway" { + provider = "aws.first" + + depends_on = [aws_ec2_transit_gateway_vpc_attachment.transit-gateway] + + transit_gateway_attachment_id = "${aws_ec2_transit_gateway_vpc_attachment.transit-gateway.id}" + + tags = merge( + { + "Name" = format("%s-%s", "tg-accepter", var.name-postfix) + }, + var.tags, + ) +} \ No newline at end of file diff --git a/old/tf-modules/aws/networks/tg-external-attach-to-vpc/outputs.tf b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/outputs.tf new file mode 100644 index 000000000..9b6ef343c --- /dev/null +++ b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/outputs.tf @@ -0,0 +1,3 @@ +output "aws_route_table_id" { + value = aws_route_table.route-table.id +} diff --git a/old/tf-modules/aws/networks/tg-external-attach-to-vpc/vars.tf b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/vars.tf new file mode 100644 index 000000000..fcfa1c9bc --- /dev/null 
+++ b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/vars.tf @@ -0,0 +1,50 @@ +variable "name-postfix" { + default = "" +} + +variable "tags" { + type = map(string) + + default = { + Name = "dev" + Environment = "env" + Account = "dev" + Group = "devops" + Region = "us-east-1" + managed_by = "Terraform" + } +} + +variable "aws_first_access_key" {} + +variable "aws_first_secret_key" {} + +variable "aws_second_access_key" {} + +variable "aws_second_secret_key" {} + +variable "aws_region" {} + +variable "transit-gateway-arn" { + description = "The transit gateways arn to attach to" +} + +variable "transit-gateway-id" { + description = "The transit gateways id to attach to" +} + +variable "vpc_id_second" { + description = "The VPC to create and attach the transit gateway to" +} + +variable "subnets_cidr" { + type = list(string) + + default = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"] +} + +variable "availability_zone" { + type = list(string) + + default = ["us-west-2a", "us-west-2b", "us-west-2c"] +} diff --git a/old/tf-modules/aws/networks/tg-external-attach-to-vpc/versions.tf b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/old/tf-modules/aws/networks/tg-external-attach-to-vpc/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/README.md b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/README.md new file mode 100644 index 000000000..fde31850a --- /dev/null +++ b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/README.md 
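Review bot: `aws_first_access_key`, `aws_first_secret_key`, `aws_second_access_key` and `aws_second_secret_key` are plain untyped variables with no `sensitive = true`, so the secret keys will be printed in plan/apply output and in any output that echoes them. `sensitive` needs Terraform ≥ 0.14 while the accompanying `versions.tf` only requires `>= 0.12`, so either raise `required_version` or, better, drop these four variables and let the providers use the ambient credential chain or `assume_role`, as the `transit-gateway` module in this same commit already does. The `subnets_cidr` (`192.168.1.0/24`…) and `availability_zone` (`us-west-2a/b/c`) defaults will silently carve subnets into whatever VPC is passed if the caller forgets to override them; I would remove those defaults so the caller must choose them explicitly.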
@@ -0,0 +1,30 @@ +# tg-external-attach-to-vpc + +This module uses one AWS accounts (#1). + +## Assumptions + +- AWS account #1 owns the Transit Gateway and it is already created. The transit gateway's ARN and ID will be passed into this module. +- AWS account #1 has a VPC already created and the VPC ID will be passed into this module. + +## This module will: + +- AWS account #1 attaches the VPC's subnet(s) to the transit gateway + +## AWS credentials + +This module uses the credentials from the `./_env_defaults/transit-gateway.tfvars` file or it needs these parameters: + +``` +# AWS Account #1: +aws_first_access_key = "xxx" +aws_first_secret_key = "xxx" + +# AWS Account #2 +# aws_second_access_key = "xxx" +# aws_second_secret_key = "xxx" +``` + +The reason this needs two accounts is to support the external account setting when attaching a VPC to an external Transit Gateway +that belongs in another account. While the `internal` one doesn't need this and hence it only needs one account, making this module +and the `external` module work in a similar fashion should make it easier to use both. diff --git a/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/main.tf b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/main.tf new file mode 100644 index 000000000..eba18d56f --- /dev/null +++ b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/main.tf 
@@ -0,0 +1,80 @@ +terraform { + backend "s3" { + } +} + +// First account owns the transit gateway and accepts the VPC attachment. +provider "aws" { + alias = "first" + + region = var.aws_region + access_key = var.aws_first_access_key + secret_key = var.aws_first_secret_key +} + +data "aws_caller_identity" "second" { + provider = "aws.first" +} + +data "aws_vpc" "transit-gateway" { + provider = "aws.first" + id = var.vpc_id_first +} + +resource "aws_subnet" "transit-gateway" { + provider = "aws.first" + + count = length(var.subnets_cidr) + + availability_zone = var.availability_zone[count.index] + cidr_block = var.subnets_cidr[count.index] + vpc_id = data.aws_vpc.transit-gateway.id + + tags = merge( + { + "Name" = format("%s-%s", "tg-subnet", var.name-postfix) + }, + var.tags, + ) +} + +resource "aws_route_table" "route-table" { + provider = "aws.first" + + vpc_id = var.vpc_id_first + + tags = merge( + { + "Name" = format("%s-%s", "tg-routes", var.name-postfix) + }, + var.tags, + ) +} + +resource "aws_route_table_association" "route-table-association" { + provider = "aws.first" + + count = length(var.subnets_cidr) + + subnet_id = aws_subnet.transit-gateway[count.index].id + route_table_id = aws_route_table.route-table.id +} + +// Create the VPC attachment in the second account... +resource "aws_ec2_transit_gateway_vpc_attachment" "transit-gateway" { + provider = "aws.first" + + subnet_ids = [ + for item in aws_subnet.transit-gateway: + item.id + ] + transit_gateway_id = var.transit-gateway-id + vpc_id = data.aws_vpc.transit-gateway.id + + tags = merge( + { + "Name" = format("%s-%s", "tg-att", var.name-postfix) + }, + var.tags, + ) +} diff --git a/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/outputs.tf b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/outputs.tf new file mode 100644 index 000000000..c018132f2 --- /dev/null +++ b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/outputs.tf 
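Review bot: `data "aws_caller_identity" "second"` is declared against `aws.first` and never referenced, and the comment `// Create the VPC attachment in the second account...` is carried over from the external module even though this module has a single provider. Suggest deleting the data source and changing the comment to `// Create the VPC attachment in the owning (only) account.`. The quoted `provider = "aws.first"` form is deprecated in 0.12-style HCL; `provider = aws.first` matches the bare-reference style already used in `tg-external-attach-to-vpc/main.tf`.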
@@ -0,0 +1,11 @@ +output "aws_route_table_id" { + value = aws_route_table.route-table.id +} + +output "aws_ec2_transit_gateway_vpc_attachment_id" { + value = aws_ec2_transit_gateway_vpc_attachment.transit-gateway.id +} + +output "aws_ec2_transit_gateway_vpc_attachment_vpc_owner_id" { + value = aws_ec2_transit_gateway_vpc_attachment.transit-gateway.vpc_owner_id +} diff --git a/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/vars.tf b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/vars.tf new file mode 100644 index 000000000..159d1f2df --- /dev/null +++ b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/vars.tf @@ -0,0 +1,46 @@ +variable "name-postfix" { + default = "" +} + +variable "tags" { + type = map(string) + + default = { + Name = "dev" + Environment = "env" + Account = "dev" + Group = "devops" + Region = "us-east-1" + managed_by = "Terraform" + } +} + +variable "aws_first_access_key" {} + +variable "aws_first_secret_key" {} + +variable "aws_region" {} + +variable "transit-gateway-arn" { + description = "The transit gateways arn to attach to" +} + +variable "transit-gateway-id" { + description = "The transit gateways id to attach to" +} + +variable "vpc_id_first" { + description = "The VPC to create and attach the transit gateway to" +} + +variable "subnets_cidr" { + type = list(string) + + default = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"] +} + +variable "availability_zone" { + type = list(string) + + default = ["us-west-2a", "us-west-2b", "us-west-2c"] +} diff --git a/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/versions.tf b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/old/tf-modules/aws/networks/tg-internal-attach-to-vpc/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} 
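Review bot: `transit-gateway-arn` is declared in this `vars.tf` but the module's `main.tf` in this commit references only `var.transit-gateway-id`, so the ARN input is dead and should be removed or its description should say why it is kept. `aws_first_access_key`/`aws_first_secret_key` are untyped and not marked sensitive; since this is a single-account module, I would prefer the provider to use the ambient AWS credential chain, as `transit-gateway/main.tf` in this commit does, rather than accepting static keys as inputs.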
diff --git a/old/tf-modules/aws/networks/transit-gateway-route-table/README.md b/old/tf-modules/aws/networks/transit-gateway-route-table/README.md
new file mode 100644
index 000000000..a05d30219
--- /dev/null
+++ b/old/tf-modules/aws/networks/transit-gateway-route-table/README.md
@@ -0,0 +1,19 @@
+transit-gateway-route-table
+===========================
+
+This module adds routes into the Transit Gateway's Route table for all of the destination routes this side will want to reach on the remote Transit Gateways.
+
+If this region wants to reach any other subnets via the Transit Gateways going through this Transit Gateway then the CIDR blocks of the destinations needs to be in this list or it won't route it through this Transit Gateway.
+
+## AWS credentials
+
+This module uses the local shell's environment to get the AWS credentials.
+
+(not from the `./_env_defaults/transit-gateway.tfvars`)
+
+If you are exporting the AWS credentials to your environment, you need at the minimum:
+
+```
+AWS_SECRET_ACCESS_KEY=xxxx
+AWS_ACCESS_KEY_ID=xxxx
+```
\ No newline at end of file
diff --git a/old/tf-modules/aws/networks/transit-gateway-route-table/main.tf b/old/tf-modules/aws/networks/transit-gateway-route-table/main.tf
new file mode 100644
index 000000000..b45f0ffb0
--- /dev/null
+++ b/old/tf-modules/aws/networks/transit-gateway-route-table/main.tf
@@ -0,0 +1,19 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ alias = "first"
+
+ region = "${var.aws_region}"
+}
+
+resource "aws_ec2_transit_gateway_route" "tg-route" {
+ provider = aws.first
+ count = length(var.destination_cidr_block_list)
+ destination_cidr_block = var.destination_cidr_block_list[count.index]
+ blackhole = var.blackhole_list[count.index]
+ transit_gateway_attachment_id = var.transit_gateway_attachment_id
+ transit_gateway_route_table_id = var.transit_gateway_route_table_id
+}
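Review bot: `blackhole = var.blackhole_list[count.index]` indexes a list whose default in this commit's `vars.tf` is `[]`, while `count` follows `destination_cidr_block_list`, so any non-empty route list used with the default `blackhole_list` fails at plan time with an index-out-of-range error. `blackhole_list` is also typed `list(string)` and described as "A list of CIDRs", but the `blackhole` argument is a per-route boolean, and a blackhole route has no attachment target, so `transit_gateway_attachment_id` should be null for those entries rather than always set (I believe the provider rejects both together — verify). A minimal fix is `blackhole = length(var.blackhole_list) > count.index ? var.blackhole_list[count.index] : false` and `transit_gateway_attachment_id = (length(var.blackhole_list) > count.index && var.blackhole_list[count.index]) ? null : var.transit_gateway_attachment_id`, with `blackhole_list` retyped to `list(bool)`. Style: `region = "${var.aws_region}"` is the legacy interpolation-only form; the rest of the commit writes `region = var.aws_region`.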
diff --git a/old/tf-modules/aws/networks/transit-gateway-route-table/outputs.tf b/old/tf-modules/aws/networks/transit-gateway-route-table/outputs.tf new file mode 100644 index 000000000..e69de29bb diff --git a/old/tf-modules/aws/networks/transit-gateway-route-table/vars.tf b/old/tf-modules/aws/networks/transit-gateway-route-table/vars.tf new file mode 100644 index 000000000..22d7fefa9 --- /dev/null +++ b/old/tf-modules/aws/networks/transit-gateway-route-table/vars.tf @@ -0,0 +1,25 @@ +variable "aws_region" {} + +variable "destination_cidr_block_list" { + type = list(string) + description = "Route list for the first AWS account. A list of CIDRs." + + default = [] +} + +variable "blackhole_list" { + type = list(string) + description = "Route list for the first AWS account to black hole. A list of CIDRs." + + default = [] +} + +variable "transit_gateway_attachment_id" { + description = "The transit gateway for the routes" + type = string +} + +variable "transit_gateway_route_table_id" { + description = "The transit gateway route table id" + type = string +} diff --git a/old/tf-modules/aws/networks/transit-gateway/README.md b/old/tf-modules/aws/networks/transit-gateway/README.md new file mode 100644 index 000000000..2cb11d8c9 --- /dev/null +++ b/old/tf-modules/aws/networks/transit-gateway/README.md @@ -0,0 +1,17 @@ +transit-gateway +=========================== + +This module creates a Transit Gateway in the specified region. + +## AWS credentials + +This module uses the local shell's environment to get the AWS credentials. + +(not from the `./_env_defaults/transit-gateway.tfvars`) + +If you are exporting the AWS credentials to your environment, you need at the minimum: + +``` +AWS_SECRET_ACCESS_KEY=xxxx +AWS_ACCESS_KEY_ID=xxxx +``` \ No newline at end of file diff --git a/old/tf-modules/aws/networks/transit-gateway/main.tf b/old/tf-modules/aws/networks/transit-gateway/main.tf new file mode 100644 index 000000000..16f94f94f --- /dev/null 
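Review bot: `blackhole_list` is typed `list(string)` and described as "A list of CIDRs", but `main.tf` in this commit feeds each element straight into the boolean `blackhole` argument of `aws_ec2_transit_gateway_route`, so the type and description are both wrong. Suggest `type = list(bool)` with `description = "Per-route flag, parallel to destination_cidr_block_list, marking the route as a blackhole (no attachment target)"`. The `transit_gateway_attachment_id` description, "The transit gateway for the routes", should name an attachment rather than the gateway: `description = "Transit gateway attachment ID that non-blackhole routes point at"`.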
+++ b/old/tf-modules/aws/networks/transit-gateway/main.tf
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+// First account owns the transit gateway and accepts the VPC attachment.
+provider "aws" {
+ alias = "first"
+
+ region = "${var.aws_region}"
+}
+
+# account #1
+resource "aws_ec2_transit_gateway" "transit-gateway" {
+ provider = aws.first
+
+ amazon_side_asn = var.amazon_side_asn
+ auto_accept_shared_attachments = var.auto_accept_shared_attachments
+ description = var.description
+ dns_support = var.dns_support
+ vpn_ecmp_support = var.vpn_ecmp_support
+
+ tags = var.tags
+}
diff --git a/old/tf-modules/aws/networks/transit-gateway/outputs.tf b/old/tf-modules/aws/networks/transit-gateway/outputs.tf
new file mode 100644
index 000000000..99c6bf9fa
--- /dev/null
+++ b/old/tf-modules/aws/networks/transit-gateway/outputs.tf
@@ -0,0 +1,15 @@
+output "aws_ec2_transit_gateway_arn" {
+ value = aws_ec2_transit_gateway.transit-gateway.arn
+}
+
+output "aws_ec2_transit_gateway_id" {
+ value = aws_ec2_transit_gateway.transit-gateway.id
+}
+
+output "aws_ec2_transit_gateway_association_default_route_table_id" {
+ value = aws_ec2_transit_gateway.transit-gateway.association_default_route_table_id
+}
+
+output "aws_ec2_transit_gateway_propagation_default_route_table_id" {
+ value = aws_ec2_transit_gateway.transit-gateway.propagation_default_route_table_id
+}
diff --git a/old/tf-modules/aws/networks/transit-gateway/vars.tf b/old/tf-modules/aws/networks/transit-gateway/vars.tf
new file mode 100644
index 000000000..bc49ce6ce
--- /dev/null
+++ b/old/tf-modules/aws/networks/transit-gateway/vars.tf
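Review bot: The header comment `// First account owns the transit gateway and accepts the VPC attachment.` is copied from the attach modules; this module only creates the gateway and has no attachment, so `// Creates the Transit Gateway; AWS credentials come from the ambient credential chain.` would describe it. `region = "${var.aws_region}"` uses the legacy interpolation-only form where the rest of this commit writes `region = var.aws_region`; `terraform fmt` on 0.12+ rewrites it anyway. Leaving `auto_accept_shared_attachments` at its `disable` default is the right call, since the external attach module adds an explicit `aws_ec2_transit_gateway_vpc_attachment_accepter` on the owning side.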
@@ -0,0 +1,34 @@ +variable "tags" { + type = map(string) + + default = { + Name = "dev" + Environment = "env" + Account = "dev" + Group = "devops" + Region = "us-east-1" + managed_by = "Terraform" + } +} + +variable "aws_region" {} + +variable "amazon_side_asn" { + default = "64512" +} + +variable "auto_accept_shared_attachments" { + default = "disable" +} + +variable "description" { + default = "Transit gateway created via Terraform" +} + +variable "dns_support" { + default = "enable" +} + +variable "vpn_ecmp_support" { + default = "enable" +} diff --git a/old/tf-modules/aws/networks/transit-gateway/versions.tf b/old/tf-modules/aws/networks/transit-gateway/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/old/tf-modules/aws/networks/transit-gateway/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/old/tf-modules/aws/rds/README.md b/old/tf-modules/aws/rds/README.md new file mode 100644 index 000000000..cec9452da --- /dev/null +++ b/old/tf-modules/aws/rds/README.md @@ -0,0 +1,11 @@ +RDS +============== +This module creates a single instance of an AWS RDS resource. + +It also creates all auxiliary items (subnets, security groups, etc) this resource needs to run in a VPC. By +creating all resources the RDS needs to run in oppose to piggy backing on +other resources, it allows us to change this resource and it's "world" without +affecting other resources. This allows us to perform CRUD operations in an +isolated fashion against this resource. + +This resource has it's subnets published in the [cidr-range.md](../../cidr-range.md) document. diff --git a/old/tf-modules/aws/rds/main.tf b/old/tf-modules/aws/rds/main.tf new file mode 100644 index 000000000..867344c4e --- /dev/null +++ b/old/tf-modules/aws/rds/main.tf 
@@ -0,0 +1,143 @@ +locals { + # Common tags to be assigned to all resources + common_tags = { + name = var.name + resource_for = var.resource_for + env = var.env + group = var.group + application = var.application + managed_by = "Terraform" + } +} + +terraform { + backend "s3" { + } +} + +provider "aws" { + region = var.aws_region +} + +data "aws_vpc" "vpc" { + id = var.vpc_id +} + +resource "aws_subnet" "subnet_1" { + vpc_id = data.aws_vpc.vpc.id + cidr_block = var.subnet_1_cidr + availability_zone = var.az_1 + + tags = merge( + local.common_tags, + { + "Name" = var.name + }, + ) +} + +resource "aws_subnet" "subnet_2" { + vpc_id = data.aws_vpc.vpc.id + cidr_block = var.subnet_2_cidr + availability_zone = var.az_2 + + tags = merge( + local.common_tags, + { + "Name" = var.name + }, + ) +} + +resource "aws_db_subnet_group" "subnet_group" { + name = "${var.name}-${var.env}-${var.application}" + subnet_ids = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id] + + tags = merge( + local.common_tags, + { + "Name" = var.name + }, + ) +} + +resource "aws_db_instance" "database" { + depends_on = [aws_security_group.security_group] + allow_major_version_upgrade = var.allow_major_version_upgrade + backup_retention_period = var.backup_retention_period + deletion_protection = var.deletion_protection + identifier = "${var.identifier}-${var.env}" + instance_class = var.instance_class + snapshot_identifier = var.snapshot_id + name = var.name + username = var.username + password = var.password + parameter_group_name = aws_db_parameter_group.parameter_group.id + skip_final_snapshot = var.skip_final_snapshot + storage_encrypted = var.storage_encrypted + storage_type = var.storage_type + allocated_storage = var.storage + engine = var.engine + engine_version = var.engine_version[var.engine] + db_subnet_group_name = aws_db_subnet_group.subnet_group.id + vpc_security_group_ids = [aws_security_group.security_group.id] + apply_immediately = var.apply_immediately + replicate_source_db = 
var.replicate_source_db + kms_key_id = var.kms_key_id + multi_az = var.multi_az + + tags = merge( + local.common_tags, + { + "Name" = var.name + }, + ) +} + +resource "aws_security_group" "security_group" { + name = "Database-${var.name}-${var.env}" + description = "Allow traffic to the database" + vpc_id = data.aws_vpc.vpc.id + + ingress { + from_port = var.ingress_allow_port_from + protocol = "tcp" + to_port = var.ingress_allow_port_to + cidr_blocks = var.ingress_cidr_blocks + } + + egress { + from_port = var.egress_allow_port_from + protocol = "tcp" + to_port = var.egress_allow_port_to + cidr_blocks = var.egress_cidr_blocks + } + + tags = merge( + local.common_tags, + { + "Name" = var.name + }, + ) +} + +resource "aws_db_parameter_group" "parameter_group" { + name = "${var.name}-${var.env}-${var.application}" + family = var.parameter_group_family + + dynamic "parameter" { + iterator = item + for_each = var.parameter_group_items + content { + name = item.value.name + value = item.value.value + } + } + + tags = merge( + local.common_tags, + { + "Name" = var.name + }, + ) +} diff --git a/old/tf-modules/aws/rds/outputs.tf b/old/tf-modules/aws/rds/outputs.tf new file mode 100644 index 000000000..83458a82d --- /dev/null +++ b/old/tf-modules/aws/rds/outputs.tf @@ -0,0 +1,16 @@ +output "aws_db_instance_id" { + value = aws_db_instance.database.id +} + +output "aws_db_instance_address" { + value = aws_db_instance.database.address +} + +output "aws_db_instance_arn" { + value = aws_db_instance.database.arn +} + +output "aws_db_instance_endpoint" { + value = aws_db_instance.database.endpoint +} + diff --git a/old/tf-modules/aws/rds/vars.tf b/old/tf-modules/aws/rds/vars.tf new file mode 100644 index 000000000..3de1739e2 --- /dev/null +++ b/old/tf-modules/aws/rds/vars.tf 
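Review bot: `password = var.password` lands the RDS master password in clear text in the Terraform state, and the `backend "s3" { }` block is empty, so state-at-rest encryption depends entirely on whatever `-backend-config` the caller passes; I would pin `encrypt = true` inside the backend block and read the password from Secrets Manager or an SSM SecureString rather than a tfvars variable (it still reaches state, so the bucket must be encrypted and access-restricted either way). The `ingress`/`egress` blocks pass `var.ingress_cidr_blocks`/`var.egress_cidr_blocks` through unchecked, and this commit's `vars.tf` defaults both to `0.0.0.0/0`, so a caller who does not override them gets a database open to anything its subnet can route to. `depends_on = [aws_security_group.security_group]` is redundant because `vpc_security_group_ids` already references the group and establishes the ordering.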
@@ -0,0 +1,187 @@ +# Networking + +variable "aws_region" { + default = "us-east-1" +} + +variable "vpc_id" { + description = "VPC ID" + default = "vpc-xxxxxx" +} + +variable "subnet_1_cidr" { + default = "172.16.0.0/28" + description = "Your AZ" +} + +variable "subnet_2_cidr" { + default = "172.16.0.16/28" + description = "Your AZ" +} + +variable "az_1" { + default = "us-east-1b" + description = "Your Az1, use AWS CLI to find your account specific" +} + +variable "az_2" { + default = "us-east-1c" + description = "Your Az2, use AWS CLI to find your account specific" +} + +# RDS Parameters + +variable "username" { + default = "DB_USER" + description = "User name" +} + +variable "password" { + default = "DB_PASSWORD" + description = "password, provide through your ENV variables" +} + +variable "instance_class" { + default = "db.t3.medium" +} + +variable "name" { + default = "rds-generic" +} + +variable "identifier" { + default = "rds-generic" +} + +variable "env" { + default = "dev" +} + +variable "group" { + description = "The team or group this resource belongs to" + default = "default" +} + +variable "application" { + description = "The application this belongs to" + default = "default" +} + +variable "resource_for" { + description = "The type of resource this is for" + default = "rds" +} + +variable "region" { + default = "us-east-1" +} + +variable "ingress_cidr_blocks" { + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "ingress_allow_port_from" { + default = 3306 +} + +variable "ingress_allow_port_to" { + default = 3306 +} + +variable "egress_cidr_blocks" { + type = list(string) + default = ["0.0.0.0/0"] +} + +variable "egress_allow_port_from" { + default = 3306 +} + +variable "egress_allow_port_to" { + default = 3306 +} + +variable "storage" { + default = "10" + description = "Storage size in GB" +} + +variable "engine" { + default = "mysql" + description = "Engine type, example values mysql, postgres" +} + +variable "engine_version" { + 
description = "Engine version" + type = map(string) + default = { + mysql = "5.6.41" + postgres = "9.6.8" + } +} + +variable "parameter_group_family" { + default = "mysql5.6" +} + +variable "allow_major_version_upgrade" { + default = false +} + +variable "snapshot_id" { + default = "" +} + +variable "apply_immediately" { + description = "When to apply change. Set to true if right now or false if on next maintenance window" + default = "false" +} + +variable "replicate_source_db" { + default = "" +} + +variable "kms_key_id" { + default = "" + description = "The local KMS Key ARN to use. Local to this replica." +} + +variable "multi_az" { + default = true +} + +variable "storage_encrypted" { + default = true +} + +variable "storage_type" { + default = "gp2" +} + +variable "skip_final_snapshot" { + default = true +} + +variable "deletion_protection" { + default = true +} + +variable "backup_retention_period" { + default = 10 +} + +variable "parameter_group_items" { + type = list + description = "list of ingress ports" + default = [ + { + name = "character_set_server" + value = "utf8" + }, + { + name = "character_set_client" + value = "utf8" + }, + ] +} diff --git a/old/tf-modules/aws/rds/versions.tf b/old/tf-modules/aws/rds/versions.tf new file mode 100644 index 000000000..ac97c6ac8 --- /dev/null +++ b/old/tf-modules/aws/rds/versions.tf @@ -0,0 +1,4 @@ + +terraform { + required_version = ">= 0.12" +} diff --git a/old/tf-modules/aws/ssm/AWS-SSM.png b/old/tf-modules/aws/ssm/AWS-SSM.png new file mode 100644 index 000000000..950fe0835 Binary files /dev/null and b/old/tf-modules/aws/ssm/AWS-SSM.png differ diff --git a/old/tf-modules/aws/ssm/AWS-SSM.xml b/old/tf-modules/aws/ssm/AWS-SSM.xml new file mode 100644 index 000000000..3103ef988 --- /dev/null +++ b/old/tf-modules/aws/ssm/AWS-SSM.xml @@ -0,0 +1 @@ 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 \ No newline at end of file 
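Review bot: Several of these defaults are unsafe to leave as defaults: `ingress_cidr_blocks` and `egress_cidr_blocks` default to `["0.0.0.0/0"]` on port 3306, `password` defaults to the placeholder `"DB_PASSWORD"` (a mistyped override silently creates a database with that password), and `skip_final_snapshot = true` means `terraform destroy` drops the data with no snapshot even though `deletion_protection` defaults to true. I would remove the defaults for `ingress_cidr_blocks`, `password` and the placeholder `vpc_id = "vpc-xxxxxx"` so the caller has to set them, flip `skip_final_snapshot` to `false`, and on Terraform ≥ 0.14 mark `password` `sensitive = true`. The `engine_version` defaults (`mysql = "5.6.41"`, `postgres = "9.6.8"`) are very old releases that I believe RDS no longer offers — verify against the current engine list before relying on them. Lastly `parameter_group_items` carries the description "list of ingress ports", which looks copy-pasted; `description = "DB parameter group entries (name/value pairs)"`.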
diff --git a/old/tf-modules/aws/ssm/README.md b/old/tf-modules/aws/ssm/README.md new file mode 100644 index 000000000..3337fc6e5 --- /dev/null +++ b/old/tf-modules/aws/ssm/README.md 
@@ -0,0 +1,302 @@ +# SSM Session Manager +Session Manager is a fully managed AWS Systems Manager capability that lets you manage your EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI. + +Main doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html + +The goals: +* Be able to trace back to exactly what happened on an EC2 system +* Have two classes of users. One that can sudo and one that can not + +## Be able to answer the 5 Ws +1. What happened? +1. Where did it take place? +1. When did it occur? +1. Why did it happen? +1. Who was involved? + +# How users can use SSM to get a interactive shell on an EC2 node + +1. Via the AWS console: AWS System Manger -> Instances & Nodes -> Session Manager -> Start session +1. Via the AWS CLI (requires the SSM plugin). Instructions below + +# Terraform Modules + +## EC2 Instance IAM Role +Modules: +* `ec2-role` + +There is a role that is created that is assigned to an EC2 instance that wants to participate in this setup. + +This role gives permission for: +* SSM permissions for the node to be able to send/recieve messsages in the AWS SSM setup +* S3 bucket permissions to write logs +* KMS permissions for encryption keys + +A new role for each type of SSM groups should be created. For example, if you have a `dev` and a `prod` group, you should create two groups mirroring this structure. The EC2 instance is given a role with write permissions to a S3 bucket and a certain part of the path. If the role grants all access to S3 (which is a bad choice) or the entire bucket and it is shared for logs from other SSM groups, other SSM groups would be able to write to any of the paths in the bucket. This is potentially bad if an EC2 node is compromized it would have access to overwrite logs anywhere in the bucket which then can overwrite logs for other SSM group's logs. 
By creating an EC2 instance role for each group, we can then set a more restrictive S3 bucket write access to limit it to a certain path. + +## User SSM Permissions +Modules: +* `user-policies/restrict-by-ssm-document` +* `user-policies/attach-policy-to-group` +* `user-policies/attach-opolicy-to-user` + +Users that wants to connect to an instance via the AWS SSM setup, will need IAM permissions to do so. + +* What instances a user can connect to +* What SSM document this user must use +* SSM permissions + +## VPC-Endpoints +Modules: +* `vpc-endpoints` + +The EC2 nodes needs a way to get to the AWS SSM API endpoint to be able to get information and talk to the SSM control servers. This `vpc-endpoint` puts the SSM control endpoint in the VPC where the EC2 nodes are. + +## SSM Session Document +Modules: +* `documents/sessions` + +This is basically configuration for the SSM session. When a user connects through SSM, SSM needs to know what parameters to apply to the connection. This `document` gives SSM that information. + +Info this document/config holds: +* What user to connect to the remote system as +* S3 bucket to send the session logs to +* Encryption to use + +## S3 bucket +Modules: +* `s3` + +Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging-auditing.html#session-manager-logging-auditing-s3 + +A bucket needs to be setup with encryption enabled to receive the SSM session logs. This bucket name is used in the EC2 instance role and SSM Session document. + +# SSM with run-as + +## Users +Will have two shared users. Can we still answer the 5 Ws? + +### user-sudo +This user can sudo. + +What happened? +* SSM has full interactive session capture +* Will be able to get a log of everything this user did + +Where did it take place? +* Via SSM the user will be using Okta which is tied to a unique account +* CloudTrail should be tell us which machine this user login to + +When did it occur? 
+* Logs from SSM session capture has a time stamp +* Logs from the EC2 machines has the timestamp on when the shared user did something + +Why did it happen? +* With full session recording we can see what caused something +* The EC2 logs will also tell us why something happened + +Who was involved? +* The SSM session is tied to a unique Okta account + +### user-no-sudo +This user has not sudo abilities. + +The 5ws are the same as the `user-sudo` answers + +# Discussions/caveats + +## No unique users on the EC2 machine? +That is correct. A user will be uniquely identified via SSM but when SSM places the user onto an EC2 instance, it will assume a shared user. This is a limitation of the SSM feature set. However, we are still able to answer the 5 Ws accurately. SSM will uniquely identify the person on session start. It will also capture the entire interactive SSH session. By using this information, we can see exactly what the user was doing. We can also "pretty" closely tie it back to the EC2 Linux logs on what happened and who was responsible. + +Since we have the full capture, we can say we have a compensating control for the shared login on the machine and thus have accountability. + +## EC2 Instance needs ssm-agent installed +Any EC2 instance that wants to participate in this setup, needs to have the AWS ssm-agent installed on it. This is a prerequisite for this setup. + +Prerequisites: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html + +## Should not use `aws ssm start-session` on a shared machine +You probably should not use the `aws ssm start-session` to connect to a remote machine on a shared machine. 
The AWS temporary token value shows up in the `ps` list: + +``` +ps aux | grep ssm +g44 1322389 0.0 0.0 2716 524 pts/3 S+ 20:49 0:00 aws ssm start-session --target i-0efbd22c010b703bf --document-name SSM-gar-test-sudoer +g44 1322390 0.3 0.1 141432 47940 pts/3 S+ 20:49 0:00 aws ssm start-session --target i-0efbd22c010b703bf --document-name SSM-gar-test-sudoer +g44 1322395 0.3 0.0 856848 11916 pts/3 Sl+ 20:49 0:00 session-manager-plugin {"SessionId": "garland.kan-0191f0eae08e1b4f8", "TokenValue": "AAEAAbgY78NB2V5KlbYS3hpjegONznprdtIhAYhfZfWRp+zTAAAAAF6+EUjaUDZXp05OWxxhFMOChSpVAlbUiV5ozjiztSzhRUpyzUVLL9XjlcW5FEKumgt1/uzq2HSFG2jF31GoCqRKQcKhlDMdu2vKHRLsJ7jxT5M51Mmoo2EQKQ2DggJ6oz++byhQyh6osqZjH9SBme+eSkCkQLTvG+P7/i+DblvCOBwWFWooS1jfRqS4jai3+7jsd/eFncLVrdWFwDwND8cltwoW4bMVIML97eZ8x4Sraq1ioCJ0EtZ//TcIWiJ/I7jGMG7LsjB1ipI57Axd7hRbGaKtAIOv9JlF4Io43OeKhzd1DI3NFg==", "StreamUrl": "wss://ssmmessages.us-east-1.amazonaws.com/v1/data-channel/garland.kan-0191f0eae08e1b4f8?role=publish_subscribe", "ResponseMetadata": {"RequestId": "1cf7099e-1fdf-47f6-9cdb-101eab7abddf", "HTTPStatusCode": 200, "HTTPHeaders": {"x-amzn-requestid": "1cf7099e-1fdf-47f6-9cdb-101eab7abddf", "content-type": "application/x-amz-json-1.1", "content-length": "610", "date": "Fri, 15 May 2020 03:49:27 GMT"}, "RetryAttempts": 0}} us-east-1 StartSession {"Target": "i-0efbd22c010b703bf", "DocumentName": "SSM-gar-test-sudoer"} https://ssm.us-east-1.amazonaws.com +``` + +## Where do I view Session Manager's activities + +### User login sessions +You can view session login activities in `CloudTrails`. + +Go to: +* AWS Console -> CloudTrails -> Event History +* Filter by Event name: `StartSession` + +This will list all of the sessions that were started. 
Here is an example of the event: +```json +{ + "eventVersion": "1.05", + "userIdentity": { + "type": "IAMUser", + "principalId": "AIDAVE4W5C6YOXXF5XPOR", + "arn": "arn:aws:iam::354114410416:user/garland.kan.temp", + "accountId": "354114410416", + "accessKeyId": "AKIAVE4W5C6YJPLGCFU5", + "userName": "garland.kan.temp" + }, + "eventTime": "2020-05-18T17:00:24Z", + "eventSource": "ssm.amazonaws.com", + "eventName": "StartSession", + "awsRegion": "us-east-1", + "sourceIPAddress": "38.30.8.138", + "userAgent": "aws-cli/2.0.0 Python/3.7.3 Linux/5.4.0-29-generic botocore/2.0.0dev4", + "requestParameters": { + "target": "i-02311671588e96626", + "documentName": "SSM-sudo" + }, + "responseElements": { + "sessionId": "garland.kan.temp-0e34861185201706f", + "tokenValue": "Value hidden due to security reasons.", + "streamUrl": "wss://ssmmessages.us-east-1.amazonaws.com/v1/data-channel/garland.kan.temp-0e34861185201706f?role=publish_subscribe" + }, + "requestID": "35714caa-4b64-47c1-9842-2dc6d4786070", + "eventID": "4b7a66fc-bffb-4179-be64-69bba2bf714c", + "readOnly": false, + "eventType": "AwsApiCall", + "recipientAccountId": "354114410416" +} +``` + +## How do I troubleshoot the SSM Agent? +The SSM Agent runs on each EC2 node that wants to participate in the SSM interactive session setup. This agent has IAM permissions via the instance role we created to talk to the AWS SSM API (vpc endpoint) that we created. When someone initiates a session from the console or the CLI, there is an API call to the AWS SSM API and SSM performs authentication and authorization at this point. If that succeeds, AWS SSM contacts the requested EC2 instance via the AWS SSM Agent that is running on it. If the SSM agent on the EC2 machine answers, a connection will be created with the appropriate settings via the SSM Document (either the default or a custom document). + +### Where are the SSM Agents logs? 
+Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-agent-logs.html +* `/var/log/amazon/ssm/amazon-ssm-agent.log` +* `/var/log/amazon/ssm/errors.log` + +The Session log: +* Has the session id: `garland.kan.temp-0073b0a9869ded8de`. This can be used to tie it back to the CloudTrail logs +``` +Script started on 2020-05-27 23:00:48+0000 +[?1034hsh-4.2# /usr/bin/ssm-session-logger /var/lib/amazon/ssm/i-0c76bc102a2c8324b/sess +ion/orchestration/garland.kan.temp-0073b0a9869ded8de/Standard_Stream/ipcTempFile +.log false +Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory +Initializing new seelog logger +New Seelog Logger Creation Complete +[?1034hsh-4.2$ +sh-4.2$ + +sh-4.2$ + +sh-4.2$ + +sh-4.2$ # test 1 + +sh-4.2$ ls / + +bin boot dev etc home lib lib64 local media mnt opt proc root run sbin srv sys tmp usr var + +sh-4.2$ exit + +exit + +sh-4.2# exit +exit + +Script done on 2020-05-27 23:01:53+0000 +``` + +#### Not writing session logs to the S3 bucket +The EC2 instance needs access to the bucket. 
In the `/var/log/amazon/ssm/errors.log` logs on the EC2 instance you might see logs like this which is an indication that the node does not have access to S3: + +``` +2020-05-26 18:11:59 ERROR [S3Upload @ s3util.go.114] [ssm-session-worker] [garland.kan.temp-075bd0a4981d0a426] [DataBackend] [pluginName=Standard_Stream] Failed uploading /var/lib/amazon/ssm/i-0be867147d0c364b8/session/orchestration/garland.kan.temp-075bd0a4981d0a426/Standard_Stream/garland.kan.temp-075bd0a4981d0a426.log to s3://expanse-ssm-session-logs-dev/dev/garland.kan.temp-075bd0a4981d0a426.log err:AccessDenied: Access Denied +``` + +You can give the EC2 instance access to the bucket by giving attaching a policy to the instance role: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::expanse-ssm-session-logs-dev", + "arn:aws:s3:::expanse-ssm-session-logs-dev/*" + ] + } + ] +} +``` + +### Enabling debug on the SSM Agent +Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-agent-logs.html#ssm-agent-debug-log-files + + +# Testing + +## Login as both classes of user + +### Users in the sudoers class can login with the sudoers user + + +### Users in the non sudoers class can login + + +### Users in the non sudoers class can NOT login as the sudoer's user + + +## Answering the 5 Ws + +### What happened? +Can we get the SSM interactive session logs? + +Does it tell us who the user is? + +### Where did it take place? +Does it tell us which machine this all took place on? + +### When did it occur? +Timestamps? + +### Why did it happen? +The sequence of activities? + +### Who was involved? +Who was the unique user involved? 
+ + +# Usage + +## Requirements + +### aws cli +If using the CLI, you need the `aws cli` + +Install doc: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html + +### session manager plugin +If you want to use the AWS CLI to start and end sessions that connect you to your managed instances, you must first install the Session Manager plugin on your local machine. The plugin can be installed on supported versions of Microsoft Windows, macOS, Linux, and Ubuntu Server. + +Install doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html + +## starting a session + +``` +aws ssm start-session --target i-0061375d1e98e81fc --document-name SSM-sudo +``` + +# Tunnelling +https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/ + +``` +aws ssm start-session --target $INSTANCE_ID \ +--document-name AWS-StartPortForwardingSession \ +--parameters '{"portNumber":["80"],"localPortNumber":["9999"]}' +``` diff --git a/old/tf-modules/aws/ssm/documents/sessions/README.md b/old/tf-modules/aws/ssm/documents/sessions/README.md new file mode 100644 index 000000000..393c6b97c --- /dev/null +++ b/old/tf-modules/aws/ssm/documents/sessions/README.md 
@@ -0,0 +1,41 @@ +AWS SSM Document for Sessions +============================== +These SSM Documents provides configurations for an SSM session + +Main docs: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-sessiondocumentaccesscheck.html + +The purpose of this document is to provide configuration for an SSM interactive session. You can force a user to use a particular document which can force them to run as a certain user on the end host. Then if this user on the end host does not have sudo access this, mean this user will not have sudo access either. + +Example SSM Document: +```json +{ + "schemaVersion": "1.0", + "description": "Document to hold regional settings for Session Manager", + "sessionType": "Standard_Stream", + "inputs": { + "s3BucketName": "expanse-ssm-session-logs-dev", + "s3KeyPrefix": "dev", + "s3EncryptionEnabled": false, + "cloudWatchLogGroupName": "", + "cloudWatchEncryptionEnabled": true, + "kmsKeyId": "", + "runAsEnabled": true, + "runAsDefaultUser": "user-sudo" + } +} +``` + +# Setting `s3EncryptionEnabled` to `false +When we created our S3 bucket for the log output, we enabled encryption on it. Anything placed in here will be encrypted. + +https://aws.amazon.com/premiumsupport/knowledge-center/bucket-policy-encryption-s3/ + +This is set to `false` since we are not using the `kms` key for encryption and just the S3 default key. + +# Restricting the commands a user can run +Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-restrict-command-access.html + +This allows you to restrict the commands a user can run. +* Setup one or more SSM Session Document that defines what commands are allowed +* Associate these documents to the user's IAM +* User will use this document name when running an interactive command diff --git a/old/tf-modules/aws/ssm/documents/sessions/main.tf b/old/tf-modules/aws/ssm/documents/sessions/main.tf new file mode 100644 index 000000000..4d2ba04e3 --- /dev/null 
+++ b/old/tf-modules/aws/ssm/documents/sessions/main.tf
@@ -0,0 +1,14 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+resource "aws_ssm_document" "ssm_document" {
+ name = var.document_name
+ document_type = var.document_type
+
+ content = var.document_content
+
+ tags = var.tags
+
+}
diff --git a/old/tf-modules/aws/ssm/documents/sessions/outputs.tf b/old/tf-modules/aws/ssm/documents/sessions/outputs.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/old/tf-modules/aws/ssm/documents/sessions/vars.tf b/old/tf-modules/aws/ssm/documents/sessions/vars.tf
new file mode 100644
index 000000000..903bc667b
--- /dev/null
+++ b/old/tf-modules/aws/ssm/documents/sessions/vars.tf
@@ -0,0 +1,23 @@
+variable "tags" {
+ type = map(string)
+
+ default = {
+ Environment = "env"
+ Account = "dev"
+ Group = "devops"
+ Region = "us-east-1"
+ managed_by = "Terraform"
+ }
+}
+
+variable "document_name" {
+ default = ""
+}
+
+variable "document_type" {
+ default = "Session"
+}
+
+variable "document_content" {
+ default = ""
+}
diff --git a/old/tf-modules/aws/ssm/documents/sessions/versions.tf b/old/tf-modules/aws/ssm/documents/sessions/versions.tf
new file mode 100644
index 000000000..ac97c6ac8
--- /dev/null
+++ b/old/tf-modules/aws/ssm/documents/sessions/versions.tf
@@ -0,0 +1,4 @@
+
+terraform {
+ required_version = ">= 0.12"
+}
diff --git a/old/tf-modules/aws/ssm/ec2-role/README.md b/old/tf-modules/aws/ssm/ec2-role/README.md
new file mode 100644
index 000000000..816eeb799
--- /dev/null
+++ b/old/tf-modules/aws/ssm/ec2-role/README.md
@@ -0,0 +1,6 @@
+EC2 SSM Role
+=============
+
+This is a required role that is created to be attached EC2 instances to give it access to SSM and the S3 bucket for the interactive session logs output.
+
+https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
diff --git a/old/tf-modules/aws/ssm/ec2-role/main.tf b/old/tf-modules/aws/ssm/ec2-role/main.tf
new file mode 100644
index 000000000..12af1f507
--- /dev/null
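Review bot: In the vars.tf hunk, `document_name` and `document_content` default to `""`, so a caller that omits either one gets past plan and is likely rejected only when the SSM API refuses the empty name or body at apply time; declaring them without a default makes Terraform stop at plan with a missing-variable error instead: `variable "document_name" { type = string }` and `variable "document_content" { type = string }`. The `tags` default (`Environment = "env"`, `Account = "dev"`, `Region = "us-east-1"`) is placeholder data that will be written to the real resource verbatim if a caller forgets to override it; either drop the default or add a comment marking these as example values to be overridden. The sibling main.tf hunk on this line passes all three variables straight through to `aws_ssm_document`, so nothing downstream catches the empty values either.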
+++ b/old/tf-modules/aws/ssm/ec2-role/main.tf 
@@ -0,0 +1,123 @@ +terraform { + backend "s3" { + } +} + +provider "aws" { + region = var.region +} + +resource "aws_iam_instance_profile" "test_profile" { + name = "OpsEC2SSM${var.name}" + role = aws_iam_role.role.name +} + +resource "aws_iam_role" "role" { + name = "OpsEC2SSM${var.name}" + + description = "Allows EC2 instances to call AWS services on your behalf with SSM." + + force_detach_policies = true + + assume_role_policy = <> DiG 9.10.6 <<>> foobar.terragrunt-dev.managedkube.com +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55064 +;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 512 +;; QUESTION SECTION: +;foobar.terragrunt-dev.managedkube.com. IN A + +;; ANSWER SECTION: +foobar.terragrunt-dev.managedkube.com. 60 IN A 52.206.197.145 +foobar.terragrunt-dev.managedkube.com. 60 IN A 54.152.224.149 + +;; Query time: 99 msec +;; SERVER: 192.168.86.1#53(192.168.86.1) +;; WHEN: Tue Jun 28 15:31:48 PDT 2022 +;; MSG SIZE rcvd: 98 +``` + +# 510-sample-app-opentel-2 +Second sample app that has opentelemetry tracing enabled + +PR: https://github.com/ManagedKube/kubernetes-ops/pull/354 + +Was having a problem getting sub pages that are required for the entire page to load. +In the web browser it was saing that it was not able to get: `https://sample-app-2.terragrunt-dev.managedkube.com/jquery-3.1.1.min.js` + +Trying it out in cURL shows the same things. + + +```bash +curl https://sample-app-2.terragrunt-dev.managedkube.com/jquery-3.1.1.min.js -v +* Trying 54.152.224.149:443... 
+* Connected to sample-app-2.terragrunt-dev.managedkube.com (54.152.224.149) port 443 (#0) +* ALPN, offering h2 +* ALPN, offering http/1.1 +* successfully set certificate verify locations: +* CAfile: /etc/ssl/cert.pem +* CApath: none +* (304) (OUT), TLS handshake, Client hello (1): +* (304) (IN), TLS handshake, Server hello (2): +* (304) (IN), TLS handshake, Unknown (8): +* (304) (IN), TLS handshake, Certificate (11): +* (304) (IN), TLS handshake, CERT verify (15): +* (304) (IN), TLS handshake, Finished (20): +* (304) (OUT), TLS handshake, Finished (20): +* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 +* ALPN, server accepted to use h2 +* Server certificate: +* subject: CN=*.terragrunt-dev.managedkube.com +* start date: Jun 23 22:56:41 2022 GMT +* expire date: Sep 21 22:56:40 2022 GMT +* subjectAltName: host "sample-app-2.terragrunt-dev.managedkube.com" matched cert's "*.terragrunt-dev.managedkube.com" +* issuer: C=US; O=Let's Encrypt; CN=R3 +* SSL certificate verify ok. +* Using HTTP2, server supports multiplexing +* Connection state changed (HTTP/2 confirmed) +* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 +* Using Stream ID: 1 (easy handle 0x7f92ce011a00) +> GET /jquery-3.1.1.min.js HTTP/2 +> Host: sample-app-2.terragrunt-dev.managedkube.com +> user-agent: curl/7.79.1 +> accept: */* +> +* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)! +< HTTP/2 404 +< date: Wed, 29 Jun 2022 19:38:21 GMT +< server: istio-envoy +< +* Connection #0 to host sample-app-2.terragrunt-dev.managedkube.com left intact +``` + +Manually testing the change on the ingress to add a `*` in the path: +``` +Rules: + Host Path Backends + ---- ---- -------- + sample-app-2.terragrunt-dev.managedkube.com /* + +``` + +This fixes the problem. 
+ +Rolling that fix into code: + +PR: https://github.com/ManagedKube/kubernetes-ops/pull/355 + +# Problem: HTTP/2 connection reuse +After getting both sample applications up and running I found a problem. + +Each sample app seems to have worked indepedantly. While I was bringing up each app and testing +it, I was able to hit the URLs of each app and it returned the expected webpage. DNS was working +and I was even able to hit the https endpoint as well. + +However, after setting up both apps up and testing to see if the OpenTelemetry tracing worked, I had +to hit 3 URLs on the system that were all going through the istio ingress: +1. Grafana: https://grafana.terragrunt-dev.managedkube.com - to see the traces +1. sample app 1: https://sample-app-1.terragrunt-dev.managedkube.com/ +1. sample app 2: https://sample-app-2.terragrunt-dev.managedkube.com/ + +This is where the problem started. + +In my browser (Firefox and Chrome), I first went to the Grafana endpoint. That loaded up fine. + +Then I went to sample app 1 and that loaded up fine. + +Then I went to sample app 2 and I got back a 404 not found. This was odd because this was working +before when I was testing it out. In the browser, in debug mode and inspecting the details of the +request headers returned and things, the `server: istio-envoy` which means that the Istio ingress +was returning the 404. + +I did all the usual dig on all 3 of the hostnames and it all pointed back to the AWS NLB. DNS was not +the issue. + +Using cURL to retrieve each endpoint gave successful responses as in not a 404 and the webpage content +that I was expecting. This was interesting that it works with cURL but not in my two browsers. + +I even thought it might be my laptop and I even tried to hit up the 3 endpoints on another machine that +I have and it yielded the same results. + +This was leading me to think that it was something to do with my browser and the interaction with Istio. 
+Somehow maybe the host headers and things were not being passed correctly or interpereted correctly? Inspecting +the browser requests in debug mode, everything looked ok. Im pretty sure I wasnt looking at the correct thing +in there. I just didnt see anything out of the normal. I didnt have much to go on here. + +I started to look at my Istio ingress usage. The way this was exposing all of these endpoints out on the +Istio ingress was through the regular Kubernetes Ingress resource type: https://istio.io/latest/docs/tasks/traffic-management/ingress/kubernetes-ingress/#configuring-ingress-using-an-ingress-resource. The configuration +at this time is here: https://github.com/ManagedKube/kubernetes-ops/blob/26e5fc0167634ccbe2c5dda80b890244a1630c8a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/helm_values.tpl.yaml#L30. This is sort of a cheat or maybe more of a shortcut to exposing out an endpoint +via the Istio Ingress without having to create an Istio Gateway and VirtualService resource. So I used it, +I like shortcuts (if it works). + +Since I still didnt know why this was happening, I needed more information, so I went back to the Istio +docs. In the same Istio docs but further down in the same page: https://istio.io/latest/docs/tasks/traffic-management/ingress/kubernetes-ingress/#specifying-ingressclass. It talks about enabling TLS and using +the newer Kubernetes resource type `IngressClass` (which I was not using). This is starting to look interesting. +I knew the requests were making it to the Istio ingress but that was returning a 404. Perhaps without the +`IngressClass` it was getting confused on which endpoints this hostname was for? + +I updated the `standard-application` helm chart used to deploy out the sample apps with to add in +the `IngressClass` resources: https://github.com/ManagedKube/helm-charts/pull/44. 
Then updating the +usage of sample app to use this new helm chart version release: https://github.com/ManagedKube/kubernetes-ops/pull/357/commits/aab554fa868edd8b7b45290c21b1d5d318791019. After having the IaC deploy that out, I tested reaching +the endpoints again. +* cURL worked for all 3 endpoints (was working before) +* The browser still had the same behavior. The first of the 3 endpoint I would go to would work but the other two would not. + +I guess that was not the fix since nothing has changed. Things just can't be that easy. I was however shooting +in the dark a little bit. I didnt have specific information that that would have fixed it nor did I have +specific information from Istio itself on why it was returning a 404. I did try to use `istioctl` trying to +get more information but that path didn't yield anything useful. So I'm still shooting a little bit in the dark +here. + +At this point, you do what any one else would do. Start searching google to see if others are seeing this problem =). + +I think mostly by luck and refining my search here and there I landed on this Istio doc: https://istio.io/latest/docs/ops/common-problems/network-issues/#404-errors-occur-when-multiple-gateways-configured-with-same-tls-certificate + +This explains pretty much exactly what I was experiencing!! + +It just goes to show that nothing I'm doing here is new and others has already ran into pretty much all of the +problems that I have and more importantly they have solved it! + +You can read this but the TL;DR is saying that since the hostnames resolved to the same IP, your browser is +re-using the HTTP/2 connection which is resulting in returning the 404 because on the Istio Ingress side, the +hostname for the second request of the hostname wouldn't match. + +Then this doc goes on to say that you should create an Istio `Gateway` and a `VirtualService` for each endpoint. + +I guess I can't do the Kubernetes `Ingress` shortcut anymore. 
+ +We will first have to create an Istio `Gateway`. I decided for this example, I will create one Istio `Gateway` +that any applications can use in this cluster. The idea would be that the "DevOps" team would provide manage +the `Gateway` and then application teams can use this gateway for ingressess that they want. This can expand +to more gateways over time as the need fo the company changes and different requirements for the gateway arrise. + +This addition was added to the PR trying to fix the ingress: https://github.com/ManagedKube/kubernetes-ops/pull/357/commits/218473f0829ee2beed8b804178c440faedfd1e68#diff-65ccd470fca6177a755868fd694b60ec33969ea1231f1d97c2b1977fb2113e88R2-R27 + +After applying there is a `gateway`: +``` +kubectl -n istio-system get gateway +NAME AGE +main-gateway 80s +``` + +The next steps were to test this out to see if it works. I modified the `standard-application` helm chart we +are using to deploy the sample apps with to add in the Istio `VirtualService`: https://github.com/ManagedKube/helm-charts/pull/47. This will allow each application to add in it's own `VirtualService` and then bind to +the Istio `Gateway` that each app wants to bind to. 
+ +This commit in the same PR adds the virtual service params to the helm chart: +* sample application 1 +* https://github.com/ManagedKube/kubernetes-ops/pull/357/commits/f39b77c4a7602fbb6407f1bd4f3c9e2932bab3a4 +* This worked + +The commit for the sample app 2 +* https://github.com/ManagedKube/kubernetes-ops/pull/357/commits/d7c2a1ae79148b6c77eddbc08588cd098a024ff1 +* This is working + +After all of the previous changes, everything is working as expected: +* In the same browser I can go to all three endpoints http or https + +# eks-update-1-22 +Updating the cluster to the EKS 1.22 version + +PR: https://github.com/ManagedKube/kubernetes-ops/pull/358 + +# Kiali + +PR: https://github.com/ManagedKube/kubernetes-ops/pull/364 + +Updating Kiali to the latest version PR: +* https://github.com/ManagedKube/kubernetes-ops/pull/365 diff --git a/terraform-environments/aws/terragrunt-dev/provider_k8s_helm_for_eks.template.hcl b/terraform-environments/aws/terragrunt-dev/provider_k8s_helm_for_eks.template.hcl new file mode 100644 index 000000000..9b4c5be5f --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/provider_k8s_helm_for_eks.template.hcl 
@@ -0,0 +1,33 @@
+data "aws_eks_cluster" "cluster" {
+ name = "${eks_cluster_name}"
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+
+ # EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To
+ # avoid this issue, we use an exec-based plugin here to fetch an up-to-date token. Note that this code requires the
+ # kubergrunt binary to be installed and on your PATH.
+ exec {
+ api_version = "client.authentication.k8s.io/v1alpha1"
+ command = "${kubergrunt_exec}"
+ args = ["eks", "token", "--cluster-id", "${eks_cluster_name}"]
+ }
+}
+
+provider "helm" {
+ kubernetes {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+
+ # EKS clusters use short-lived authentication tokens that can expire in the middle of an 'apply' or 'destroy'. To
+ # avoid this issue, we use an exec-based plugin here to fetch an up-to-date token. Note that this code requires the
+ # kubergrunt binary to be installed and on your PATH.
+ exec {
+ api_version = "client.authentication.k8s.io/v1alpha1"
+ command = "${kubergrunt_exec}"
+ args = ["eks", "token", "--cluster-id", "${eks_cluster_name}"]
+ }
+ }
+}
diff --git a/terraform-environments/aws/terragrunt-dev/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/terragrunt.hcl
new file mode 100644
index 000000000..b5d5a3c79
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/terragrunt.hcl
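Review bot: Both `exec` blocks pin `api_version = "client.authentication.k8s.io/v1alpha1"`, the ExecCredential API version that Kubernetes removed from its client tooling in 1.24; the notes later in this diff take the cluster to EKS 1.22, so the next version bump is likely to turn this into an authentication failure for both the kubernetes and helm providers at once. The usual fix is `api_version = "client.authentication.k8s.io/v1beta1"` in both places, provided the kubergrunt release in use emits a matching ExecCredential version — worth confirming before the template is regenerated. The exec stanza and its three-line comment are duplicated verbatim between the two providers, so any change has to be made twice; a one-line comment on the helm copy such as `# keep in sync with the kubernetes provider exec block above` would at least make that explicit. `certificate_authority.0.data` is the legacy attribute-index form; `certificate_authority[0].data` is what current Terraform formats to.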
@@ -0,0 +1,35 @@ +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + +} + +# Generate an AWS provider block +generate "provider" { + path = "provider.tf" + if_exists = "skip" + contents = <= 2.23.0"... +- Installing hashicorp/aws v4.13.0... +- Installed hashicorp/aws v4.13.0 (signed by HashiCorp) + +Terraform has created a lock file .terraform.lock.hcl to record the provider +selections it made above. Include this file in your version control repository +so that Terraform can guarantee to make the same selections by default when +you run "terraform init" in the future. + +Terraform has been successfully initialized! + +You may now begin working with Terraform. Try running "terraform plan" to see +any changes that are required for your infrastructure. All Terraform commands +should now work. + +If you ever set or change modules or backend configuration for Terraform, +rerun this command to reinitialize your working directory. If you forget, other +commands will detect it and remind you to do so if necessary. +``` + +It will ask you to confirm creating the S3 bucket or not. This S3 bucket is used to store the +Terraform state file. + +Apply: +``` +terragrunt apply +``` + +The output: +``` +Terraform used the selected providers to generate the following execution +plan. 
Resource actions are indicated with the following symbols: + + create + +Terraform will perform the following actions: + + # aws_iam_openid_connect_provider.this[0] will be created + + resource "aws_iam_openid_connect_provider" "this" { + + arn = (known after apply) + + client_id_list = [ + + "sts.amazonaws.com", + ] + + id = (known after apply) + + tags = { + + "ops_env" = "terraform-dev" + + "ops_managed_by" = "terraform" + + "ops_owners" = "devops" + + "ops_source_repo" = "managedkube/kubernetes-ops" + + "ops_source_repo_path" = "terraform-environments/aws/terraform-dev/us-east-1/terragrunt-dev/050-github-aws-permissions" + } + + tags_all = { + + "ops_env" = "terraform-dev" + + "ops_managed_by" = "terraform" + + "ops_owners" = "devops" + + "ops_source_repo" = "managedkube/kubernetes-ops" + + "ops_source_repo_path" = "terraform-environments/aws/terraform-dev/us-east-1/terragrunt-dev/050-github-aws-permissions" + } + + thumbprint_list = [ + + "6938fd4d98bab03faadb97b34396831e3780aea1", + ] + + url = "https://token.actions.githubusercontent.com" + } + + # aws_iam_policy.iam_policy will be created + + resource "aws_iam_policy" "iam_policy" { + + arn = (known after apply) + + description = "IAM Policy for the Github OIDC Federation permissions" + + id = (known after apply) + + name = (known after apply) + + name_prefix = "github_oidc_terraform-dev" + + path = "/" + + policy = jsonencode( + { + + Statement = [ + + { + + Action = "*" + + Effect = "Allow" + + Resource = "*" + }, + ] + + Version = "2012-10-17" + } + ) + + policy_id = (known after apply) + + tags = { + + "ops_env" = "terraform-dev" + + "ops_managed_by" = "terraform" + + "ops_owners" = "devops" + + "ops_source_repo" = "managedkube/kubernetes-ops" + + "ops_source_repo_path" = "terraform-environments/aws/terraform-dev/us-east-1/terragrunt-dev/050-github-aws-permissions" + } + + tags_all = { + + "ops_env" = "terraform-dev" + + "ops_managed_by" = "terraform" + + "ops_owners" = "devops" + + "ops_source_repo" = 
"managedkube/kubernetes-ops" + + "ops_source_repo_path" = "terraform-environments/aws/terraform-dev/us-east-1/terragrunt-dev/050-github-aws-permissions" + } + } + + # module.iam_assumable_role_admin.aws_iam_role.this[0] will be created + + resource "aws_iam_role" "this" { + + arn = (known after apply) + + assume_role_policy = jsonencode( + { + + Statement = [ + + { + + Action = "sts:AssumeRoleWithWebIdentity" + + Condition = { + + StringEquals = { + + "token.actions.githubusercontent.com:sub" = [ + + "repo:managedkube/kubernetes-ops:pull_request", + + "repo:managedkube/kubernetes-ops:ref:refs/heads/main", + + "repo:managedkube/kubernetes-ops:workflow_dispatch", + ] + } + + StringLike = { + + "token.actions.githubusercontent.com:sub" = "repo:octo-org/octo-repo:ref:refs/heads/feature/*" + } + } + + Effect = "Allow" + + Principal = { + + Federated = "arn:aws:iam::xxxxxxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com" + } + + Sid = "" + }, + ] + + Version = "2012-10-17" + } + ) + + create_date = (known after apply) + + force_detach_policies = false + + id = (known after apply) + + managed_policy_arns = (known after apply) + + max_session_duration = 3600 + + name = "github_oidc_terraform-dev" + + name_prefix = (known after apply) + + path = "/" + + tags = { + + "ops_env" = "terraform-dev" + + "ops_managed_by" = "terraform" + + "ops_owners" = "devops" + + "ops_source_repo" = "managedkube/kubernetes-ops" + + "ops_source_repo_path" = "terraform-environments/aws/terraform-dev/us-east-1/terragrunt-dev/050-github-aws-permissions" + } + + tags_all = { + + "ops_env" = "terraform-dev" + + "ops_managed_by" = "terraform" + + "ops_owners" = "devops" + + "ops_source_repo" = "managedkube/kubernetes-ops" + + "ops_source_repo_path" = "terraform-environments/aws/terraform-dev/us-east-1/terragrunt-dev/050-github-aws-permissions" + } + + unique_id = (known after apply) + + + inline_policy { + + name = (known after apply) + + policy = (known after apply) + } + } + + # 
module.iam_assumable_role_admin.aws_iam_role_policy_attachment.custom[0] will be created + + resource "aws_iam_role_policy_attachment" "custom" { + + id = (known after apply) + + policy_arn = (known after apply) + + role = "github_oidc_terraform-dev" + } + +Plan: 4 to add, 0 to change, 0 to destroy. + +Changes to Outputs: + + arn = (known after apply) + +Do you want to perform these actions? + Terraform will perform the actions described above. + Only 'yes' will be accepted to approve. + + Enter a value: yes + +aws_iam_openid_connect_provider.this[0]: Creating... +aws_iam_policy.iam_policy: Creating... +module.iam_assumable_role_admin.aws_iam_role.this[0]: Creating... +aws_iam_openid_connect_provider.this[0]: Creation complete after 0s [id=arn:aws:iam::xxxxxxxxxxxxxx:oidc-provider/token.actions.githubusercontent.com] +aws_iam_policy.iam_policy: Creation complete after 0s [id=arn:aws:iam::xxxxxxxxxxxxxx:policy/github_oidc_terraform-dev20220512182828671900000001] +module.iam_assumable_role_admin.aws_iam_role.this[0]: Creation complete after 1s [id=github_oidc_terraform-dev] +module.iam_assumable_role_admin.aws_iam_role_policy_attachment.custom[0]: Creating... +module.iam_assumable_role_admin.aws_iam_role_policy_attachment.custom[0]: Creation complete after 0s [id=github_oidc_terraform-dev-20220512182829972200000002] +Releasing state lock. This may take a few moments... + +Apply complete! Resources: 4 added, 0 changed, 0 destroyed. + +Outputs: + +arn = "arn:aws:iam::xxxxxxxxxxxxxx:role/github_oidc_terraform-dev" +``` + +The output will be used in the Github Action workflow file as an input +to assuming the role. This will have to be manually done. diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/050-github-aws-permissions/policy.json b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/050-github-aws-permissions/policy.json new file mode 100644 index 000000000..1a6a7b915 --- /dev/null 
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/050-github-aws-permissions/policy.json
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "*",
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/050-github-aws-permissions/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/050-github-aws-permissions/terragrunt.hcl
new file mode 100644
index 000000000..a11c7cbea
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/050-github-aws-permissions/terragrunt.hcl
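Review bot: `"Action": "*"` with `"Resource": "*"` grants the GitHub OIDC role full administrative rights over the account, and that role is the one any workflow run carrying the `pull_request`, `main` or `workflow_dispatch` subject from this repository can assume (see the `validate_conditions` in the sibling terragrunt.hcl). The role only needs what Terraform here manages: the state bucket and lock table plus the EKS, VPC, IAM and Route53 actions used by the modules, so the statement should be scoped to those actions and, where practical, to resource ARNs; if admin is a deliberate bootstrap choice, a `"Sid": "BootstrapAdminRemoveAfterScoping"` on the statement records that intent for the next reviewer. Consider also an explicit deny for `iam:*` outside the OIDC role itself so a compromised pipeline cannot widen its own trust policy.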
@@ -0,0 +1,46 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/terraform-aws-github-oidc-provider.git//?ref=v1.0.3" +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. +# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + name = "github_oidc_${local.common_vars.locals.environment_name}" + + validate_conditions = [ + "repo:${local.common_vars.locals.repository_name}:ref:refs/heads/main", + "repo:${local.common_vars.locals.repository_name}:pull_request", + "repo:${local.common_vars.locals.repository_name}:workflow_dispatch", + ] + aws_policy_json = file("policy.json") + tags = local.tags +} \ No newline 
at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/100-route53-hostedzone/terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/100-route53-hostedzone/terraform.lock.hcl new file mode 100644 index 000000000..2b3ab4beb --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/100-route53-hostedzone/terraform.lock.hcl @@ -0,0 +1,20 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.18.0" + hashes = [ + "h1:6gkWNVTtIlpniC188RP43f9PrcXG9v5CqQS2xw1dVgM=", + "zh:100a11324326bf849b4c85d3c40a81e485726eee99c5a229387b8485a7a8da8b", + "zh:2226bbf97101af90e43cd5606d8678f35d7e7b477657d9297c42a1bd2ed42750", + "zh:27d51694300c08c32312f8832b889c57a2821dc022d49d38f9b1e14810f8a3fb", + "zh:2b8792c76986facfd415f967c5d61022f7ceeaa46c158037fe8939e36d954f99", + "zh:3ea787967de772cc3a13469753080c8fa81be5aefc735d3753c7627f63c948e5", + "zh:64d58463cbb2b93d5202ef311a101890a1e083f9587f3eabb9f2e26dd0cf8f43", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b10eecf4c034a229712825124e7c0b765c5904648550dc8f844f68638531d337", + "zh:d9a3cc46e2746c40ea69bcfb2d12e765ee6bda3e1ed8ce73f272d492ff4836bb", + "zh:df625e57aa3b5fb3e4562da44daf6565289818ba2a7e66f86ad968b43fdb5148", + "zh:eaaa3a5d2a15a87b346e521872120a3ca7f6777a04226a55f51022eaf4097963", + "zh:ec6f4b00ae4f9d536f2a6c2e5a5f149867194268ce9068a9c348bc3e678fbfce", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/100-route53-hostedzone/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/100-route53-hostedzone/terragrunt.hcl new file mode 100644 index 000000000..99d5076d6 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/100-route53-hostedzone/terragrunt.hcl 
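Review bot: The plan output recorded in the README for this module shows the resulting trust policy carrying a `StringLike` condition on `repo:octo-org/octo-repo:ref:refs/heads/feature/*` alongside the `StringEquals` list built from `validate_conditions`; every key in an IAM Condition block must match, so if that condition really is present it would reject the three subjects this hunk configures — it looks like a default inside the `terraform-aws-github-oidc-provider` module at `v1.0.3` and should be verified and overridden if the module exposes the input. The `pull_request` subject is broader than the `main` branch one, since it matches any pull-request run in the repository; if only merges to main should be able to apply, drop it and keep `workflow_dispatch` for manual runs. The file also ends without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would fix.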
@@ -0,0 +1,39 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/route53/hosted-zone?ref=v2.0.21" +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. +# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + domain_name = local.environment_vars.locals.domain_name + tags = local.tags +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/150-vpc/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/150-vpc/.terraform.lock.hcl new file mode 100644 index 000000000..fed6c94eb --- /dev/null 
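Review bot: The lock file committed next to this module is named `100-route53-hostedzone/terraform.lock.hcl` without the leading dot, so `terraform init` will not read it and provider selection for this module stays unpinned, unlike 150-vpc, 200-eks and 250-eks-cluster-autoscaler which commit `.terraform.lock.hcl`. The same misnamed file appears under `300-kubernetes/100-cert-manager/10-cert-manager/terraform.lock.hcl`; both should be renamed to `.terraform.lock.hcl` so the hashes actually gate the provider download. The module source pins `ref=v2.0.21`, which is good; the lock file is what pins the `hashicorp/aws` provider the module pulls in.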
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/150-vpc/.terraform.lock.hcl @@ -0,0 +1,22 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.13.0" + constraints = ">= 3.38.0" + hashes = [ + "h1:DK3+k7Yxeenw945TqdHD2RBHcgbxpM1Z+Cw5Q4mndKw=", + "zh:215226bc0372077d2ae6dba4e2f08f6361f8e4953d20bc4c682d40fdf5002544", + "zh:42777cbdc046181986c0260ea17027ef1364c31d73a57eb0ab539f6e1a3e0780", + "zh:78079d2f5fc35f3c43eb2a131cb49c2c77ddd04943bca97080f33355808d39cc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9c0404a044eae741f10f3d217dc28658e0f04082963918913b024d3305c11e79", + "zh:a1b5a53f60d4f7bff1cc84180fef6205c95b8793741dbc8c0564a6200424ca73", + "zh:ba6711064a855ddb55924342b70667e9bed660bde8552dc0bde4b7f8947a2ec4", + "zh:d0f77ed514d54f7380d7e1ef585d853f50f1bee381d6abbf3a68429b68de6045", + "zh:d5c454d2ac9aed01ae00c477192c93d54c8362357a87684a3171055dcec25f44", + "zh:dfd381ed7da945cb85b99df843ee7eab339dd1799fa70d1ad3e94331605aad01", + "zh:eb6dc84414714f61b9de0ac190c69f598af9b16d144a44f573df484c06c8d4ef", + "zh:f02e79599af3f8f63e4b885c5715be3a4060cbf98eb4bf46d616aa0d9f2b5cd3", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/150-vpc/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/150-vpc/terragrunt.hcl new file mode 100644 index 000000000..c49b787af --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/150-vpc/terragrunt.hcl 
@@ -0,0 +1,52 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/vpc?ref=v1.0.53" +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. +# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + aws_region = local.region_vars.locals.aws_region + azs = ["${local.region_vars.locals.aws_region}${local.environment_vars.locals.vpc["availability_zones"][0]}", + "${local.region_vars.locals.aws_region}${local.environment_vars.locals.vpc["availability_zones"][1]}", + "${local.region_vars.locals.aws_region}${local.environment_vars.locals.vpc["availability_zones"][2]}", + ] + + 
vpc_cidr = local.environment_vars.locals.vpc["cidr"] + private_subnets = local.environment_vars.locals.vpc["private_subnets"] + public_subnets = local.environment_vars.locals.vpc["public_subnets"] + single_nat_gateway = true + + environment_name = local.environment_vars.locals.cluster_name + cluster_name = local.environment_vars.locals.cluster_name + + tags = local.tags +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/.terraform.lock.hcl new file mode 100644 index 000000000..f4775bf9b --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/.terraform.lock.hcl 
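Review bot: `environment_name = local.environment_vars.locals.cluster_name` reads a different source than 200-eks, which passes `local.common_vars.locals.environment_name` for the same input, so names and tags derived from it can diverge between the VPC and the cluster; confirm which value is intended and use it in both. The `azs` list hard-codes indices 0, 1 and 2 into `vpc["availability_zones"]`, so an environment file listing fewer than three zones fails at plan time with an index error; `azs = [for az in local.environment_vars.locals.vpc["availability_zones"] : "${local.region_vars.locals.aws_region}${az}"]` produces the same list for any count. `single_nat_gateway = true` is a single point of failure for private-subnet egress and deserves a `# dev-only cost saving` comment so it is not copied into a production environment.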
@@ -0,0 +1,100 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.13.0" + constraints = ">= 3.37.0, >= 3.72.0" + hashes = [ + "h1:DK3+k7Yxeenw945TqdHD2RBHcgbxpM1Z+Cw5Q4mndKw=", + "zh:215226bc0372077d2ae6dba4e2f08f6361f8e4953d20bc4c682d40fdf5002544", + "zh:42777cbdc046181986c0260ea17027ef1364c31d73a57eb0ab539f6e1a3e0780", + "zh:78079d2f5fc35f3c43eb2a131cb49c2c77ddd04943bca97080f33355808d39cc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9c0404a044eae741f10f3d217dc28658e0f04082963918913b024d3305c11e79", + "zh:a1b5a53f60d4f7bff1cc84180fef6205c95b8793741dbc8c0564a6200424ca73", + "zh:ba6711064a855ddb55924342b70667e9bed660bde8552dc0bde4b7f8947a2ec4", + "zh:d0f77ed514d54f7380d7e1ef585d853f50f1bee381d6abbf3a68429b68de6045", + "zh:d5c454d2ac9aed01ae00c477192c93d54c8362357a87684a3171055dcec25f44", + "zh:dfd381ed7da945cb85b99df843ee7eab339dd1799fa70d1ad3e94331605aad01", + "zh:eb6dc84414714f61b9de0ac190c69f598af9b16d144a44f573df484c06c8d4ef", + "zh:f02e79599af3f8f63e4b885c5715be3a4060cbf98eb4bf46d616aa0d9f2b5cd3", + ] +} + +provider "registry.terraform.io/hashicorp/cloudinit" { + version = "2.2.0" + constraints = ">= 2.0.0" + hashes = [ + "h1:siiI0wK6/jUDdA5P8ifTO0yc9YmXHml4hz5K9I9N+MA=", + "zh:76825122171f9ea2287fd27e23e80a7eb482f6491a4f41a096d77b666896ee96", + "zh:795a36dee548e30ca9c9d474af9ad6d29290e0a9816154ad38d55381cd0ab12d", + "zh:9200f02cb917fb99e44b40a68936fd60d338e4d30a718b7e2e48024a795a61b9", + "zh:a33cf255dc670c20678063aa84218e2c1b7a67d557f480d8ec0f68bc428ed472", + "zh:ba3c1b2cd0879286c1f531862c027ec04783ece81de67c9a3b97076f1ce7f58f", + "zh:bd575456394428a1a02191d2e46af0c00e41fd4f28cfe117d57b6aeb5154a0fb", + "zh:c68dd1db83d8437c36c92dc3fc11d71ced9def3483dd28c45f8640cfcd59de9a", + "zh:cbfe34a90852ed03cc074601527bb580a648127255c08589bc3ef4bf4f2e7e0c", + 
"zh:d6ffd7398c6d1f359b96f5b757e77b99b339fbb91df1b96ac974fe71bc87695c", + "zh:d9c15285f847d7a52df59e044184fb3ba1b7679fd0386291ed183782683d9517", + "zh:f7dd02f6d36844da23c9a27bb084503812c29c1aec4aba97237fec16860fdc8c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + constraints = ">= 2.1.0" + hashes = [ + "h1:T65SZhN/tQgsAsHe/G5PCgpjofi+aTKPZ+nZg6WOJpc=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.1.1" + hashes = [ + "h1:Pctug/s/2Hg5FJqjYcTM0kPyx3AoYK1MpRWO0T9V2ns=", + "zh:063466f41f1d9fd0dd93722840c1314f046d8760b1812fa67c34de0afcba5597", + "zh:08c058e367de6debdad35fc24d97131c7cf75103baec8279aba3506a08b53faf", + "zh:73ce6dff935150d6ddc6ac4a10071e02647d10175c173cfe5dca81f3d13d8afe", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8fdd792a626413502e68c195f2097352bdc6a0df694f7df350ed784741eb587e", + "zh:976bbaf268cb497400fd5b3c774d218f3933271864345f18deebe4dcbfcd6afa", + "zh:b21b78ca581f98f4cdb7a366b03ae9db23a73dfa7df12c533d7c19b68e9e72e5", + 
"zh:b7fc0c1615dbdb1d6fd4abb9c7dc7da286631f7ca2299fb9cd4664258ccfbff4", + "zh:d1efc942b2c44345e0c29bc976594cb7278c38cfb8897b344669eafbc3cddf46", + "zh:e356c245b3cd9d4789bab010893566acace682d7db877e52d40fc4ca34a50924", + "zh:ea98802ba92fcfa8cf12cbce2e9e7ebe999afbf8ed47fa45fc847a098d89468b", + "zh:eff8872458806499889f6927b5d954560f3d74bf20b6043409edf94d26cd906f", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "3.3.0" + constraints = ">= 2.2.0" + hashes = [ + "h1:A4xOtHhD4jCmn4nO1xCTk2Nl5IP5JpjicjF+Fuu2ZFQ=", + "zh:16140e8cc880f95b642b6bf6564f4e98760e9991864aacc8e21273423571e561", + "zh:16338b8457759c97fdd73153965d6063b037f2954fd512e569fcdc42b7fef743", + "zh:348bd44b7cd0c6d663bba36cecb474c17635a8f22b02187d034b8e57a8729c5a", + "zh:3832ac73c2335c0fac26138bacbd18160efaa3f06c562869acc129e814e27f86", + "zh:756d1e60690d0164eee9c93b498b4c8beabbfc1d8b7346cb6d2fa719055089d6", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:93b911bcddba8dadc5339edb004c8019c230ea67477c73c4f741c236dd9511b1", + "zh:c0c4e5742e8ac004c507540423db52af3f44b8ec04443aa8e14669340819344f", + "zh:c78296a1dff8ccd5d50203aac353422fc18d425072ba947c88cf5b46de7d32d2", + "zh:d7143f444e0f7e6cd67fcaf080398b4f1487cf05de3e0e79af6c14e22812e38b", + "zh:e600ac76b118816ad72132eee4c22ab5fc044f67c3babc54537e1fc1ad53d295", + "zh:fca07af5f591e12d2dc178a550da69a4847bdb34f8180a5b8e04fde6b528cf99", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/terragrunt.hcl new file mode 100644 index 000000000..4aef3ee18 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/200-eks/terragrunt.hcl 
@@ -0,0 +1,110 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/eks?ref=v2.0.29" +} + +dependency "vpc" { + config_path = "${get_terragrunt_dir()}/../150-vpc" + + mock_outputs = { + vpc_id = "vpc-abcd1234" + vpc_cidr_block = "10.0.0.0/16" + public_subnet_ids = ["subnet-abcd1234", "subnet-bcd1234a", ] + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. +# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + eks_cluster_version = "1.22" + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + aws_region = local.region_vars.locals.aws_region + 
environment_name = local.common_vars.locals.environment_name + tags = local.tags + + cluster_name = local.common_vars.locals.environment_name + + vpc_id = dependency.vpc.outputs.vpc_id + k8s_subnets = dependency.vpc.outputs.k8s_subnets + public_subnets = dependency.vpc.outputs.public_subnets + + cluster_version = local.eks_cluster_version + cluster_endpoint_public_access = true + cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"] + kubectl_binary = "/github/workspace/kubectl" + + aws_auth_roles = [ + { + rolearn = "arn:aws:iam::${get_aws_account_id()}:role/github_oidc_${local.common_vars.locals.environment_name}" + username = "github-actions-pipeline-access" + groups = ["system:masters"] + }, + { + rolearn = "arn:aws:iam::${get_aws_account_id()}:role/AWSReservedSSO_AdministratorAccess_1f8d5e80fd7b3359" + username = "sso-admin-users" + groups = ["system:masters"] + }, + ] + aws_auth_users = [ + { + userarn = "arn:aws:iam::${get_aws_account_id()}:user/gkan-temp" + username = "gkan-temp" + groups = ["system:masters"] + }, + ] + + eks_managed_node_groups = { + ng1 = { + create_launch_template = false + launch_template_name = "" + + # Doc: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group + # (Optional) Force version update if existing pods are unable to be drained due to a pod disruption budget issue. + force_update_version = true + + # doc: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami + # doc: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html + ami_type = "BOTTLEROCKET_x86_64" + platform = "bottlerocket" + version = local.eks_cluster_version + + disk_size = 20 + desired_size = 2 + max_size = 3 + min_size = 0 + instance_types = ["t3.medium"] + additional_tags = local.tags + k8s_labels = {} + } + } +} + 
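Review bot: `cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]` exposes the EKS API endpoint to the entire internet while `cluster_endpoint_public_access = true`; restricting the list to the CI runner and operator egress ranges, or keeping public access off and reaching the endpoint privately, removes the unauthenticated attack surface on the control plane. `aws_auth_users` maps the IAM user `gkan-temp` into `system:masters`, which is cluster-admin bound to a long-lived user credential; since the SSO administrator role is already mapped, the user entry should either be removed or carry a `# temporary: owner/expiry` comment so it is tracked. The `dependency "vpc"` mock outputs declare `vpc_id`, `vpc_cidr_block` and `public_subnet_ids`, but the inputs read `dependency.vpc.outputs.k8s_subnets` and `dependency.vpc.outputs.public_subnets`, so a `validate` run on the mocks will likely fail on the missing attributes; adding `k8s_subnets` and `public_subnets` entries (constructed placeholder subnet ids are fine) keeps the mocks usable. The pipeline role and the SSO role are both `system:masters`; a narrower group for the pipeline role, once the workflows are settled, keeps CI compromise from equalling cluster-admin.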
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/250-eks-cluster-autoscaler/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/250-eks-cluster-autoscaler/.terraform.lock.hcl new file mode 100644 index 000000000..249e4a68a --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/250-eks-cluster-autoscaler/.terraform.lock.hcl 
@@ -0,0 +1,77 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.13.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:wJ9zY+k27og9sc7A9VWVYUIGJQkXiWOd5B0UuQF8mOk=", + "zh:215226bc0372077d2ae6dba4e2f08f6361f8e4953d20bc4c682d40fdf5002544", + "zh:42777cbdc046181986c0260ea17027ef1364c31d73a57eb0ab539f6e1a3e0780", + "zh:78079d2f5fc35f3c43eb2a131cb49c2c77ddd04943bca97080f33355808d39cc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9c0404a044eae741f10f3d217dc28658e0f04082963918913b024d3305c11e79", + "zh:a1b5a53f60d4f7bff1cc84180fef6205c95b8793741dbc8c0564a6200424ca73", + "zh:ba6711064a855ddb55924342b70667e9bed660bde8552dc0bde4b7f8947a2ec4", + "zh:d0f77ed514d54f7380d7e1ef585d853f50f1bee381d6abbf3a68429b68de6045", + "zh:d5c454d2ac9aed01ae00c477192c93d54c8362357a87684a3171055dcec25f44", + "zh:dfd381ed7da945cb85b99df843ee7eab339dd1799fa70d1ad3e94331605aad01", + "zh:eb6dc84414714f61b9de0ac190c69f598af9b16d144a44f573df484c06c8d4ef", + "zh:f02e79599af3f8f63e4b885c5715be3a4060cbf98eb4bf46d616aa0d9f2b5cd3", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/250-eks-cluster-autoscaler/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/250-eks-cluster-autoscaler/terragrunt.hcl new file mode 100644 index 000000000..1d5e732e9 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/250-eks-cluster-autoscaler/terragrunt.hcl 
@@ -0,0 +1,66 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/cluster-autoscaler?ref=v1.0.12"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../200-eks"
+
+ mock_outputs = {
+ vpc_id = "vpc-abcd1234"
+ vpc_cidr_block = "10.0.0.0/16"
+ public_subnet_ids = ["subnet-abcd1234", "subnet-bcd1234a", ]
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.common_vars.locals.environment_name
+ eks_cluster_id = dependency.eks.outputs.cluster_id
+ eks_cluster_oidc_issuer_url = dependency.eks.outputs.cluster_oidc_issuer_url
+}
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/terraform.lock.hcl
new file mode 100644
index 000000000..e72c89124
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/terraform.lock.hcl
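Review bot: The `mock_outputs` on `dependency "eks"` (`vpc_id`, `vpc_cidr_block`, `public_subnet_ids`) do not include the two outputs this file actually reads, `dependency.eks.outputs.cluster_id` (in `generate "k8s_helm"` and `inputs`) and `dependency.eks.outputs.cluster_oidc_issuer_url`, so a `terragrunt validate` run before 200-eks has state fails on a missing attribute instead of using the mock. Mock the outputs that are consumed, e.g. `mock_outputs = { cluster_id = "mock-eks", cluster_oidc_issuer_url = "https://oidc.example.invalid/id/MOCK" }` (constructed placeholder values). The same mismatch appears in the 10-cert-manager, 20-issuers, 10-testkube and 20-infra-base terragrunt.hcl hunks, which mock `zone_id` on `eks` while reading `cluster_id`, and in the cert-manager pair the VPC fields sit on `route53_hosted_zone`, whose only consumed output is `zone_id`. Separately, every `terraform.source` in this commit is pinned to a git tag (`?ref=v1.0.12` here), which the upstream repository can move or re-tag; pinning `ref=` to the commit SHA the tag currently resolves to makes the module fetch reproducible and tamper-evident. `local.tags` is also built but never passed through `inputs`, here and in the other four terragrunt.hcl hunks; if the module accepts a `tags` variable add `tags = local.tags`, otherwise the local is dead weight.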
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.18.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:6gkWNVTtIlpniC188RP43f9PrcXG9v5CqQS2xw1dVgM=", + "zh:100a11324326bf849b4c85d3c40a81e485726eee99c5a229387b8485a7a8da8b", + "zh:2226bbf97101af90e43cd5606d8678f35d7e7b477657d9297c42a1bd2ed42750", + "zh:27d51694300c08c32312f8832b889c57a2821dc022d49d38f9b1e14810f8a3fb", + "zh:2b8792c76986facfd415f967c5d61022f7ceeaa46c158037fe8939e36d954f99", + "zh:3ea787967de772cc3a13469753080c8fa81be5aefc735d3753c7627f63c948e5", + "zh:64d58463cbb2b93d5202ef311a101890a1e083f9587f3eabb9f2e26dd0cf8f43", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b10eecf4c034a229712825124e7c0b765c5904648550dc8f844f68638531d337", + "zh:d9a3cc46e2746c40ea69bcfb2d12e765ee6bda3e1ed8ce73f272d492ff4836bb", + "zh:df625e57aa3b5fb3e4562da44daf6565289818ba2a7e66f86ad968b43fdb5148", + "zh:eaaa3a5d2a15a87b346e521872120a3ca7f6777a04226a55f51022eaf4097963", + "zh:ec6f4b00ae4f9d536f2a6c2e5a5f149867194268ce9068a9c348bc3e678fbfce", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/terragrunt.hcl new file mode 100644 index 000000000..39ff839d2 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/terragrunt.hcl 
@@ -0,0 +1,79 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/cert-manager?ref=v2.0.30"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+dependency "route53_hosted_zone" {
+ config_path = "${get_terragrunt_dir()}/../../../100-route53-hostedzone"
+
+ mock_outputs = {
+ vpc_id = "vpc-abcd1234"
+ vpc_cidr_block = "10.0.0.0/16"
+ public_subnet_ids = ["subnet-abcd1234", "subnet-bcd1234a", ]
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.common_vars.locals.environment_name
+ eks_cluster_id = dependency.eks.outputs.cluster_id
+ eks_cluster_oidc_issuer_url = dependency.eks.outputs.cluster_oidc_issuer_url
+ route53_hosted_zones = dependency.route53_hosted_zone.outputs.zone_id
+ domain_name = local.environment_vars.locals.domain_name
+ lets_encrypt_email = local.common_vars.locals.lets_encrypt_email
+ helm_values_2 = file("./values.yaml")
+}
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/values.yaml
new file mode 100644
index 000000000..ed97d539c
--- /dev/null
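Review bot: `route53_hosted_zones` (plural) is assigned the single scalar `dependency.route53_hosted_zone.outputs.zone_id`, here and in the 20-issuers hunk; if the module variable is a list this fails at plan time and should read `route53_hosted_zones = [dependency.route53_hosted_zone.outputs.zone_id]`, which cannot be confirmed from this diff because the module body behind `?ref=v2.0.30` is not shown. On style, this file and 20-issuers reference the module repository as `kubernetes-ops//…` while the 250-eks-cluster-autoscaler and testkube hunks use `kubernetes-ops.git//…`, and the values file is read as `file("./values.yaml")` here but `file("values.yaml")` in 10-testkube; one form for the whole repo would make the stacks grep-able. The `values.yaml` added for this stack is an empty document (`---`), so `helm_values_2` currently carries no overrides; a one-line comment in it such as `# No chart overrides yet; defaults from the cert-manager module apply.` would save the next reader a lookup.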
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/10-cert-manager/values.yaml
@@ -0,0 +1 @@
+---
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/20-issuers/terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/20-issuers/terraform.lock.hcl
new file mode 100644
index 000000000..9391e8334
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/20-issuers/terraform.lock.hcl
@@ -0,0 +1,72 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.18.0" + hashes = [ + "h1:6gkWNVTtIlpniC188RP43f9PrcXG9v5CqQS2xw1dVgM=", + "zh:100a11324326bf849b4c85d3c40a81e485726eee99c5a229387b8485a7a8da8b", + "zh:2226bbf97101af90e43cd5606d8678f35d7e7b477657d9297c42a1bd2ed42750", + "zh:27d51694300c08c32312f8832b889c57a2821dc022d49d38f9b1e14810f8a3fb", + "zh:2b8792c76986facfd415f967c5d61022f7ceeaa46c158037fe8939e36d954f99", + "zh:3ea787967de772cc3a13469753080c8fa81be5aefc735d3753c7627f63c948e5", + "zh:64d58463cbb2b93d5202ef311a101890a1e083f9587f3eabb9f2e26dd0cf8f43", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b10eecf4c034a229712825124e7c0b765c5904648550dc8f844f68638531d337", + "zh:d9a3cc46e2746c40ea69bcfb2d12e765ee6bda3e1ed8ce73f272d492ff4836bb", + "zh:df625e57aa3b5fb3e4562da44daf6565289818ba2a7e66f86ad968b43fdb5148", + "zh:eaaa3a5d2a15a87b346e521872120a3ca7f6777a04226a55f51022eaf4097963", + "zh:ec6f4b00ae4f9d536f2a6c2e5a5f149867194268ce9068a9c348bc3e678fbfce", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/20-issuers/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/20-issuers/terragrunt.hcl new file mode 100644 index 000000000..8966c7eb6 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/100-cert-manager/20-issuers/terragrunt.hcl 
@@ -0,0 +1,75 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/cert-manager-issuers?ref=v2.0.30"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+dependency "route53_hosted_zone" {
+ config_path = "${get_terragrunt_dir()}/../../../100-route53-hostedzone"
+
+ mock_outputs = {
+ vpc_id = "vpc-abcd1234"
+ vpc_cidr_block = "10.0.0.0/16"
+ public_subnet_ids = ["subnet-abcd1234", "subnet-bcd1234a", ]
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.common_vars.locals.environment_name
+ route53_hosted_zones = dependency.route53_hosted_zone.outputs.zone_id
+ domain_name = local.environment_vars.locals.domain_name
+ ingress_class = local.environment_vars.locals.ingress_class
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/terraform.lock.hcl
new file mode 100644
index 000000000..51af5b9bc
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/terraform.lock.hcl
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/terragrunt.hcl new file mode 100644 index 000000000..c9ab2044c --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/terragrunt.hcl 
@@ -0,0 +1,65 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ repository = "https://kubeshop.github.io/helm-charts"
+ official_chart_name = "testkube"
+ user_chart_name = "testkube"
+ helm_version = "1.0.25"
+ namespace = "testkube"
+ helm_values = file("values.yaml")
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/values.yaml
new file mode 100644
index 000000000..d4aca1fde
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/10-testkube/values.yaml
@@ -0,0 +1,3 @@
+# Doc: https://github.com/kubeshop/helm-charts/tree/main/charts/testkube
+# https://kubeshop.github.io
+---
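Review bot: Nothing in `inputs` here refers to `local.*`, so the whole `locals` block (`common_vars`, `region_vars`, `environment_vars`, `tags`) is dead code in this file, yet the three `read_terragrunt_config(find_in_parent_folders(...))` calls are still evaluated and will fail the stack if `common.hcl`, `region.hcl` or `environment.hcl` is absent; the same holds for the 20-infra-base hunk, whose `inputs = {}`. Either pass what the `helm_generic` module can take (e.g. `tags = local.tags`, if it accepts such a variable) or trim the block to what is used. The chart is pinned only by `helm_version = "1.0.25"` from `https://kubeshop.github.io/helm-charts`, which fixes the version but not the content behind it; if `helm_generic` exposes chart verification (provenance or digest) it is worth wiring in here, and if it does not, a comment noting that this is a version-only pin tells the next reader what was checked.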
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/20-infra-base/terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/20-infra-base/terraform.lock.hcl new file mode 100644 index 000000000..51af5b9bc --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/20-infra-base/terraform.lock.hcl 
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/20-infra-base/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/20-infra-base/terragrunt.hcl new file mode 100644 index 000000000..4038ba667 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/20-infra-base/terragrunt.hcl 
@@ -0,0 +1,58 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/testkube/base-tests/test-suites/infra-base?ref=v2.0.11"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/30-local-tests/terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/30-local-tests/terraform.lock.hcl
new file mode 100644
index 000000000..51af5b9bc
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/30-local-tests/terraform.lock.hcl
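Review bot: The `# MODULE PARAMETERS` header states "These are the variables we have to pass in to use the module", but the block it introduces is `inputs = {}`, so the comment contradicts the code directly beneath it. Replace that explanatory line with `# This module currently takes no inputs.`, or, if `infra-base?ref=v2.0.11` declares variables with defaults that are deliberately left alone, name them in the comment so the empty map reads as a choice rather than an omission. The `dependency "eks"` block above is then only there to feed `generate "k8s_helm"`, which a short comment on the dependency (`# Needed only for the generated provider config`) would make explicit.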
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/30-local-tests/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/30-local-tests/terragrunt.hcl new file mode 100644 index 000000000..d0dd9acbe --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/110-testkube/30-local-tests/terragrunt.hcl 
@@ -0,0 +1,64 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ // This is an example on how to structure your testkube so that you can use the kubernetes-ops `base-tests`
+ // and have your own `local` tests (this directory). While this `local` directory resides in this kubernetes-ops
+ // repo, it is really meant to go into your own repo and you can reference the source from there. The reason
+ // is that the set of tests here in this module is specific to you and really to no one else.
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/testkube/local?ref=main"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ app_namespace = "my-app"
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/.terraform.lock.hcl
new file mode 100644
index 000000000..12be14605
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/.terraform.lock.hcl
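Review bot: The module `source` in this hunk pins to `?ref=main`, a mutable branch, while every other terragrunt.hcl in this commit pins a release tag (`v2.0.11`, `v2.0.31`, `v2.0.4`); the module content that `terragrunt apply` runs against the cluster can therefore change without any change to this repository. Pin it the same way, `source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/testkube/local?ref=<release tag>"` (placeholder), even though the in-file comment says this directory is meant to be copied elsewhere. Separately, the lock file added for this directory is named `terraform.lock.hcl` without the leading dot, which appears to mean `terraform init` will not read it and the provider hashes recorded in it are not enforced.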
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/README.md b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/README.md new file mode 100644 index 000000000..18eb1bc9f --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/README.md @@ -0,0 +1,3 @@ +# external-dns + +Source chart: https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/terragrunt.hcl new file mode 100644 index 000000000..80160fe2c --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/terragrunt.hcl 
@@ -0,0 +1,77 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/external-dns?ref=v2.0.31"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+dependency "route53_hosted_zone" {
+ config_path = "${get_terragrunt_dir()}/../../100-route53-hostedzone"
+
+ mock_outputs = {
+ vpc_id = "vpc-abcd1234"
+ vpc_cidr_block = "10.0.0.0/16"
+ public_subnet_ids = ["subnet-abcd1234", "subnet-bcd1234a", ]
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ aws_region = local.region_vars.locals.aws_region
+ cluster_name = local.common_vars.locals.environment_name
+ eks_cluster_id = dependency.eks.outputs.cluster_id
+ eks_cluster_oidc_issuer_url = dependency.eks.outputs.cluster_oidc_issuer_url
+ route53_hosted_zones = dependency.route53_hosted_zone.outputs.zone_id
+ helm_values_2 = file("values.yaml")
+}
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/values.yaml
new file mode 100644
index 000000000..ae3047085
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/120-external-dns/values.yaml
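Review bot: The `route53_hosted_zone` dependency's `mock_outputs` carry VPC-shaped values (`vpc_id`, `vpc_cidr_block`, `public_subnet_ids`) while `inputs` reads `dependency.route53_hosted_zone.outputs.zone_id`, so the mock set looks copied from a VPC dependency and a mocked `validate` will presumably fail on the missing `zone_id`; `mock_outputs = { zone_id = "ZMOCKZONE" }` (constructed value) matches what is actually read. The `eks` mock has the inverse problem — its `zone_id` belongs to the Route53 dependency, while `cluster_id` and `cluster_oidc_issuer_url` are what this file reads. `route53_hosted_zones` is plural but receives a single `zone_id` string; confirm it against the module's variable type, since that value is what should narrow the external-dns IRSA policy to one hosted zone rather than the whole account.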
@@ -0,0 +1,14 @@
+---
+sources:
+ - service
+ - ingress
+ # # Enabling externa-dns to watch for hostnames in these resources to add DNS entries
+ # # This PR has to be merged before the external-dns will have permissions to watch the istio resources
+ # # https://github.com/kubernetes-sigs/external-dns/pull/2248
+ # # To enable this, you need to add the following to the clusterrole: external-dns
+ # # - apiGroups: ["networking.istio.io"]
+ # # resources: ["gateways", "virtualservices"]
+ # # verbs: ["get","watch","list"]
+ # # Then you can enable the following or external-dns will crash
+ # - istio-gateway
+ # - istio-virtualservice
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/.terraform.lock.hcl
new file mode 100644
index 000000000..12be14605
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/.terraform.lock.hcl
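Review bot: The values file enables the `service` and `ingress` sources but sets no `domainFilters`, so with the chart defaults the controller presumably considers every hosted zone its IAM role can reach rather than only the zone passed in from terragrunt; add `domainFilters: ["<zone-domain>"]` (placeholder) so the Kubernetes-side scope matches the AWS-side one. Making the record policy explicit, `policy: upsert-only`, also keeps a later chart upgrade from silently switching to `sync`, which would let the controller delete records it did not create. Whether the module already narrows the IRSA policy to the single zone ID is not visible in this commit — confirm before relying on that alone. The commented-out Istio block is fine to keep for later, but the `externa-dns` typo in it is worth fixing while the file is new.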
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/terragrunt.hcl new file mode 100644 index 000000000..9006edd76 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/terragrunt.hcl 
@@ -0,0 +1,73 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/external-secrets/install?ref=v2.0.4"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+
+ # Extract the region for easy access
+ aws_region = local.region_vars.locals.aws_region
+
+ secrets_prefix = "${local.common_vars.locals.environment_name}/"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ eks_cluster_oidc_issuer_url = dependency.eks.outputs.cluster_oidc_issuer_url
+ helm_values = templatefile(
+ "values.tpl.yaml",
+ {
+ aws_region = local.aws_region
+ }
+ )
+ environment_name = local.common_vars.locals.environment_name
+ secrets_prefix = local.secrets_prefix
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/values.tpl.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/values.tpl.yaml
new file mode 100644
index 000000000..f9bccae48
--- /dev/null
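Review bot: `secrets_prefix` is the one local in this file that looks like it bounds what this cluster's external-secrets installation may read, and it carries no comment explaining that or why it ends in `/`. Suggested comment above it: `# Only secrets under "<environment_name>/" are meant to be readable from this cluster; the trailing slash presumably keeps a prefix like "dev" from also matching "dev2" — TODO confirm the install module uses this value in the IRSA policy`. The same short explanation on the `secrets_prefix` input would tell the next reader that the value is a security boundary and not just a naming convention.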
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/10-external-secrets/values.tpl.yaml
@@ -0,0 +1,4 @@
+---
+env:
+ AWS_REGION: ${aws_region}
+ AWS_DEFAULT_REGION: ${aws_region}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/.terraform.lock.hcl
new file mode 100644
index 000000000..12be14605
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/.terraform.lock.hcl
@@ -0,0 +1,73 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + constraints = ">= 2.23.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/template" { + version = "2.2.0" + hashes = [ + "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", + "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", + "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", + "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", + "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", + "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", + "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", + "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", + 
"zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", + "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/terragrunt.hcl new file mode 100644 index 000000000..75f2647f2 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/130-external-secrets/20-external-secret-store/terragrunt.hcl 
@@ -0,0 +1,60 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/external-secrets/secret_store?ref=v2.0.4"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ environment_name = local.common_vars.locals.environment_name
+}
\ No newline at end of file
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/.terraform.lock.hcl
new file mode 100644
index 000000000..51af5b9bc
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/.terraform.lock.hcl
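Review bot: This file ends without a trailing newline (the `\ No newline at end of file` marker after the closing `+}`), unlike its siblings in the commit; add the final newline so `terragrunt hclfmt` and the next edit do not churn that line. The `region_vars` and `environment_vars` locals are loaded but never referenced in this file; if they are kept for parity with the other stacks, a one-line comment saying so, `# loaded for parity with sibling stacks; unused here`, stops a reader from hunting for a use.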
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.19.0" + hashes = [ + "h1:4vAZv9/3q5z78CV+YAumfuaoSNSNwAXDEhI/XnGVM5E=", + "zh:22820bfa0065f583298015367f8dc015dffa5b19b76dbd78ecf5da8d7d599573", + "zh:31a5c5fade4bd30dbc2b15f448cebb9ed527793c607e8687d3b2101bcf2c4471", + "zh:37c9e469e51aa835a5542510561397541de08b62fc15292588382932624fcf88", + "zh:398bfe1ba7428ef03293c6618067ddd8c0aaae8bbe764177ae951259228af724", + "zh:4610f5a93ef956103d719ae73872a52ecd6cb321452c26a879896348bc27eed9", + "zh:4a0d570dc5f01f41538b4eb70086a00dfb25c5d00fd27c950ac209d3609486f6", + "zh:4fb65ce84801f82a3beb4e2cb72c5d52ca04d4717ed3890b206da346f02d5def", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:9bb3919bd6d94fb22025540f0c1db5eceec8927bd71b8fbdcd295609c999065f", + "zh:ce2623a13f74677cdb948607e456ce00407c57333b8310d5c9d053fc3defbc78", + "zh:e0d57e8784e6ccfa96fdd07ae1ddcc947be242bc11e7a5dd16b520b4204e0d09", + "zh:f988b7c37e95a5b3a493a6b9dcc5ed270136f97d5c0effa84a51940f71626c12", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istio_base_values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istio_base_values.yaml new file mode 100644 index 000000000..ed97d539c --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istio_base_values.yaml @@ -0,0 +1 @@ +--- 
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istio_ingress_values.tpl.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istio_ingress_values.tpl.yaml
new file mode 100644
index 000000000..6fd6e68de
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istio_ingress_values.tpl.yaml
@@ -0,0 +1,32 @@
+gateways:
+ istio-ingressgateway:
+ # ports:
+ # ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # # Note that AWS ELB will by default perform health checks on the first port
+ # # on this list. Setting this to the health check port will ensure that health
+ # # checks always work. https://github.com/istio/istio/issues/12503
+ # - port: 15021
+ # targetPort: 15021
+ # name: status-port
+ # protocol: TCP
+ # - port: 80
+ # targetPort: 8080
+ # name: http2
+ # protocol: TCP
+ # # Routing 443/TLS to the http/clear port for now since we have not decided to use cert-manager yet
+ # # To route it to Istio 443, it needs a cert.
+ # # example: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/
+ # - port: 443
+ # targetPort: 8080
+ # name: http
+ # protocol: TCP
+ serviceAnnotations:
+ # Setting to an internal load balancer
+ # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ # service.beta.kubernetes.io/aws-load-balancer-internal: "true"
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-west-2:xxxxxxx:certificate/78124ddf-1051-4672-b410-30ca9cf4f05c
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
+ service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
+ # service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
+ external-dns.alpha.kubernetes.io/hostname: "*.${domain_name},my-app.${domain_name},my-app2.${domain_name}"
+ service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istiod_values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istiod_values.yaml
new file mode 100644
index 000000000..9fe81b876
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/istiod_values.yaml
@@ -0,0 +1,10 @@
+---
+## Discovery Settings
+# pilot:
+# # Resources for a small pilot install
+# # This setting is for development only. It is recommended to comment this out for production systems
+# # and use the istio defaults.
+# resources:
+# requests:
+# cpu: 10m
+# memory: 256Mi
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/terragrunt.hcl
new file mode 100644
index 000000000..91730e3f2
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/10-istio/terragrunt.hcl
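Review bot: `service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"` and `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http` are active while the `aws-load-balancer-ssl-cert` annotation that would give the load balancer a certificate is commented out, so these two lines declare TLS termination at the NLB with nothing to terminate it; since the Gateway added in 30-gw-vs terminates TLS in the ingress gateway with the `domain-wildcard` secret, they look like leftovers from an ELB-termination setup and should be removed (or the ssl-cert annotation restored if LB termination is the intent). The comment `# Routing 443/TLS to the http/clear port for now since we have not decided to use cert-manager yet` is stale in this same commit, which adds a cert-manager Certificate in 20-domain-wildcard-cert. With `aws-load-balancer-internal` commented out the NLB is internet-facing, which matters for everything published behind it (see the Kiali ingress in 40-istio-kiali); a one-line comment stating that this is intentional would help the next reader.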
@@ -0,0 +1,69 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/istio?ref=v2.0.17"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ helm_values_istio_base = file("istio_base_values.yaml")
+ helm_values_istiod = file("istiod_values.yaml")
+ helm_values_istio_ingress = templatefile(
+ "istio_ingress_values.tpl.yaml",
+ {
+ domain_name = local.environment_vars.locals.domain_name
+ }
+ )
+}
+
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/.terraform.lock.hcl
new file mode 100644
index 000000000..1a5f057c0
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/.terraform.lock.hcl
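Review bot: `source` pins the module by git tag (`?ref=v2.0.17`) rather than by commit, and a tag in a remote repository can be moved, so the module contents this environment applies are not fixed by the file alone; pin to a commit SHA, or keep the tag and record the SHA it resolved to in a comment next to the `source` line. The same applies to the `?ref=` pins in the secret_store, 20-domain-wildcard-cert, 30-gw-vs and 40-istio-kiali terragrunt.hcl hunks.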
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.0" + hashes = [ + "h1:NXdDdRzdG5s1m7Rl+hkY01CNiICtEOD5K81qKtSTLWA=", + "zh:391819f7bf5c6662a71ea534aad1b1260a45153ac74a5d5e6580e86caea215e4", + "zh:466171f08033d1e59b6aac0a9a64bc283b25c859b80e65f20d3072dffcf3123b", + "zh:4b15d65fc61150eef699e6e29459ab0f90585e0fa80f969cbe2b9d9913d073a0", + "zh:52c6bb6c50111074068f7e650ea5185116fcaa164f82663ca11c46e7ba8e603f", + "zh:90fd88d533fc38f5e8133fdcf404009f36054aa70de429ac1971d7124039f305", + "zh:9202423fc4a846e97ba8d3c1e7c61b27cad39784ba4409a31553b564de97111d", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:c0b72cfac66b408154df4d3fe1e5e5d8a26a04a275017e5e281e0ef2e8887a66", + "zh:cab020c10ed25288d15f2d1333adf0813943024da2c092e9e4035352ddbcafc7", + "zh:d7255656761ff549aa377afb9c69ea917e5a1120c5a2f572440fe7e936476bb6", + "zh:df90cfae77566a51c1668832fde0700cadcfb6de96d09a2b1a097220fab8a6fb", + "zh:e9ee20ff5aa693c7cf5890ff15331134c471d13c57affa993d45e75c8b912000", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.6.0" + hashes = [ + "h1:rGVucCeYAqklKupwoLVG5VPQTIkUhO7WGcw3WuHYrm8=", + "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8", + "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5", + "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b", + "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381", + "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c", + "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814", + "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456", + "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5", + "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44", + 
"zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c", + "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/terragrunt.hcl new file mode 100644 index 000000000..e8c282c3e --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/terragrunt.hcl 
@@ -0,0 +1,66 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kubernetes/manifest_set?ref=v2.0.12"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ upload_source_path = "./"
+ upload_directory = "yaml"
+ fileset_pattern = "**/*.yaml"
+ template_vars = {
+ namespace = "istio-system"
+ domain_name = local.environment_vars.locals.domain_name
+ }
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/yaml/certificate.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/yaml/certificate.yaml
new file mode 100644
index 000000000..02a391146
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/20-domain-wildcard-cert/yaml/certificate.yaml
@@ -0,0 +1,18 @@
+# This requires a functioning cert-manager
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: domain-wildcard
+ namespace: ${namespace}
+spec:
+ secretName: domain-wildcard # use this secret name in the nginx-ingress definition
+ commonName: "*.${domain_name}"
+ dnsNames:
+ - "*.${domain_name}"
+ issuerRef:
+ name: letsencrypt-prod-dns01
+ # We can reference ClusterIssuers by changing the kind here.
+ # The default value is Issuer (i.e. a locally namespaced Issuer)
+ kind: ClusterIssuer
+ group: cert-manager.io
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/.terraform.lock.hcl
new file mode 100644
index 000000000..1a5f057c0
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/.terraform.lock.hcl
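Review bot: The inline comment `# use this secret name in the nginx-ingress definition` names the wrong consumer; in this commit the secret is consumed as `credentialName: domain-wildcard` by the Istio Gateway in 30-gw-vs/yaml/gateway.yaml, so the comment should read `# referenced as credentialName by the Istio Gateway in 30-gw-vs/yaml/gateway.yaml`. The header should also name the second precondition: `issuerRef` assumes a ClusterIssuer called `letsencrypt-prod-dns01` already exists and nothing in this commit creates it, so `# This requires a functioning cert-manager` could become `# This requires a functioning cert-manager and a ClusterIssuer named letsencrypt-prod-dns01`. The Certificate is rendered into `${namespace}` (istio-system, from terragrunt.hcl), which as far as I recall is where Istio expects a gateway's `credentialName` secret to live, so a comment noting that the namespace must match the ingress gateway's would make the coupling explicit.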
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.0" + hashes = [ + "h1:NXdDdRzdG5s1m7Rl+hkY01CNiICtEOD5K81qKtSTLWA=", + "zh:391819f7bf5c6662a71ea534aad1b1260a45153ac74a5d5e6580e86caea215e4", + "zh:466171f08033d1e59b6aac0a9a64bc283b25c859b80e65f20d3072dffcf3123b", + "zh:4b15d65fc61150eef699e6e29459ab0f90585e0fa80f969cbe2b9d9913d073a0", + "zh:52c6bb6c50111074068f7e650ea5185116fcaa164f82663ca11c46e7ba8e603f", + "zh:90fd88d533fc38f5e8133fdcf404009f36054aa70de429ac1971d7124039f305", + "zh:9202423fc4a846e97ba8d3c1e7c61b27cad39784ba4409a31553b564de97111d", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:c0b72cfac66b408154df4d3fe1e5e5d8a26a04a275017e5e281e0ef2e8887a66", + "zh:cab020c10ed25288d15f2d1333adf0813943024da2c092e9e4035352ddbcafc7", + "zh:d7255656761ff549aa377afb9c69ea917e5a1120c5a2f572440fe7e936476bb6", + "zh:df90cfae77566a51c1668832fde0700cadcfb6de96d09a2b1a097220fab8a6fb", + "zh:e9ee20ff5aa693c7cf5890ff15331134c471d13c57affa993d45e75c8b912000", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.6.0" + hashes = [ + "h1:rGVucCeYAqklKupwoLVG5VPQTIkUhO7WGcw3WuHYrm8=", + "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8", + "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5", + "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b", + "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381", + "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c", + "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814", + "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456", + "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5", + "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44", + 
"zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c", + "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/terragrunt.hcl new file mode 100644 index 000000000..e8c282c3e --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/terragrunt.hcl 
@@ -0,0 +1,66 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kubernetes/manifest_set?ref=v2.0.12"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ upload_source_path = "./"
+ upload_directory = "yaml"
+ fileset_pattern = "**/*.yaml"
+ template_vars = {
+ namespace = "istio-system"
+ domain_name = local.environment_vars.locals.domain_name
+ }
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/yaml/gateway.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/yaml/gateway.yaml
new file mode 100644
index 000000000..f049a9ff1
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/30-gw-vs/yaml/gateway.yaml
@@ -0,0 +1,28 @@
+# Doc: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/#configure-a-tls-ingress-gateway-for-a-single-host
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: main-gateway
+ namespace: ${namespace}
+spec:
+ selector:
+ # use Istio default gateway implementation
+ app: istio-ingressgateway
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: domain-wildcard # This should match the Certificate secretName
+ hosts:
+ - "*" # This should match a DNS name in the Certificate
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/.terraform.lock.hcl
new file mode 100644
index 000000000..6bbc21268
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/.terraform.lock.hcl
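Review bot: The HTTPS server's `hosts: - "*"` contradicts its own comment `# This should match a DNS name in the Certificate`; the certificate in 20-domain-wildcard-cert is issued for `*.${domain_name}` and `domain_name` is already in this module's `template_vars`, so the entry should be `- "*.${domain_name}"` on both servers, which also stops VirtualServices in any namespace from binding unrelated hostnames to this gateway. The port-80 server serves plaintext alongside the TLS listener with no redirect; if the intent is TLS-only now that a certificate exists, add `tls:` with `httpsRedirect: true` under the `number: 80` server. `networking.istio.io/v1alpha3` still works but `v1beta1` has been the documented version for some time — confirm against the Istio release the 10-istio module installs.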
@@ -0,0 +1,57 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "4.5.0" + hashes = [ + "h1:6y12cTFaxpFv4qyU3gkV9M15eSBBrgInoKY1iaHuhvg=", + "zh:0573de96ba316d808be9f8d6fc8e8e68e0e6b614ed4d707bd236c4f7b46ac8b1", + "zh:37560469042f5f43fdb961eb6e6b0a8f95057df68af2c1168d5b8c66ddcb1512", + "zh:44bb4f6bc1f58e19b8bf7041f981a2549a351762d17dd39654eb24d1fa7991c7", + "zh:53af6557b68e547ac5c02cfd0e47ef63c8e9edfacf46921ccc97d73c0cd362c9", + "zh:578a583f69a8e5947d66b2b9d6969690043b6887f6b574263be7ef05f82a82ad", + "zh:6c2d42f30db198a4e7badd7f8037ef9bd951cfd6cf40328c6a7eed96801a374e", + "zh:758f3fc4d833dbdda57a4db743cbbddc8fd8c0492df47771b848447ba7876ce5", + "zh:78241bd45e2f6102055787b3697849fee7e9c28a744ba59cad956639c1aca07b", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a3a7f4699c097c7b8364d05a5df9f3bd5d005fd5736c28ec5dc8f8c0ee340512", + "zh:bf875483bf2ad6cfb4029813328cdcd9ea40f50b9f1c265f4e742fe8cc456157", + "zh:f4722596e8b5f012013f87bf4d2b7d302c248a04a144de4563b3e3f754a30c51", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.4.1" + hashes = [ + "h1:CLb4n9f/hLyqqq0zbc+h5SuNOB7KnO65qOOb+ohwsKA=", + "zh:07517b24ea2ce4a1d3be3b88c3efc7fb452cd97aea8fac93ca37a08a8ec06e14", + "zh:11ef6118ed03a1b40ff66adfe21b8707ece0568dae1347ddfbcff8452c0655d5", + "zh:1ae07e9cc6b088a6a68421642c05e2fa7d00ed03e9401e78c258cf22a239f526", + "zh:1c5b4cd44033a0d7bf7546df930c55aa41db27b70b3bca6d145faf9b9a2da772", + "zh:256413132110ddcb0c3ea17c7b01123ad2d5b70565848a77c5ccc22a3f32b0dd", + "zh:4ab46fd9aadddef26604382bc9b49100586647e63ef6384e0c0c3f010ff2f66e", + "zh:5a35d23a9f08c36fceda3cef7ce2c7dc5eca32e5f36494de695e09a5007122f0", + "zh:8e9823a1e5b985b63fe283b755a821e5011a58112447d42fb969c7258ed57ed3", + "zh:8f79722eba9bf77d341edf48a1fd51a52d93ec31d9cac9ba8498a3a061ea4a7f", + 
"zh:b2ea782848b10a343f586ba8ee0cf4d7ff65aa2d4b144eea5bbd8f9801b54c67", + "zh:e72d1ccf8a75d8e8456c6bb4d843fd4deb0e962ad8f167fa84cf17f12c12304e", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.8.0" + hashes = [ + "h1:tfU8BStZIt2d6KIGTRNjWb09zeVzh3UFGNRGVgFce+A=", + "zh:0cf42c17c05ae5f0f5eb4b2c375dd2068960b97392e50823e47b2cee7b5e01be", + "zh:29e3751eceae92c7400a17fe3a5394ed761627bcadfda66e7ac91d6485c37927", + "zh:2d95584504c651e1e2e49fbb5fae1736e32a505102c3dbd2c319b26884a7d3d5", + "zh:4a5f1d915c19e7c7b4f04d7d68f82db2c872dad75b9e6f33a6ddce43aa160405", + "zh:4b959187fd2c884a4c6606e1c4edc7b506ec4cadb2742831f37aca1463eb349d", + "zh:5e76a2b81c93d9904d50c2a703845f79d2b080c2f87c07ef8f168592033d638f", + "zh:c5aa21a7168f96afa4b4776cbd7eefd3e1f47d48430dce75c7f761f2d2fac77b", + "zh:d45e8bd98fc6752ea087e744efdafb209e7ec5a4224f9affee0a24fb51d26bb9", + "zh:d4739255076ed7f3ac2a06aef89e8e48a87667f3e470c514ce2185c0569cc1fb", + "zh:dbd2f11529a422ffd17040a70c0cc2802b7f1be2499e976dc22f1138d022b1b4", + "zh:dbd5357082b2485bb9978bce5b6d508d6b431d15c53bfa1fcc2781131826b5d8", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/README.md b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/README.md new file mode 100644 index 000000000..87b4655ed --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/README.md @@ -0,0 +1,8 @@ +# Istio Kiali + +Docs: https://kiali.io/docs/installation/installation-guide/install-with-helm/ + +Helm chart: https://github.com/kiali/helm-charts/blob/master/kiali-operator + +Release numbers can be found here: +* https://kiali.io/news/release-notes/ 
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/terragrunt.hcl new file mode 100644 index 000000000..74cdac150 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/terragrunt.hcl 
@@ -0,0 +1,69 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9" +} + +dependency "eks" { + config_path = "${get_terragrunt_dir()}/../../../200-eks" + + mock_outputs = { + zone_id = "zzzz" + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# Generate a Kubernetes provider configuration for authenticating against the EKS cluster. +generate "k8s_helm" { + path = "k8s_helm_provider.tf" + if_exists = "overwrite_terragrunt" + contents = templatefile( + find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"), + { + eks_cluster_name = dependency.eks.outputs.cluster_id, + kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt") + }, + ) +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. 
+# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + repository = "https://kiali.org/helm-charts" + official_chart_name = "kiali-operator" + user_chart_name = "kiali-operator" + helm_version = "1.53.0" + namespace = "kiali-operator" + helm_values = templatefile( + "./values.yaml", { + domain_name = local.environment_vars.locals.domain_name + }, + ) +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/values.yaml new file mode 100644 index 000000000..41b2d3a75 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/200-istio/40-istio-kiali/values.yaml 
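Review bot: `source` references `helm_generic?ref=v1.0.9`, a 1.x tag, while every other module in this commit is pinned to a v2.0.x tag of the same repository; confirm the 1.x helm_generic module is still the intended one rather than a copy-paste from an older environment. If v1.0.9 is deliberate, a comment next to the `source` line saying why this module lags the others would save the next reader the check.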
@@ -0,0 +1,44 @@
+# CR spec: https://kiali.io/docs/configuration/kialis.kiali.io/
+cr:
+ create: true
+ namespace: istio-system
+
+ # Kiali operator CRD spec/config
+ # the CRD kind is "Kiali"
+ spec:
+ auth:
+ strategy: anonymous
+
+ external_services:
+ prometheus:
+ # Prometheus service name is "metrics" and is in the "telemetry" namespace
+ url: "http://prometheus-operated.monitoring.svc:9090/"
+
+ deployment:
+ ingress:
+ # default: additional_labels is empty
+ additional_labels:
+ ingressAdditionalLabel: "ingressAdditionalLabelValue"
+ class_name: "istio"
+ # default: enabled is undefined
+ enabled: true
+ # default: override_yaml is undefined
+ override_yaml:
+ metadata:
+ annotations:
+ kubernetes.io/ingress.class: istio
+ spec:
+ rules:
+ - host: "kiali-p2.${domain_name}"
+ http:
+ paths:
+ - path: "/kiali"
+ pathType: Prefix
+ backend:
+ service:
+ name: kiali
+ port:
+ number: 20001
+ tls:
+ - hosts:
+ - "kiali-p2.${domain_name}"
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/.terraform.lock.hcl
new file mode 100644
index 000000000..7a596a156
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/.terraform.lock.hcl
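Review bot: `auth.strategy: anonymous` is paired with an Istio ingress that publishes Kiali at `kiali-p2.${domain_name}`, so anyone who can reach that hostname gets the Kiali UI without a login, including mesh topology and Istio configuration and, presumably (unless `deployment.view_only_mode` is set), write access through Kiali's service account. For an ingress-exposed instance use `strategy: openid` or `token`, or keep anonymous only if the ingress is restricted to internal clients. The comment above `url:` still claims the Prometheus service is "metrics" in the "telemetry" namespace while the URL points at `prometheus-operated.monitoring.svc:9090`; replace it with `# kube-prometheus-stack Prometheus in the "monitoring" namespace`. The `tls:` entry lists a host but no `secretName`, so TLS is presumably terminated by the Istio gateway rather than by this Ingress object; worth confirming.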
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.18.0" + hashes = [ + "h1:6gkWNVTtIlpniC188RP43f9PrcXG9v5CqQS2xw1dVgM=", + "zh:100a11324326bf849b4c85d3c40a81e485726eee99c5a229387b8485a7a8da8b", + "zh:2226bbf97101af90e43cd5606d8678f35d7e7b477657d9297c42a1bd2ed42750", + "zh:27d51694300c08c32312f8832b889c57a2821dc022d49d38f9b1e14810f8a3fb", + "zh:2b8792c76986facfd415f967c5d61022f7ceeaa46c158037fe8939e36d954f99", + "zh:3ea787967de772cc3a13469753080c8fa81be5aefc735d3753c7627f63c948e5", + "zh:64d58463cbb2b93d5202ef311a101890a1e083f9587f3eabb9f2e26dd0cf8f43", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:b10eecf4c034a229712825124e7c0b765c5904648550dc8f844f68638531d337", + "zh:d9a3cc46e2746c40ea69bcfb2d12e765ee6bda3e1ed8ce73f272d492ff4836bb", + "zh:df625e57aa3b5fb3e4562da44daf6565289818ba2a7e66f86ad968b43fdb5148", + "zh:eaaa3a5d2a15a87b346e521872120a3ca7f6777a04226a55f51022eaf4097963", + "zh:ec6f4b00ae4f9d536f2a6c2e5a5f149867194268ce9068a9c348bc3e678fbfce", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/terragrunt.hcl new file mode 100644 index 000000000..c0a05c698 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/terragrunt.hcl 
@@ -0,0 +1,67 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/kube-prometheus-stack?ref=v2.0.13"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ helm_values = templatefile(
+ "values.yaml",
+ {
+ domain_name = local.environment_vars.locals.domain_name
+ }
+ )
+}
+
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/values.yaml
new file mode 100644
index 000000000..fa9f8f1d9
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/210-kube-prometheus-stack/10-kube-prometheus-stack/values.yaml
@@ -0,0 +1,265 @@
+---
+namespaceOverride: monitoring
+
+prometheus:
+ prometheusSpec:
+ storageSpec:
+ volumeClaimTemplate:
+ spec:
+ # storageClassName: gluster
+ accessModes: ["ReadWriteOnce"]
+ resources:
+ requests:
+ storage: 50Gi
+ additionalScrapeConfigs:
+ # Istio scrap endpoints
+ # Doc: https://istio.io/latest/docs/ops/integrations/prometheus/#option-2-customized-scraping-configurations
+ - job_name: 'istiod'
+ kubernetes_sd_configs:
+ - role: endpoints
+ namespaces:
+ names:
+ - istio-system
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: istiod;http-monitoring
+ - job_name: 'envoy-stats'
+ metrics_path: /stats/prometheus
+ kubernetes_sd_configs:
+ - role: pod
+
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_container_port_name]
+ action: keep
+ regex: '.*-envoy-prom'
+ # End of istio scrape endpoints
+
+grafana:
+ adminPassword: prom-operator
+ ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: istio
+ hosts:
+ - grafana.${domain_name}
+ tls:
+ - hosts:
+ - grafana.${domain_name} # This should match a DNS name in the Certificate
+ # Istio doc: https://istio.io/latest/docs/ops/integrations/certmanager/#kubernetes-ingress
+ # If using istio and using the domain-wildcard cert, the cert-manager kind: certificate
+ # should be created in the istio-system namespace.
+ secretName: domain-wildcard # This should match the Certificate secretName
+ additionalDataSources:
+ # - name: loki
+ # access: proxy
+ # basicAuth: false
+ # basicAuthPassword: pass
+ # basicAuthUser: daco
+ # editable: false
+ # jsonData:
+ # tlsSkipVerify: true
+ # orgId: 1
+ # type: loki
+ # url: http://loki-stack:3100
+ # isDefault: false
+ # version: 1
+ - name: Tempo
+ type: tempo
+ access: proxy
+ orgId: 1
+ url: http://tempo:3100
+ basicAuth: false
+ isDefault: false
+ version: 1
+ editable: false
+ apiVersion: 1
+ uid: tempo
+ ## dashboardProviders is required when importing "dashboards"
+ dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'default'
+ orgId: 1
+ folder: ''
+ type: file
+ disableDeletion: false
+ editable: true
+ options:
+ path: /var/lib/grafana/dashboards/default
+ dashboards:
+ default:
+ k8s-cluster-summary:
+ gnetId: 8685
+ revision: 1
+ datasource: Prometheus
+ node-exporter-full:
+ gnetId: 1860
+ revision: 21
+ datasource: Prometheus
+ prometheus-2-0-overview:
+ gnetId: 3662
+ revision: 2
+ datasource: Prometheus
+ stians-disk-graphs:
+ gnetId: 9852
+ revision: 1
+ datasource: Prometheus
+ kubernetes-apiserver:
+ gnetId: 12006
+ revision: 1
+ datasource: Prometheus
+ ingress-nginx:
+ gnetId: 9614
+ revision: 1
+ datasource: Prometheus
+ ingress-nginx2:
+ gnetId: 11875
+ revision: 1
+ datasource: Prometheus
+ istio-mesh:
+ gnetId: 7639
+ revision: 54
+ datasource: Prometheus
+ istio-performance:
+ gnetId: 11829
+ revision: 54
+ datasource: Prometheus
+ istio-service:
+ gnetId: 7636
+ revision: 54
+ datasource: Prometheus
+ istio-workload:
+ gnetId: 7630
+ revision: 54
+ datasource: Prometheus
+ istio-control-plane:
+ gnetId: 7645
+ revision: 54
+ datasource: Prometheus
+
+## Configuration for alertmanager
+## ref: https://prometheus.io/docs/alerting/alertmanager/
+##
+alertmanager:
+
+ ingress:
+ enabled: false
+
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: 
alertmanager.internal.managedkube.com
+ kubernetes.io/ingress.class: nginx-external
+ # certmanager.k8s.io/cluster-issuer: prod
+ # certmanager.k8s.io/acme-http01-edit-in-place: "true"
+
+ hosts:
+ - alertmanager.internal.managedkube.com
+
+ tls:
+ - secretName: cert-manager-tls-cert
+ hosts:
+ - alertmanager.internal.managedkube.com
+
+ alertmanagerSpec:
+ alertmanagerConfigSelector:
+ matchLabels:
+ # The `AlertmanagerConfig` configs must have this label for
+ # this alert manager to include in the config.
+ release: kube-prometheus-stack
+
+ ## AlermanagerConfig to be used as top level configuration
+ ## doc: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/alerting.md#specify-global-alertmanager-config
+ ## This "alertmanagerconfig" must exist for the Alert Manager to startup
+ alertmanagerConfiguration:
+ name: global-alert-config
+
+ # Alertmanager configuration directives
+ # ref: https://prometheus.io/docs/alerting/configuration/#configuration-file
+ # https://prometheus.io/webtools/alerting/routing-tree-editor/
+ #
+ # config:
+ # route:
+ # receiver: 'null'
+ # routes:
+ # ## This alert always "fires" and it is there to give you an alert to check your entire
+ # ## alerting pipeline. Use this "Watchdog" alert for testing a system.
+ # ## Uncommenting it means that it will send this alert to null and wont alert anything
+ # ## Commenting this out means that it will send this alert through your alerting pipeline.
+ # - match:
+ # alertname: Watchdog
+ # receiver: 'null'
+ # continue: true
+ # - match:
+ # alertname: KubeControllerManagerDown
+ # receiver: 'null'
+ # - match:
+ # alertname: KubeProxyDown
+ # receiver: 'null'
+ # - match:
+ # alertname: KubeSchedulerDown
+ # receiver: 'null'
+
+ # - match_re:
+ # severity: critical|page|alert|none
+ # receiver: slack
+ # continue: true
+ # - match:
+ # severity: warning
+ # receiver: slack
+ # continue: true
+
+ # - matchers:
+ # - matchType: =~
+ # name: severity
+ # value: critical|warning|none
+ # receiver: slack
+
+ # - match_re:
+ # severity: critical|page|alert
+ # receiver: pagerduty-critical
+ # continue: true
+
+ # receivers:
+ # - name: 'null'
+
+ # - name: 'monitoring/alert-config/slack-ops'
+ # slack_configs:
+ # - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+ # channel: alerts_ops
+ # send_resolved: true
+ # text: |-
+ # {{ range .Alerts }}
+ # Annotations:
+ # {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+ # {{ end }}
+ # Details:
+ # {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+ # {{ end }}
+ # {{ end }}
+ # title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+ # title_link: https://alertmanager.internal.managedkube.com
+ # username: slack-kube1
+
+ # - name: 'slack-warning'
+ # slack_configs:
+ # - api_url: https://hooks.slack.com/services/xxx/xxx/xxx
+ # channel: kube-alerts
+ # send_resolved: true
+ # text: |-
+ # {{ range .Alerts }}
+ # Annotations:
+ # {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }}
+ # {{ end }}
+ # Details:
+ # {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }}
+ # {{ end }}
+ # {{ end }}
+ # title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}'
+ # title_link: https://alertmanager.internal.managedkube.com
+ # username: slack-warning-dev-us
+
+ 
# - name: 'pagerduty-critical'
+ # pagerduty_configs:
+ # - service_key: xxxxx
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/.terraform.lock.hcl
new file mode 100644
index 000000000..5d076ada3
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/.terraform.lock.hcl
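Review bot: `grafana.adminPassword: prom-operator` commits the chart's well-known default admin password in plaintext while the same block exposes Grafana through the Istio ingress at `grafana.${domain_name}`, so the admin credential for an externally reachable UI is effectively public. Prefer the grafana subchart's `admin.existingSecret` (with `admin.userKey`/`admin.passwordKey`) referencing a Secret created outside this repository, or at minimum inject the value through the same templatefile variables as `domain_name` instead of hard-coding it. The `alertmanager.ingress` hostnames are hard-coded to `alertmanager.internal.managedkube.com` while Grafana uses `${domain_name}`; they are inert while `enabled: false` but will diverge from the environment's domain the moment the ingress is switched on, so `alertmanager.${domain_name}` would keep the two consistent.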
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.1" + hashes = [ + "h1:HHfwMYY0FDtMzaGgITqsPIBlUWnQNZ5+bTF1dyscsnw=", + "zh:21d064d8fac08376c633e002e2f36e83eb7958535e251831feaf38f51c49dafd", + "zh:3a37912ff43d89ce8d559ec86265d7506801bccb380c7cfb896e8ff24e3fe79d", + "zh:795eb175c85279ec51dbe12e4d1afa0860c2c0b22e5d36a8e8869f60a93b7931", + "zh:8afb61a18b17f8ff249cb23e9d3b5d2530944001ef1d56c1d53f41b0890c7ab8", + "zh:911701040395e0e4da4b7252279e7cf1593cdd26f22835e1a9eddbdb9691a1a7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a46d54a6a5407f569f8178e916af888b2b268f86448c64cad165dc89759c8399", + "zh:c5f71fd5e3519a24fd6af455ef1c26a559cfdde7f626b0afbd2a73bb79f036b1", + "zh:df3b69d6c9b0cdc7e3f90ee08412b22332c32e97ad8ce6ccad528f89f235a7d3", + "zh:e99d6a64c03549d60c2accf792fa04466cfb317f72e895c8f67eff8a02920887", + "zh:eea7a0df8bcb69925c9ce8e15ef403c8bbf16d46c43e8f5607b116531d1bce4a", + "zh:f6a26ce77f7db1d50ce311e32902fd001fb365e5e45e47a9a5cd59d734c89cb6", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} \ No newline at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/terragrunt.hcl new file mode 100644 index 000000000..464a5a1ed --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/terragrunt.hcl 
@@ -0,0 +1,67 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ repository = "https://grafana.github.io/helm-charts"
+ official_chart_name = "loki-stack"
+ user_chart_name = "loki-stack"
+ helm_version = "2.3.1"
+ namespace = "monitoring"
+ helm_values = file("values.yaml")
+}
+
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/values.yaml
new file mode 100644
index 000000000..a1c8a3e8e
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/220-grafana-loki/10-grafana-loki/values.yaml
@@ -0,0 +1,43 @@
+---
+loki:
+ enabled: true
+
+ persistence:
+ enabled: true
+ accessModes:
+ - ReadWriteOnce
+ size: 20Gi
+
+promtail:
+ enabled: true
+
+ # https://grafana.com/docs/loki/latest/installation/helm/#run-promtail-with-systemd-journal-support
+ extraScrapeConfigs:
+ - job_name: journal
+ journal:
+ path: /var/log/journal
+ max_age: 12h
+ labels:
+ job: systemd-journal
+ relabel_configs:
+ - source_labels: ['__journal__systemd_unit']
+ target_label: 'unit'
+ - source_labels: ['__journal__hostname']
+ target_label: 'hostname'
+
+ # Mount journal directory into promtail pods
+ extraVolumes:
+ - name: journal
+ hostPath:
+ path: /var/log/journal
+
+ extraVolumeMounts:
+ - name: journal
+ mountPath: /var/log/journal
+ readOnly: true
+
+fluent-bit:
+ enabled: false
+
+grafana:
+ enabled: false
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/.terraform.lock.hcl
new file mode 100644
index 000000000..5d076ada3
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/.terraform.lock.hcl
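Review bot: The journal scrape depends on a `hostPath` mount of `/var/log/journal`, which gives promtail the node's entire systemd journal (every unit's logs, not just container stdout) and requires the target namespace to permit hostPath volumes, which the Pod Security `baseline` and `restricted` levels reject; `readOnly: true` is set, which is the right minimum. If the EKS node AMI keeps a volatile journal under `/run/log/journal` rather than a persistent one, `/var/log/journal` will presumably be empty or absent on the host and the job collects nothing without an error, so confirm the AMI's journald storage setting before relying on it. A comment such as `# hostPath: the monitoring namespace must allow hostPath volumes (not Pod Security baseline/restricted)` above `extraVolumes` would make the privilege requirement explicit to the next operator.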
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.1" + hashes = [ + "h1:HHfwMYY0FDtMzaGgITqsPIBlUWnQNZ5+bTF1dyscsnw=", + "zh:21d064d8fac08376c633e002e2f36e83eb7958535e251831feaf38f51c49dafd", + "zh:3a37912ff43d89ce8d559ec86265d7506801bccb380c7cfb896e8ff24e3fe79d", + "zh:795eb175c85279ec51dbe12e4d1afa0860c2c0b22e5d36a8e8869f60a93b7931", + "zh:8afb61a18b17f8ff249cb23e9d3b5d2530944001ef1d56c1d53f41b0890c7ab8", + "zh:911701040395e0e4da4b7252279e7cf1593cdd26f22835e1a9eddbdb9691a1a7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a46d54a6a5407f569f8178e916af888b2b268f86448c64cad165dc89759c8399", + "zh:c5f71fd5e3519a24fd6af455ef1c26a559cfdde7f626b0afbd2a73bb79f036b1", + "zh:df3b69d6c9b0cdc7e3f90ee08412b22332c32e97ad8ce6ccad528f89f235a7d3", + "zh:e99d6a64c03549d60c2accf792fa04466cfb317f72e895c8f67eff8a02920887", + "zh:eea7a0df8bcb69925c9ce8e15ef403c8bbf16d46c43e8f5607b116531d1bce4a", + "zh:f6a26ce77f7db1d50ce311e32902fd001fb365e5e45e47a9a5cd59d734c89cb6", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} \ No newline at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/terragrunt.hcl new file mode 100644 index 000000000..33ea4d614 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/terragrunt.hcl 
@@ -0,0 +1,65 @@
+# Include all settings from the root terragrunt.hcl file
+include {
+ path = find_in_parent_folders()
+}
+
+terraform {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
+}
+
+dependency "eks" {
+ config_path = "${get_terragrunt_dir()}/../../../200-eks"
+
+ mock_outputs = {
+ zone_id = "zzzz"
+ }
+ mock_outputs_allowed_terraform_commands = ["validate", ]
+}
+
+# Generate a Kubernetes provider configuration for authenticating against the EKS cluster.
+generate "k8s_helm" {
+ path = "k8s_helm_provider.tf"
+ if_exists = "overwrite_terragrunt"
+ contents = templatefile(
+ find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"),
+ {
+ eks_cluster_name = dependency.eks.outputs.cluster_id,
+ kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt")
+ },
+ )
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# Locals are named constants that are reusable within the configuration.
+# ---------------------------------------------------------------------------------------------------------------------
+locals {
+ # Load common variables shared across all accounts
+ common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl"))
+
+ # Load region-level variables
+ region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+
+ # Load environment-level variables
+ environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl"))
+
+ tags = {
+ ops_env = local.common_vars.locals.environment_name
+ ops_managed_by = "terraform"
+ ops_source_repo = local.common_vars.locals.repository_name
+ ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}"
+ ops_owners = "devops"
+ }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# These are the variables we have to pass in to use the module specified in the terragrunt configuration above
+# ---------------------------------------------------------------------------------------------------------------------
+inputs = {
+ repository = "https://grafana.github.io/helm-charts"
+ official_chart_name = "tempo"
+ user_chart_name = "tempo"
+ helm_version = "0.14.2"
+ namespace = "monitoring"
+ helm_values = file("values.yaml")
+}
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/values.yaml
new file mode 100644
index 000000000..ba012228a
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/10-grafana-tempo-server-single/values.yaml
@@ -0,0 +1,8 @@
+# source: https://github.com/grafana/helm-charts/tree/main/charts/tempo
+---
+persistence:
+ enabled: true
+ # storageClassName: local-path
+ accessModes:
+ - ReadWriteOnce
+ size: 25Gi
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/.terraform.lock.hcl
new file mode 100644
index 000000000..5d076ada3
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/.terraform.lock.hcl
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.1" + hashes = [ + "h1:HHfwMYY0FDtMzaGgITqsPIBlUWnQNZ5+bTF1dyscsnw=", + "zh:21d064d8fac08376c633e002e2f36e83eb7958535e251831feaf38f51c49dafd", + "zh:3a37912ff43d89ce8d559ec86265d7506801bccb380c7cfb896e8ff24e3fe79d", + "zh:795eb175c85279ec51dbe12e4d1afa0860c2c0b22e5d36a8e8869f60a93b7931", + "zh:8afb61a18b17f8ff249cb23e9d3b5d2530944001ef1d56c1d53f41b0890c7ab8", + "zh:911701040395e0e4da4b7252279e7cf1593cdd26f22835e1a9eddbdb9691a1a7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a46d54a6a5407f569f8178e916af888b2b268f86448c64cad165dc89759c8399", + "zh:c5f71fd5e3519a24fd6af455ef1c26a559cfdde7f626b0afbd2a73bb79f036b1", + "zh:df3b69d6c9b0cdc7e3f90ee08412b22332c32e97ad8ce6ccad528f89f235a7d3", + "zh:e99d6a64c03549d60c2accf792fa04466cfb317f72e895c8f67eff8a02920887", + "zh:eea7a0df8bcb69925c9ce8e15ef403c8bbf16d46c43e8f5607b116531d1bce4a", + "zh:f6a26ce77f7db1d50ce311e32902fd001fb365e5e45e47a9a5cd59d734c89cb6", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} \ No newline at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/terragrunt.hcl new file mode 100644 index 000000000..1e3ff1ff7 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/terragrunt.hcl 
@@ -0,0 +1,65 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9" +} + +dependency "eks" { + config_path = "${get_terragrunt_dir()}/../../../200-eks" + + mock_outputs = { + zone_id = "zzzz" + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# Generate a Kubernetes provider configuration for authenticating against the EKS cluster. +generate "k8s_helm" { + path = "k8s_helm_provider.tf" + if_exists = "overwrite_terragrunt" + contents = templatefile( + find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"), + { + eks_cluster_name = dependency.eks.outputs.cluster_id, + kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt") + }, + ) +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. 
+# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + repository = "https://open-telemetry.github.io/opentelemetry-helm-charts" + official_chart_name = "opentelemetry-operator" + user_chart_name = "opentelemetry-operator" + helm_version = "0.6.6" + namespace = "monitoring" + helm_values = file("values.yaml") +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/values.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/values.yaml new file mode 100644 index 000000000..66a800f50 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/20-opentelemetry-operator/values.yaml 
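Review bot: `source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"` pins the module to a git tag, and tags are mutable, so a force-pushed tag on that repository silently changes what `terragrunt apply` executes with whatever cluster credentials the generated Helm provider carries. Prefer `?ref=<commit-sha>` for anything that runs against the cluster and keep the tag name in a trailing comment for readability. The chart itself is pinned (`helm_version = "0.6.6"`), which is good, but the opentelemetry-operator chart ships admission webhooks that, depending on chart defaults, expect cert-manager to be present; the empty values.yaml in this change does not show how that is satisfied, so confirm before apply. Note also that `mock_outputs` defines only `zone_id` while the generate block reads `dependency.eks.outputs.cluster_id`, so `terragrunt validate` with mocks is likely to fail on the missing attribute.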
@@ -0,0 +1,2 @@
+# source: https://github.com/open-telemetry/opentelemetry-helm-charts/tree/main/charts/opentelemetry-operator
+---
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/.terraform.lock.hcl
new file mode 100644
index 000000000..1a5f057c0
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/.terraform.lock.hcl
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.0" + hashes = [ + "h1:NXdDdRzdG5s1m7Rl+hkY01CNiICtEOD5K81qKtSTLWA=", + "zh:391819f7bf5c6662a71ea534aad1b1260a45153ac74a5d5e6580e86caea215e4", + "zh:466171f08033d1e59b6aac0a9a64bc283b25c859b80e65f20d3072dffcf3123b", + "zh:4b15d65fc61150eef699e6e29459ab0f90585e0fa80f969cbe2b9d9913d073a0", + "zh:52c6bb6c50111074068f7e650ea5185116fcaa164f82663ca11c46e7ba8e603f", + "zh:90fd88d533fc38f5e8133fdcf404009f36054aa70de429ac1971d7124039f305", + "zh:9202423fc4a846e97ba8d3c1e7c61b27cad39784ba4409a31553b564de97111d", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:c0b72cfac66b408154df4d3fe1e5e5d8a26a04a275017e5e281e0ef2e8887a66", + "zh:cab020c10ed25288d15f2d1333adf0813943024da2c092e9e4035352ddbcafc7", + "zh:d7255656761ff549aa377afb9c69ea917e5a1120c5a2f572440fe7e936476bb6", + "zh:df90cfae77566a51c1668832fde0700cadcfb6de96d09a2b1a097220fab8a6fb", + "zh:e9ee20ff5aa693c7cf5890ff15331134c471d13c57affa993d45e75c8b912000", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.6.0" + hashes = [ + "h1:rGVucCeYAqklKupwoLVG5VPQTIkUhO7WGcw3WuHYrm8=", + "zh:0ac248c28acc1a4fd11bd26a85e48ab78dd6abf0f7ac842bf1cd7edd05ac6cf8", + "zh:3d32c8deae3740d8c5310136cc11c8afeffc350fbf88afaca0c34a223a5246f5", + "zh:4055a27489733d19ca7fa2dfce14d323fe99ae9dede7d0fea21ee6db0b9ca74b", + "zh:58a8ed39653fd4c874a2ecb128eccfa24c94266a00e349fd7fb13e22ad81f381", + "zh:6c81508044913f25083de132d0ff81d083732aba07c506cc2db05aa0cefcde2c", + "zh:7db5d18093047bfc4fe597f79610c0a281b21db0d61b0bacb3800585e976f814", + "zh:8269207b7422db99e7be80a5352d111966c3dfc7eb98511f11c8ff7b2e813456", + "zh:b1d7ababfb2374e72532308ff442cc906b79256b66b3fe7a98d42c68c4ddf9c5", + "zh:ca63e226cbdc964a5d63ef21189f059ce45c3fa4a5e972204d6916a9177d2b44", + 
"zh:d205a72d60e8cc362943d66f5bcdd6b6aaaa9aab2b89fd83bf6f1978ac0b1e4c", + "zh:db47dc579a0e68e5bfe3a61f2e950e6e2af82b1f388d1069de014a937962b56a", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/terragrunt.hcl new file mode 100644 index 000000000..9b82d5c62 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/terragrunt.hcl 
@@ -0,0 +1,63 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kubernetes/manifest_set?ref=v2.0.12" +} + +dependency "eks" { + config_path = "${get_terragrunt_dir()}/../../../200-eks" + + mock_outputs = { + zone_id = "zzzz" + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# Generate a Kubernetes provider configuration for authenticating against the EKS cluster. +generate "k8s_helm" { + path = "k8s_helm_provider.tf" + if_exists = "overwrite_terragrunt" + contents = templatefile( + find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"), + { + eks_cluster_name = dependency.eks.outputs.cluster_id, + kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt") + }, + ) +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. 
+# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + upload_source_path = "./" + upload_directory = "yaml" + fileset_pattern = "**/*.yaml" + template_vars = {} +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/yaml/collector.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/yaml/collector.yaml new file mode 100644 index 000000000..4e61fda63 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/230-opentelemetry/30-opentelemetry-collector/yaml/collector.yaml 
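Review bot: `mock_outputs` for `dependency "eks"` defines only `zone_id`, yet the `generate "k8s_helm"` block dereferences `dependency.eks.outputs.cluster_id`; under `terragrunt validate` (the only command permitted by `mock_outputs_allowed_terraform_commands`) the mock object has no `cluster_id` attribute and evaluation should fail, so the mock looks copied from a DNS module rather than written for this one. Suggest `mock_outputs = { cluster_id = "mock-cluster" }`, adding `zone_id` only if something here actually reads it. Separately, `fileset_pattern = "**/*.yaml"` with `upload_source_path = "./"` applies every YAML file under this directory as a cluster manifest, so a stray file dropped here ships to the cluster on the next apply — worth a comment on that line, or a narrower pattern such as `yaml/*.yaml`.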
@@ -0,0 +1,34 @@
+# Source: https://github.com/open-telemetry/opentelemetry-helm-charts/tree/main/charts/opentelemetry-operator#deployment-mode
+# Docs: https://opentelemetry.io/docs/collector/configuration/
+# https://github.com/open-telemetry/opentelemetry-collector/tree/main/exporter
+---
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+metadata:
+ name: opentelemtry-collector
+ namespace: monitoring
+spec:
+ mode: deployment # This configuration is omittable.
+ config: |
+ receivers:
+ otlp:
+ protocols:
+ grpc:
+ http:
+ zipkin:
+ jaeger:
+ protocols:
+ thrift_compact:
+ processors:
+ batch:
+ exporters:
+ otlp:
+ endpoint: tempo:4317
+ tls:
+ insecure: true
+ service:
+ pipelines:
+ traces:
+ receivers: [otlp, zipkin, jaeger]
+ processors: [batch]
+ exporters: [otlp]
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/README.md b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/README.md
new file mode 100644
index 000000000..0d548dbd3
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/README.md
@@ -0,0 +1,7 @@
+# This is a set of pods that will generate APM metrics into the setup so that you
+# can view the spans in Grafana. There are two apps in here
+
+# app 1: opentelemtry-example-app - this app has a frontend and a backend. You will
+# have to port forward to this app and visit the website to induce any action
+
+# Inspired source: https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/examples/tracing/docker-compose.yml
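Review bot: The OTLP exporter ships traces to `tempo:4317` with `tls: insecure: true`, and the `otlp`, `zipkin` and `jaeger` receivers are declared with no `endpoint` or authentication extension, so the collector accepts spans from any workload that can reach the pod and forwards them in plaintext; that may be acceptable for a dev cluster, but it should be a recorded decision rather than a default. Add `# plaintext in-cluster hop; Tempo is not configured for TLS here — revisit before prod` above `insecure: true`, and consider a NetworkPolicy limiting ingress to the `monitoring` namespace and the sample-app namespaces. `metadata.name: opentelemtry-collector` is misspelled, but both sample apps already hard-code `opentelemtry-collector-collector.monitoring.svc:9411`, so a rename has to land in all three places in one change or the Zipkin reporters break.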
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/.terraform.lock.hcl new file mode 100644 index 000000000..5d076ada3 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/.terraform.lock.hcl 
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.1" + hashes = [ + "h1:HHfwMYY0FDtMzaGgITqsPIBlUWnQNZ5+bTF1dyscsnw=", + "zh:21d064d8fac08376c633e002e2f36e83eb7958535e251831feaf38f51c49dafd", + "zh:3a37912ff43d89ce8d559ec86265d7506801bccb380c7cfb896e8ff24e3fe79d", + "zh:795eb175c85279ec51dbe12e4d1afa0860c2c0b22e5d36a8e8869f60a93b7931", + "zh:8afb61a18b17f8ff249cb23e9d3b5d2530944001ef1d56c1d53f41b0890c7ab8", + "zh:911701040395e0e4da4b7252279e7cf1593cdd26f22835e1a9eddbdb9691a1a7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a46d54a6a5407f569f8178e916af888b2b268f86448c64cad165dc89759c8399", + "zh:c5f71fd5e3519a24fd6af455ef1c26a559cfdde7f626b0afbd2a73bb79f036b1", + "zh:df3b69d6c9b0cdc7e3f90ee08412b22332c32e97ad8ce6ccad528f89f235a7d3", + "zh:e99d6a64c03549d60c2accf792fa04466cfb317f72e895c8f67eff8a02920887", + "zh:eea7a0df8bcb69925c9ce8e15ef403c8bbf16d46c43e8f5607b116531d1bce4a", + "zh:f6a26ce77f7db1d50ce311e32902fd001fb365e5e45e47a9a5cd59d734c89cb6", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} \ No newline at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/helm_values.tpl.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/helm_values.tpl.yaml new file mode 100644 index 000000000..c8bb8fda7 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/helm_values.tpl.yaml 
@@ -0,0 +1,80 @@
+replicaCount: ${replica_count}
+
+fullnameOverride: ${fullname_override}
+namespace: ${namespace}
+
+deployment:
+ containers:
+ - name: ${fullname_override}
+ image:
+ repository: ${docker_repository}
+ tag: ${docker_tag}
+ pullPolicy: Always
+
+ args: [
+ "Frontend"
+ ]
+
+ env:
+ base:
+ - name: JAVA_OPTS
+ value: "-Dspring.zipkin.baseUrl=http://opentelemtry-collector-collector.monitoring.svc:9411"
+ perEnv: []
+
+ ports:
+ - name: http
+ protocol: TCP
+ containerPort: 8081
+ servicePort: 8081
+
+ingress:
+ enabled: false
+ annotations:
+ kubernetes.io/ingress.class: istio
+ # kubernetes.io/tls-acme: "true"
+ paths:
+ - path: /
+ pathType: Prefix
+ servicePort: 8081
+ hosts:
+ - sample-app-1.${domain_name}
+ tls:
+ - hosts:
+ - sample-app-1.${domain_name}
+ # Istio doc: https://istio.io/latest/docs/ops/integrations/certmanager/#kubernetes-ingress
+ # If using istio and using the domain-wildcard cert, the cert-manager kind: certificate
+ # should be created in the istio-system namespace.
+ secretName: domain-wildcard # This should match the Certificate secretName
+ ingressClass:
+ enabled: true
+ # Docs: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingressclass-scope
+ spec:
+ controller: istio.io/ingress-controller
+
+#
+# Istio virtual service
+#
+istio:
+ ##
+ ## https://istio.io/latest/docs/reference/config/networking/virtual-service/
+ virtualService:
+ enabled: true
+ apiVersion: networking.istio.io/v1alpha3
+ gateways:
+ # /gateway-name
+ - istio-system/main-gateway
+ hosts:
+ - sample-app-1.${domain_name}
+ ##
+ ## The definition for the http, tls, tcp, etc. Per the istio virtual service doc
+ ## This template will just put everything under "protocolDefinition" into the virtualservice
+ protocolDefinition:
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ port:
+ number: 8081
+ host: ${fullname_override}
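Review bot: `istio.virtualService.enabled: true` bound to `istio-system/main-gateway` with host `sample-app-1.${domain_name}` publishes this example application on the environment's domain with nothing in front of it, while the README added in this same commit says the app is reached by port-forwarding; one of the two is wrong. If external exposure is not intended, set `enabled: false` (the frontend still reaches the backend and the collector through in-cluster services); if it is intended, put an authorization policy on the gateway route and document it here. `pullPolicy: Always` combined with a `${docker_tag}` that the terragrunt locals set to `latest` also means every pod restart can pull different code onto a reachable host, so pin the tag before exposing it.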
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/terragrunt.hcl new file mode 100644 index 000000000..4ee3dc6df --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/app/terragrunt.hcl 
@@ -0,0 +1,88 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9" +} + +dependency "eks" { + config_path = "${get_terragrunt_dir()}/../../../200-eks" + + mock_outputs = { + zone_id = "zzzz" + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# Generate a Kubernetes provider configuration for authenticating against the EKS cluster. +generate "k8s_helm" { + path = "k8s_helm_provider.tf" + if_exists = "overwrite_terragrunt" + contents = templatefile( + find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"), + { + eks_cluster_name = dependency.eks.outputs.cluster_id, + kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt") + }, + ) +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. 
+# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } + + namespace = "500-sample-app-opentel-1" + fullname_override = "opentelemtry-example-app" + replica_count = 1 + docker_repository = "openzipkin/example-sleuth-webmvc" + docker_tag = "latest" +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + # this is the helm repo add URL + repository = "https://helm-charts.managedkube.com" + # This is the helm repo add name + official_chart_name = "standard-application" + # This is what you want to name the chart when deploying + user_chart_name = local.fullname_override + # The helm chart version you want to use + helm_version = "1.0.28" + # The namespace you want to install the chart into - it will create the namespace if it doesnt exist + namespace = local.namespace + # The helm chart values file + helm_values = templatefile( + "./helm_values.tpl.yaml", + { + fullname_override = local.fullname_override + 
namespace = local.namespace + replica_count = local.replica_count + docker_repository = local.docker_repository + docker_tag = local.docker_tag + domain_name = local.environment_vars.locals.domain_name + } + ) +} + diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/.terraform.lock.hcl new file mode 100644 index 000000000..5d076ada3 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/.terraform.lock.hcl 
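Review bot: `docker_tag = "latest"` for `openzipkin/example-sleuth-webmvc` makes the deployment non-reproducible and pulls whatever the Docker Hub tag currently points at, with `pullPolicy: Always` in the values template guaranteeing the pull happens on every restart; pin to a fixed tag or, if the chart's `image.tag` accepts it, a `@sha256:` digest, and note the review date in a comment. `helm_version = "1.0.28"` here but `"1.0.26"` in the sibling backend module for the same `standard-application` chart — align them so both halves of the sample render from the same templates. The `dependency "eks"` mock provides `zone_id` while the generate block reads `cluster_id`, the same mismatch as in the other modules in this change.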
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.1" + hashes = [ + "h1:HHfwMYY0FDtMzaGgITqsPIBlUWnQNZ5+bTF1dyscsnw=", + "zh:21d064d8fac08376c633e002e2f36e83eb7958535e251831feaf38f51c49dafd", + "zh:3a37912ff43d89ce8d559ec86265d7506801bccb380c7cfb896e8ff24e3fe79d", + "zh:795eb175c85279ec51dbe12e4d1afa0860c2c0b22e5d36a8e8869f60a93b7931", + "zh:8afb61a18b17f8ff249cb23e9d3b5d2530944001ef1d56c1d53f41b0890c7ab8", + "zh:911701040395e0e4da4b7252279e7cf1593cdd26f22835e1a9eddbdb9691a1a7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a46d54a6a5407f569f8178e916af888b2b268f86448c64cad165dc89759c8399", + "zh:c5f71fd5e3519a24fd6af455ef1c26a559cfdde7f626b0afbd2a73bb79f036b1", + "zh:df3b69d6c9b0cdc7e3f90ee08412b22332c32e97ad8ce6ccad528f89f235a7d3", + "zh:e99d6a64c03549d60c2accf792fa04466cfb317f72e895c8f67eff8a02920887", + "zh:eea7a0df8bcb69925c9ce8e15ef403c8bbf16d46c43e8f5607b116531d1bce4a", + "zh:f6a26ce77f7db1d50ce311e32902fd001fb365e5e45e47a9a5cd59d734c89cb6", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} \ No newline at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/helm_values.tpl.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/helm_values.tpl.yaml new file mode 100644 index 000000000..77ba3bf35 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/helm_values.tpl.yaml 
@@ -0,0 +1,44 @@
+replicaCount: ${replica_count}
+
+fullnameOverride: ${fullname_override}
+namespace: ${namespace}
+
+deployment:
+ containers:
+ - name: ${fullname_override}
+ image:
+ repository: ${docker_repository}
+ tag: ${docker_tag}
+ pullPolicy: Always
+
+ args: [
+ "Backend"
+ ]
+
+ env:
+ base:
+ - name: JAVA_OPTS
+ value: "-Dspring.zipkin.baseUrl=http://opentelemtry-collector-collector.monitoring.svc:9411"
+ perEnv: []
+
+ ports:
+ - name: http
+ protocol: TCP
+ containerPort: 9000
+ servicePort: 9000
+
+# ingress:
+# enabled: false
+# annotations:
+# kubernetes.io/ingress.class: nginx-external
+# # kubernetes.io/tls-acme: "true"
+# paths:
+# - path: /
+# servicePort: http
+# hosts:
+# - ops.x2.exactpay.com
+# tls: []
+# # - secretName: chart-example-tls
+# # hosts:
+# # - chart-example.local
+
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/terragrunt.hcl
new file mode 100644
index 000000000..939aa15b7
--- /dev/null
+++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/500-sample-app-opentel-1/backend/terragrunt.hcl
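Review bot: The commented-out `ingress` block carries `ops.x2.exactpay.com`, a hostname unrelated to this environment's `${domain_name}`; dead configuration like this leaks naming from wherever it was copied and invites someone to uncomment it against the wrong domain, so delete the block instead of leaving it commented. `JAVA_OPTS` points the Zipkin reporter at `http://opentelemtry-collector-collector.monitoring.svc:9411`, a plaintext in-cluster hop that also depends on the misspelled collector name; a comment such as `# host must match metadata.name of the OpenTelemetryCollector in 230-opentelemetry (operator appends "-collector")` would save the next person a debugging round, with the suffix behaviour hedged since it is inferred from the two names rather than shown here.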
@@ -0,0 +1,86 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9" +} + +dependency "eks" { + config_path = "${get_terragrunt_dir()}/../../../200-eks" + + mock_outputs = { + zone_id = "zzzz" + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# Generate a Kubernetes provider configuration for authenticating against the EKS cluster. +generate "k8s_helm" { + path = "k8s_helm_provider.tf" + if_exists = "overwrite_terragrunt" + contents = templatefile( + find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"), + { + eks_cluster_name = dependency.eks.outputs.cluster_id, + kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt") + }, + ) +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. 
+# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } + + namespace = "500-sample-app-opentel-1" + fullname_override = "backend" + replica_count = 1 + docker_repository = "openzipkin/example-sleuth-webmvc" + docker_tag = "latest" +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + # this is the helm repo add URL + repository = "https://helm-charts.managedkube.com" + # This is the helm repo add name + official_chart_name = "standard-application" + # This is what you want to name the chart when deploying + user_chart_name = local.fullname_override + # The helm chart version you want to use + helm_version = "1.0.26" + # The namespace you want to install the chart into - it will create the namespace if it doesnt exist + namespace = local.namespace + # The helm chart values file + helm_values = templatefile( + "./helm_values.tpl.yaml", + { + fullname_override = local.fullname_override + namespace = 
local.namespace + replica_count = local.replica_count + docker_repository = local.docker_repository + docker_tag = local.docker_tag + } + ) +} diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/.terraform.lock.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/.terraform.lock.hcl new file mode 100644 index 000000000..5d076ada3 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/.terraform.lock.hcl 
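Review bot: `helm_version = "1.0.26"` while the sibling `app/terragrunt.hcl` in this same change uses `1.0.28` of the same `standard-application` chart; the two halves of one sample should track one chart version, so bump this to `"1.0.28"` or move the version into a shared local. `docker_tag = "latest"` together with `pullPolicy: Always` in the values template means the backend image can change underneath you on any reschedule — pin to a fixed tag or digest. `mock_outputs` supplies only `zone_id` although the generate block dereferences `dependency.eks.outputs.cluster_id`; add `cluster_id = "mock-cluster"` so `terragrunt validate` has something to resolve.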
@@ -0,0 +1,56 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. +provider "registry.terraform.io/hashicorp/aws" { + version = "4.20.1" + hashes = [ + "h1:HHfwMYY0FDtMzaGgITqsPIBlUWnQNZ5+bTF1dyscsnw=", + "zh:21d064d8fac08376c633e002e2f36e83eb7958535e251831feaf38f51c49dafd", + "zh:3a37912ff43d89ce8d559ec86265d7506801bccb380c7cfb896e8ff24e3fe79d", + "zh:795eb175c85279ec51dbe12e4d1afa0860c2c0b22e5d36a8e8869f60a93b7931", + "zh:8afb61a18b17f8ff249cb23e9d3b5d2530944001ef1d56c1d53f41b0890c7ab8", + "zh:911701040395e0e4da4b7252279e7cf1593cdd26f22835e1a9eddbdb9691a1a7", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a46d54a6a5407f569f8178e916af888b2b268f86448c64cad165dc89759c8399", + "zh:c5f71fd5e3519a24fd6af455ef1c26a559cfdde7f626b0afbd2a73bb79f036b1", + "zh:df3b69d6c9b0cdc7e3f90ee08412b22332c32e97ad8ce6ccad528f89f235a7d3", + "zh:e99d6a64c03549d60c2accf792fa04466cfb317f72e895c8f67eff8a02920887", + "zh:eea7a0df8bcb69925c9ce8e15ef403c8bbf16d46c43e8f5607b116531d1bce4a", + "zh:f6a26ce77f7db1d50ce311e32902fd001fb365e5e45e47a9a5cd59d734c89cb6", + ] +} +provider "registry.terraform.io/hashicorp/helm" { + version = "2.5.1" + hashes = [ + "h1:NasRPC0qqlpGqcF3dsSoOFu7uc5hM+zJm+okd8FgrnQ=", + "zh:140b9748f0ad193a20d69e59d672f3c4eda8a56cede56a92f931bd3af020e2e9", + "zh:17ae319466ed6538ad49e011998bb86565fe0e97bc8b9ad7c8dda46a20f90669", + "zh:3a8bd723c21ba70e19f0395ed7096fc8e08bfc23366f1c3f06a9107eb37c572c", + "zh:3aae3b82adbe6dca52f1a1c8cf51575446e6b0f01f1b1f3b30de578c9af4a933", + "zh:3f65221f40148df57d2888e4f31ef3bf430b8c5af41de0db39a2b964e1826d7c", + "zh:650c74c4f46f5eb01df11d8392bdb7ebee3bba59ac0721000a6ad731ff0e61e2", + "zh:930fb8ab4cd6634472dfd6aa3123f109ef5b32cbe6ef7b4695fae6751353e83f", + "zh:ae57cd4b0be4b9ca252bc5d347bc925e35b0ed74d3dcdebf06c11362c1ac3436", + "zh:d15b1732a8602b6726eac22628b2f72f72d98b75b9c6aabceec9fd696fda696a", + 
"zh:d730ede1656bd193e2aea5302acec47c4905fe30b96f550196be4a0ed5f41936", + "zh:f010d4f9d8cd15936be4df12bf256cb2175ca1dedb728bd3a866c03d2ee7591f", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.11.0" + hashes = [ + "h1:pJiAJwZKUaoAJ4x+3ONJkwEVkjrwGROCGFgj7noPO58=", + "zh:143a19dd0ea3b07fc5e3d9231f3c2d01f92894385c98a67327de74c76c715843", + "zh:1fc757d209e09c3cf7848e4274daa32408c07743698fbed10ee52a4a479b62b6", + "zh:22dfebd0685749c51a8f765d51a1090a259778960ac1cd4f32021a325b2b9b72", + "zh:3039b3b76e870cd8fc404cf75a29c66b171c6ba9b6182e131b6ae2ca648ec7c0", + "zh:3af0a15562fcab4b5684b18802e0239371b2b8ff9197ed069ff4827f795a002b", + "zh:50aaf20336d1296a73315adb66f7687f75bd5c6b1f93a894b95c75cc142810ec", + "zh:682064fabff895ec351860b4fe0321290bbbb17c2a410b62c9bea0039400650e", + "zh:70ac914d5830b3371a2679d8f77cc20c419a6e12925145afae6c977c8eb90934", + "zh:710aa02cccf7b0f3fb50880d6d2a7a8b8c9435248666616844ba71f74648cddc", + "zh:88e418118cd5afbdec4984944c7ab36950bf48e8d3e09e090232e55eecfb470b", + "zh:9cef159377bf23fa331f8724fdc6ce27ad39a217a4bae6df3b1ca408fc643da6", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} \ No newline at end of file diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/README.md b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/README.md new file mode 100644 index 000000000..202b20b1c --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/README.md @@ -0,0 +1,2 @@ +# example from: +https://grafana.com/blog/2021/04/13/how-to-send-traces-to-grafana-clouds-tempo-service-with-opentelemetry-collector/ \ No newline at end of file 
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/helm_values.tpl.yaml b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/helm_values.tpl.yaml new file mode 100644 index 000000000..d5977edff --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/helm_values.tpl.yaml 
@@ -0,0 +1,82 @@ +replicaCount: ${replica_count} + +fullnameOverride: ${fullname_override} +namespace: ${namespace} + +deployment: + containers: + - name: ${fullname_override} + image: + repository: ${docker_repository} + tag: ${docker_tag} + pullPolicy: Always + + commands: [ + "all" + ] + + env: + base: + - name: JAEGER_AGENT_HOST + value: "opentelemtry-collector-collector.monitoring.svc" + - name: JAEGER_AGENT_PORT + value: "6831" + perEnv: [] + + ports: + - name: http + protocol: TCP + containerPort: 8080 + servicePort: 8080 + +ingress: + enabled: false + annotations: + kubernetes.io/ingress.class: istio + # kubernetes.io/tls-acme: "true" + paths: + - path: / + pathType: Prefix + servicePort: 8080 + hosts: + - sample-app-2.${domain_name} + tls: + - hosts: + - sample-app-2.${domain_name} + # Istio doc: https://istio.io/latest/docs/ops/integrations/certmanager/#kubernetes-ingress + # If using istio and using the domain-wildcard cert, the cert-manager kind: certificate + # should be created in the istio-system namespace. + secretName: domain-wildcard # This should match the Certificate secretName + ingressClass: + enabled: true + # Docs: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingressclass-scope + spec: + controller: istio.io/ingress-controller + +# +# Istio virtual service +# +istio: + ## + ## https://istio.io/latest/docs/reference/config/networking/virtual-service/ + virtualService: + enabled: true + apiVersion: networking.istio.io/v1alpha3 + gateways: + # /gateway-name + - istio-system/main-gateway + hosts: + - sample-app-2.${domain_name} + ## + ## The definition for the http, tls, tcp, etc. Per the istio virtual service doc + ## This template will just put everything under "protocolDefinition" into the virtualservice + protocolDefinition: + http: + - match: + - uri: + prefix: / + route: + - destination: + port: + number: 8080 + host: ${fullname_override} 
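Review bot: The container image is referenced by a mutable tag — `tag: ${docker_tag}` together with `pullPolicy: Always`, and the accompanying terragrunt.hcl in this commit fills `docker_tag` with `latest` — so every pod restart or node replacement can pull a different, unreviewed image, and the workload is not reproducible from this repository. I'd add a comment above `tag:` such as `# pin to an immutable release tag or @sha256 digest; pullPolicy: Always with a floating tag pulls whatever is current at restart` and have the caller pass a fixed tag. Separately, the value `opentelemtry-collector-collector.monitoring.svc` for `JAEGER_AGENT_HOST` looks misspelled (`opentelemtry`); if the collector Service in `monitoring` is actually named `opentelemetry-collector-collector`, the UDP spans sent to port 6831 will be dropped silently with no error in the app — confirm against the Service name before merging. The values visible here set no container `securityContext` or resource requests/limits; if the `standard-application` chart supports them, a demo app exposed through the Istio gateway should not run with the chart's defaults unverified.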
diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/terragrunt.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/terragrunt.hcl new file mode 100644 index 000000000..a42ccb417 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/300-kubernetes/510-sample-app-opentel-2/terragrunt.hcl 
@@ -0,0 +1,88 @@ +# Include all settings from the root terragrunt.hcl file +include { + path = find_in_parent_folders() +} + +terraform { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/helm/helm_generic?ref=v1.0.9" +} + +dependency "eks" { + config_path = "${get_terragrunt_dir()}/../../200-eks" + + mock_outputs = { + zone_id = "zzzz" + } + mock_outputs_allowed_terraform_commands = ["validate", ] +} + +# Generate a Kubernetes provider configuration for authenticating against the EKS cluster. +generate "k8s_helm" { + path = "k8s_helm_provider.tf" + if_exists = "overwrite_terragrunt" + contents = templatefile( + find_in_parent_folders("provider_k8s_helm_for_eks.template.hcl"), + { + eks_cluster_name = dependency.eks.outputs.cluster_id, + kubergrunt_exec = get_env("KUBERGRUNT_EXEC", "kubergrunt") + }, + ) +} + +# --------------------------------------------------------------------------------------------------------------------- +# Locals are named constants that are reusable within the configuration. 
+# --------------------------------------------------------------------------------------------------------------------- +locals { + # Load common variables shared across all accounts + common_vars = read_terragrunt_config(find_in_parent_folders("common.hcl")) + + # Load region-level variables + region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl")) + + # Load environment-level variables + environment_vars = read_terragrunt_config(find_in_parent_folders("environment.hcl")) + + tags = { + ops_env = local.common_vars.locals.environment_name + ops_managed_by = "terraform" + ops_source_repo = local.common_vars.locals.repository_name + ops_source_repo_path = "${local.common_vars.locals.base_repository_path}/${path_relative_to_include()}" + ops_owners = "devops" + } + + namespace = "510-sample-app-opentel-2" + fullname_override = "jaegertracing-example-app" + replica_count = 1 + docker_repository = "jaegertracing/example-hotrod" + docker_tag = "latest" +} + +# --------------------------------------------------------------------------------------------------------------------- +# MODULE PARAMETERS +# These are the variables we have to pass in to use the module specified in the terragrunt configuration above +# --------------------------------------------------------------------------------------------------------------------- +inputs = { + # this is the helm repo add URL + repository = "https://helm-charts.managedkube.com" + # This is the helm repo add name + official_chart_name = "standard-application" + # This is what you want to name the chart when deploying + user_chart_name = local.fullname_override + # The helm chart version you want to use + helm_version = "1.0.28" + # The namespace you want to install the chart into - it will create the namespace if it doesnt exist + namespace = local.namespace + # The helm chart values file + helm_values = templatefile( + "./helm_values.tpl.yaml", + { + fullname_override = local.fullname_override + namespace = 
local.namespace + replica_count = local.replica_count + docker_repository = local.docker_repository + docker_tag = local.docker_tag + domain_name = local.environment_vars.locals.domain_name + } + ) +} + diff --git a/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/environment.hcl b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/environment.hcl new file mode 100644 index 000000000..63493cfb8 --- /dev/null +++ b/terraform-environments/aws/terragrunt-dev/us-east-1/terragrunt-dev/environment.hcl @@ -0,0 +1,11 @@ +locals { + cluster_name = "terragrunt-dev" + domain_name = "terragrunt-dev.managedkube.com" + vpc = { + availability_zones = ["a", "b", "c"] + cidr = "10.0.0.0/16" + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + } + ingress_class = "istio" +} diff --git a/terraform-modules/README.md b/terraform-modules/README.md new file mode 100644 index 000000000..b0b1c41fb --- /dev/null +++ b/terraform-modules/README.md @@ -0,0 +1,53 @@ +# terraform-modules + +## Terraform Docs + +The readme's in this folder are generated with [Terraform-Docs](https://github.com/terraform-docs/terraform-docs) + +### Install + +``` +brew install terraform-docs +``` + +### Update + +To update the readme just run: + +``` +terraform-docs markdown . > README.md +``` + +## Terratest +Each module has unit testing using Terratest associated with it. + +### Starting a new test +In the modules directory, create a new folder named: `test` + +``` +mkdir test +cd test +``` + +Initilize the folder: +``` +go mod init github.com/ManagedKube/kubernetes-ops +``` + + +Create the Terratest file: + +``` +touch terratest_test.go +code terratest_test.go +``` + +Fill in the test details. There are examples in this repo and the doc is here: https://github.com/gruntwork-io/terratest + +### Running the test + +In the `test` directory run: + +``` +go test -v +``` 
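Review bot: `docker_tag = "latest"` in the `locals` block deploys `jaegertracing/example-hotrod` from a floating tag, so what actually runs is whatever the registry serves at apply time rather than what this commit reviewed; pin it to a specific release tag (or a digest) and leave a comment on the line explaining why it must not float. A second problem is in the `dependency "eks"` block near the top of the hunk: `mock_outputs` only defines `zone_id`, yet the `generate "k8s_helm"` block reads `dependency.eks.outputs.cluster_id`, so `terragrunt validate` (the only command allowed to use mocks) will presumably fail with an unsupported-attribute error when the EKS state is not yet applied — adding `cluster_id = "mock-cluster-id"` to `mock_outputs` and dropping the unused `zone_id` makes the mock match what is consumed.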
diff --git a/terraform-modules/aws/airflow/default_iam_policy.json b/terraform-modules/aws/airflow/default_iam_policy.json new file mode 100644 index 000000000..5b1f9a691 --- /dev/null +++ b/terraform-modules/aws/airflow/default_iam_policy.json 
@@ -0,0 +1,98 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "airflow:PublishMetrics", + "Resource": "arn:aws:airflow:${aws_region}:${aws_account_id}:environment/${airflow_name}" + }, + { + "Effect": "Deny", + "Action": "s3:ListAllMyBuckets", + "Resource": [ + "arn:aws:s3:::${s3_bucket_name}", + "arn:aws:s3:::${s3_bucket_name}/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "arn:aws:s3:::${s3_bucket_name}", + "arn:aws:s3:::${s3_bucket_name}/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${aws_region}:${aws_account_id}:log-group:airflow-${airflow_name}-*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "logs:DescribeLogGroups" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetAccountPublicAccessBlock" + ], + "Resource": [ + "*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${aws_region}:*:airflow-celery-*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey*", + "kms:Encrypt" + ], + "Resource": "arn:aws:kms:${aws_region}:${aws_account_id}:key/*", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "sqs.${aws_region}.amazonaws.com", + "s3.${aws_region}.amazonaws.com" + ] + } + } + } + ] +} diff --git a/terraform-modules/aws/airflow/main.tf b/terraform-modules/aws/airflow/main.tf new file mode 100644 index 000000000..2443dc746 --- /dev/null +++ b/terraform-modules/aws/airflow/main.tf 
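Review bot: The KMS statement at the end of the policy grants `kms:Decrypt`, `kms:Encrypt`, `kms:GenerateDataKey*` and `kms:DescribeKey` on `arn:aws:kms:${aws_region}:${aws_account_id}:key/*`, i.e. every key in the account, gated only by `kms:ViaService` for SQS and S3; any object in any KMS-encrypted bucket in the region becomes readable by this execution role, not just the DAG bucket. Scope the `Resource` to the key the environment actually uses (thread the key ARN into the template alongside `s3_bucket_name`), and keep the wildcard only if the intent is to rely on the AWS-owned key, in which case say so in the module README since JSON has no comments. The `Deny` of `s3:ListAllMyBuckets` with `Resource` set to the bucket ARNs is a no-op as written — that action is evaluated against `*` only, so the deny never matches; either drop the statement or give it `"Resource": "*"`. The `*` resources on `logs:DescribeLogGroups`, `s3:GetAccountPublicAccessBlock` and `cloudwatch:PutMetricData` are acceptable as those actions do not support resource-level scoping.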
@@ -0,0 +1,96 @@ +resource "aws_mwaa_environment" "this" { + name = var.airflow_name + airflow_version = var.airflow_version + environment_class = var.environment_class + max_workers = var.max_workers + min_workers = var.min_workers + source_bucket_arn = var.source_bucket_arn + dag_s3_path = var.dag_s3_path + execution_role_arn = module.iam_assumable_role_admin.iam_role_arn + + logging_configuration { + dag_processing_logs { + enabled = true + log_level = var.dag_processing_log_level + } + + scheduler_logs { + enabled = true + log_level = var.scheduler_log_level + } + + task_logs { + enabled = true + log_level = var.task_log_level + } + + webserver_logs { + enabled = true + log_level = var.webserver_log_level + } + + worker_logs { + enabled = true + log_level = var.worker_log_level + } + } + + network_configuration { + security_group_ids = [aws_security_group.this.id] + subnet_ids = var.subnet_ids + } + + tags = var.tags +} + +data "aws_caller_identity" "current" {} + +module "iam_assumable_role_admin" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "4.14.0" + + create_role = true + role_name = "airflow-${var.airflow_name}" + role_description = "Airflow role" + trusted_role_services = ["airflow.amazonaws.com","airflow-env.amazonaws.com"] + custom_role_policy_arns = [aws_iam_policy.policy.arn] + role_requires_mfa = false + tags = var.tags +} + +resource "aws_iam_policy" "policy" { + name_prefix = "cluster-autoscaler-${var.airflow_name}" + description = "Airflow policy" + policy = templatefile("default_iam_policy.json", { + aws_region = var.aws_region + aws_account_id = data.aws_caller_identity.current.account_id + airflow_name = var.airflow_name + s3_bucket_name = var.source_bucket_name + }) + + tags = var.tags +} + +resource "aws_security_group" "this" { + name = var.airflow_name + description = "Airflow security group" + vpc_id = var.vpc_id + + ingress { + description = "TLS from VPC" + from_port = 0 + to_port = 0 + protocol = 
"-1" + cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } + + tags = var.tags +} diff --git a/terraform-modules/aws/airflow/outputs.tf b/terraform-modules/aws/airflow/outputs.tf new file mode 100644 index 000000000..ed3df61ca --- /dev/null +++ b/terraform-modules/aws/airflow/outputs.tf @@ -0,0 +1,7 @@ +output "arn" { + value = aws_mwaa_environment.this.arn +} + +output "webserver_url" { + value = aws_mwaa_environment.this.webserver_url +} diff --git a/terraform-modules/aws/airflow/variables.tf b/terraform-modules/aws/airflow/variables.tf new file mode 100644 index 000000000..4d37ed563 --- /dev/null +++ b/terraform-modules/aws/airflow/variables.tf 
@@ -0,0 +1,104 @@ +variable "airflow_name" { + type = string + default = "airflow" + description = "Airflow name" +} + +variable "aws_region" { + type = string + default = "us-east-1" + description = "The AWS region" +} + +variable "vpc_id" { + type = string + default = "" + description = "The vpc ID" +} + +variable "subnet_ids" { + type = list(string) + default = [] + description = "(Required) The private subnet IDs in which the environment should be created. MWAA requires two subnets." +} + +variable "airflow_version" { + type = string + default = null + description = "(Optional) Airflow version of your environment, will be set by default to the latest version that MWAA supports." +} + + +variable "environment_class" { + type = string + default = "mw1.small" + description = "(Optional) Environment class for the cluster. Possible options are mw1.small, mw1.medium, mw1.large. Will be set by default to mw1.small. Please check the AWS Pricing for more information about the environment classes." +} + +variable "max_workers" { + type = number + default = 10 + description = "(Optional) The maximum number of workers that can be automatically scaled up. Value need to be between 1 and 25. Will be 10 by default." +} + +variable "min_workers" { + type = number + default = 1 + description = "(Optional) The minimum number of workers that you want to run in your environment. Will be 1 by default." 
+} + + + +variable "source_bucket_arn" { + type = string + default = "s3://foo" + description = "The Dag's S3 bucket arn: arn:aws:s3:::bucketname" +} + +variable "source_bucket_name" { + type = string + default = "foo" + description = "The Dag's S3 bucket name" +} + +variable "dag_s3_path" { + type = string + default = "dags/" + description = "The dag's S3 path" +} + +variable "tags" { + type = any + default = {} + description = "A set of tags to place on the items" +} + +variable "dag_processing_log_level" { + type = string + default = "INFO" + description = "The log level: INFO | WARNING | ERROR | CRITICAL" +} + +variable "scheduler_log_level" { + type = string + default = "INFO" + description = "The log level: INFO | WARNING | ERROR | CRITICAL" +} + +variable "task_log_level" { + type = string + default = "INFO" + description = "The log level: INFO | WARNING | ERROR | CRITICAL" +} + +variable "webserver_log_level" { + type = string + default = "INFO" + description = "The log level: INFO | WARNING | ERROR | CRITICAL" +} + +variable "worker_log_level" { + type = string + default = "INFO" + description = "The log level: INFO | WARNING | ERROR | CRITICAL" +} \ No newline at end of file diff --git a/terraform-modules/aws/athena/main.tf b/terraform-modules/aws/athena/main.tf new file mode 100644 index 000000000..b8312b5b4 --- /dev/null +++ b/terraform-modules/aws/athena/main.tf @@ -0,0 +1,9 @@ +resource "aws_athena_database" "this" { + name = var.name + bucket = var.s3_bucket_name + + encryption_configuration { + encryption_option = var.encryption_option + kms_key = var.kms_key + } +} diff --git a/terraform-modules/aws/athena/outputs.tf b/terraform-modules/aws/athena/outputs.tf new file mode 100644 index 000000000..9231dee3b --- /dev/null +++ b/terraform-modules/aws/athena/outputs.tf @@ -0,0 +1,3 @@ +output "id" { + value = aws_athena_database.this.id +} 
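Review bot: `source_bucket_arn` defaults to `"s3://foo"`, which is an S3 URL rather than the ARN its own description asks for (`arn:aws:s3:::bucketname`), and the placeholder defaults on `vpc_id` (`""`), `subnet_ids` (`[]`) and `source_bucket_name` (`"foo"`) mean a root that forgets to set them passes `plan` and only fails inside AWS at apply time, with the IAM policy already scoped to a bucket named `foo`. These are required inputs, so drop the defaults (a variable with no `default` is required) and add a validation on the ARN shape so the mistake is caught at plan; see the rewritten `source_bucket_arn` below, and apply the same treatment to `vpc_id` and `subnet_ids`. Note the enclosing module's `main.tf` is in a separate hunk; the variables declared here are consumed there.
```hcl
variable "source_bucket_arn" {
  type        = string
  description = "The Dag's S3 bucket arn: arn:aws:s3:::bucketname"

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:s3:::", var.source_bucket_arn))
    error_message = "source_bucket_arn must be an S3 bucket ARN (arn:aws:s3:::bucketname), not an s3:// URL."
  }
}
```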
diff --git a/terraform-modules/aws/athena/variables.tf b/terraform-modules/aws/athena/variables.tf new file mode 100644 index 000000000..07a55c2cc --- /dev/null +++ b/terraform-modules/aws/athena/variables.tf @@ -0,0 +1,23 @@ +variable "name" { + type = string + default = "" + description = "The instance name" +} + +variable "s3_bucket_name" { + type = string + default = "" + description = "The S3 bucket to point Athena to" +} + +variable encryption_option { + type = string + default = "SSE_S3" + description = "Encryption option" +} + +variable "kms_key" { + type = string + default = null + description = "The kms key" +} diff --git a/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/README.md b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/README.md new file mode 100644 index 000000000..5e83d5f22 --- /dev/null +++ b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/README.md 
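Review bot: `variable encryption_option` is the only block in this file whose label is unquoted, and it carries no validation, so a typo such as `SSE-S3` is only rejected by the provider at apply time; quote the label like its siblings and constrain it to the values Athena accepts. Terraform variable validations cannot reference other variables, so the dependency between `SSE_KMS`/`CSE_KMS` and `kms_key` can only be documented here (or enforced with a `precondition` on the resource in `main.tf`, which is in the neighbouring hunk); the description below states it explicitly since the current `"Encryption option"` text says nothing about it.
```hcl
variable "encryption_option" {
  type        = string
  default     = "SSE_S3"
  description = "Encryption for query results: SSE_S3, SSE_KMS or CSE_KMS. The KMS options require kms_key to be set."

  validation {
    condition     = contains(["SSE_S3", "SSE_KMS", "CSE_KMS"], var.encryption_option)
    error_message = "encryption_option must be one of SSE_S3, SSE_KMS or CSE_KMS."
  }
}
```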
@@ -0,0 +1,82 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [cis\_alarms](#module\_cis\_alarms) | cloudposse/cloudtrail-cloudwatch-alarms/aws | 0.14.3 | +| [cloudtrail](#module\_cloudtrail) | cloudposse/cloudtrail/aws | 0.17.0 | +| [cloudtrail\_s3\_bucket](#module\_cloudtrail\_s3\_bucket) | github.com/ManagedKube/terraform-aws-cloudtrail-s3-bucket.git// | 0.24.0 | +| [kms\_cloudtrail](#module\_kms\_cloudtrail) | github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kms/cloudtrail | feat-kms-cloudtrail | +| [kms\_cloudwatch\_log\_group](#module\_kms\_cloudwatch\_log\_group) | github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kms/cloudwatch_log_group | v2.0.37 | +| [metric\_configs](#module\_metric\_configs) | cloudposse/config/yaml | 0.7.0 | +| [this](#module\_this) | cloudposse/label/null | 0.25.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_log_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_role.cloudtrail_cloudwatch_events_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.log_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_log\_bucket\_name](#input\_access\_log\_bucket\_name) | Name of the S3 bucket where s3 access log will be sent to | `string` | `""` | no | +| [acl](#input\_acl) | The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services | `string` | `"log-delivery-write"` | no | +| [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [allow\_ssl\_requests\_only](#input\_allow\_ssl\_requests\_only) | Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests | `bool` | `true` | no | +| [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [cloudtrail\_event\_selector](#input\_cloudtrail\_event\_selector) | This enables the cloudtrail even selector to track all S3 API calls by default: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail. | `list(object({include_management_events = bool, read_write_type = string, data_resource = list(object({type = string, values = list(string)}))}))` |
[
{
"data_resource": [
{
"type": "AWS::S3::Object",
"values": [
"arn:aws:s3"
]
}
],
"include_management_events": true,
"read_write_type": "All"
}
]
| no | +| [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` |
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
| no | +| [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [force\_destroy](#input\_force\_destroy) | (Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable | `bool` | `false` | no | +| [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [is\_multi\_region\_trail](#input\_is\_multi\_region\_trail) | Specifies whether the trail is created in the current region or in all regions | `bool` | `true` | no | +| [kms\_cloudtrail\_deletion\_window\_in\_days](#input\_kms\_cloudtrail\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. (cloudtrail-trails) | `number` | `30` | no | +| [kms\_cloudtrail\_enable](#input\_kms\_cloudtrail\_enable) | It will create for you a standard kms for cloudwatch that will free it from possible vulnerabilities.. (cloudwatch-loggroup) | `bool` | `true` | no | +| [kms\_cloudtrail\_kms\_enable\_key\_rotation](#input\_kms\_cloudtrail\_kms\_enable\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to false. (cloudtrail-trails) | `bool` | `true` | no | +| [kms\_cloudwatch\_loggroup\_deletion\_window\_in\_days](#input\_kms\_cloudwatch\_loggroup\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. (cloudwatch-loggroup) | `number` | `30` | no | +| [kms\_cloudwatch\_loggroup\_enable](#input\_kms\_cloudwatch\_loggroup\_enable) | It will create for you a standard kms for cloudwatch that will free it from possible vulnerabilities. (cloudwatch-loggroup) | `bool` | `true` | no | +| [kms\_cloudwatch\_loggroup\_kms\_enable\_key\_rotation](#input\_kms\_cloudwatch\_loggroup\_kms\_enable\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to false. (cloudwatch-loggroup) | `bool` | `true` | no | +| [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | +| [metrics\_paths](#input\_metrics\_paths) | List of paths to CloudWatch metrics configurations | `list(string)` | n/a | yes | +| [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
+| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
+| [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| [region](#input\_region) | n/a | `string` | n/a | yes |
+| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Set to `false` to disable the restricting of making the bucket public | `bool` | `true` | no |
+| [s3\_object\_ownership](#input\_s3\_object\_ownership) | Specifies the S3 object ownership control. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'. | `string` | `"BucketOwnerPreferred"` | no |
+| [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
+| [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
+| [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
+| [versioning\_enabled](#input\_versioning\_enabled) | A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket | `bool` | `false` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [dashboard\_combined](#output\_dashboard\_combined) | n/a |
+| [dashboard\_individual](#output\_dashboard\_individual) | n/a |
+| [sns\_topic\_arn](#output\_sns\_topic\_arn) | n/a |
diff --git a/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/context.tf b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/context.tf
new file mode 100644
index 000000000..3955ebd47
--- /dev/null
+++ b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/context.tf
@@ -0,0 +1,279 @@
+#
+# ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label
+# All other instances of this file should be a copy of that one
+#
+#
+# Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf
+# and then place it in your Terraform module to automatically get
+# Cloud Posse's standard configuration inputs suitable for passing
+# to Cloud Posse modules.
+#
+# curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf
+#
+# Modules should access the whole context as `module.this.context`
+# to get the input variables with nulls for defaults,
+# for example `context = module.this.context`,
+# and access individual variables as `module.this.`,
+# with final values filled in.
+#
+# For example, when using defaults, `module.this.context.delimiter`
+# will be null, and `module.this.delimiter` will be `-` (hyphen).
+#
+
+module "this" {
+ source = "cloudposse/label/null"
+ version = "0.25.0" # requires Terraform >= 0.13.0
+
+ enabled = var.enabled
+ namespace = var.namespace
+ tenant = var.tenant
+ environment = var.environment
+ stage = var.stage
+ name = var.name
+ delimiter = var.delimiter
+ attributes = var.attributes
+ tags = var.tags
+ additional_tag_map = var.additional_tag_map
+ label_order = var.label_order
+ regex_replace_chars = var.regex_replace_chars
+ id_length_limit = var.id_length_limit
+ label_key_case = var.label_key_case
+ label_value_case = var.label_value_case
+ descriptor_formats = var.descriptor_formats
+ labels_as_tags = var.labels_as_tags
+
+ context = var.context
+}
+
+# Copy contents of cloudposse/terraform-null-label/variables.tf here
+
+variable "context" {
+ type = any
+ default = {
+ enabled = true
+ namespace = null
+ tenant = null
+ environment = null
+ stage = null
+ name = null
+ delimiter = null
+ attributes = []
+ tags = {}
+ additional_tag_map = {}
+ regex_replace_chars = null
+ label_order = []
+ id_length_limit = null
+ label_key_case = null
+ label_value_case = null
+ descriptor_formats = {}
+ # Note: we have to use [] instead of null for unset lists due to
+ # https://github.com/hashicorp/terraform/issues/28137
+ # which was not fixed until Terraform 1.0.0,
+ # but we want the default to be all the labels in `label_order`
+ # and we want users to be able to prevent all tag generation
+ # by setting `labels_as_tags` to `[]`, so we need
+ # a different sentinel to indicate "default"
+ labels_as_tags = ["unset"]
+ }
+ description = <<-EOT
+ Single object for setting entire context at once.
+ See description of individual variables for details.
+ Leave string and numeric variables as `null` to use default value.
+ Individual variable settings (non-null) override settings in context object,
+ except for attributes, tags, and additional_tag_map, which are merged.
+ EOT
+
+ validation {
+ condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"])
+ error_message = "Allowed values: `lower`, `title`, `upper`."
+ }
+
+ validation {
+ condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"])
+ error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
+ }
+}
+
+variable "enabled" {
+ type = bool
+ default = null
+ description = "Set to false to prevent the module from creating any resources"
+}
+
+variable "namespace" {
+ type = string
+ default = null
+ description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
+}
+
+variable "tenant" {
+ type = string
+ default = null
+ description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for"
+}
+
+variable "environment" {
+ type = string
+ default = null
+ description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
+}
+
+variable "stage" {
+ type = string
+ default = null
+ description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'"
+}
+
+variable "name" {
+ type = string
+ default = null
+ description = <<-EOT
+ ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
+ This is the only ID element not also included as a `tag`.
+ The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.
+ EOT
+}
+
+variable "delimiter" {
+ type = string
+ default = null
+ description = <<-EOT
+ Delimiter to be used between ID elements.
+ Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.
+ EOT
+}
+
+variable "attributes" {
+ type = list(string)
+ default = []
+ description = <<-EOT
+ ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
+ in the order they appear in the list. New attributes are appended to the
+ end of the list. The elements of the list are joined by the `delimiter`
+ and treated as a single ID element.
+ EOT
+}
+
+variable "labels_as_tags" {
+ type = set(string)
+ default = ["default"]
+ description = <<-EOT
+ Set of labels (ID elements) to include as tags in the `tags` output.
+ Default is to include all labels.
+ Tags with empty values will not be included in the `tags` output.
+ Set to `[]` to suppress all generated tags.
+ **Notes:**
+ The value of the `name` tag, if included, will be the `id`, not the `name`.
+ Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
+ changed in later chained modules. Attempts to change it will be silently ignored.
+ EOT
+}
+
+variable "tags" {
+ type = map(string)
+ default = {}
+ description = <<-EOT
+ Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
+ Neither the tag keys nor the tag values will be modified by this module.
+ EOT
+}
+
+variable "additional_tag_map" {
+ type = map(string)
+ default = {}
+ description = <<-EOT
+ Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
+ This is for some rare cases where resources want additional configuration of tags
+ and therefore take a list of maps with tag key, value, and additional configuration.
+ EOT
+}
+
+variable "label_order" {
+ type = list(string)
+ default = null
+ description = <<-EOT
+ The order in which the labels (ID elements) appear in the `id`.
+ Defaults to ["namespace", "environment", "stage", "name", "attributes"].
+ You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
+ EOT
+}
+
+variable "regex_replace_chars" {
+ type = string
+ default = null
+ description = <<-EOT
+ Terraform regular expression (regex) string.
+ Characters matching the regex will be removed from the ID elements.
+ If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.
+ EOT
+}
+
+variable "id_length_limit" {
+ type = number
+ default = null
+ description = <<-EOT
+ Limit `id` to this many characters (minimum 6).
+ Set to `0` for unlimited length.
+ Set to `null` for keep the existing setting, which defaults to `0`.
+ Does not affect `id_full`.
+ EOT
+ validation {
+ condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0
+ error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length."
+ }
+}
+
+variable "label_key_case" {
+ type = string
+ default = null
+ description = <<-EOT
+ Controls the letter case of the `tags` keys (label names) for tags generated by this module.
+ Does not affect keys of tags passed in via the `tags` input.
+ Possible values: `lower`, `title`, `upper`.
+ Default value: `title`.
+ EOT
+
+ validation {
+ condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case)
+ error_message = "Allowed values: `lower`, `title`, `upper`."
+ }
+}
+
+variable "label_value_case" {
+ type = string
+ default = null
+ description = <<-EOT
+ Controls the letter case of ID elements (labels) as included in `id`,
+ set as tag values, and output by this module individually.
+ Does not affect values of tags passed in via the `tags` input.
+ Possible values: `lower`, `title`, `upper` and `none` (no transformation).
+ Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
+ Default value: `lower`.
+ EOT
+
+ validation {
+ condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case)
+ error_message = "Allowed values: `lower`, `title`, `upper`, `none`."
+ }
+}
+
+variable "descriptor_formats" {
+ type = any
+ default = {}
+ description = <<-EOT
+ Describe additional descriptors to be output in the `descriptors` output map.
+ Map of maps. Keys are names of descriptors. Values are maps of the form
+ `{
+ format = string
+ labels = list(string)
+ }`
+ (Type is `any` so the map values can later be enhanced to provide additional options.)
+ `format` is a Terraform format string to be passed to the `format()` function.
+ `labels` is a list of labels, in order, to pass to `format()` function.
+ Label values will be normalized before being passed to `format()` so they will be
+ identical to how they appear in `id`.
+ Default is `{}` (`descriptors` output will be empty).
+ EOT
+}
+
+#### End of copy of cloudposse/terraform-null-label/variables.tf
\ No newline at end of file
diff --git a/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf
new file mode 100644
index 000000000..dc550db5a
--- /dev/null
+++ b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/main.tf
@@ -0,0 +1,110 @@
+data "aws_partition" "current" {}
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+module "kms_cloudwatch_log_group" {
+ count = var.kms_cloudwatch_loggroup_enable ? 1 : 0
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kms/cloudwatch_log_group?ref=v2.0.40"
+ log_group_name = element(var.attributes, 0)
+ kms_deletion_window_in_days = var.kms_cloudwatch_loggroup_deletion_window_in_days
+ kms_enable_key_rotation = var.kms_cloudwatch_loggroup_kms_enable_key_rotation
+ tags = var.tags
+}
+
+module "kms_cloudtrail" {
+ count = var.kms_cloudtrail_enable ? 1 : 0
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kms/cloudtrail?ref=v2.0.40"
+ cloudtrail_name = element(var.attributes, 0)
+ kms_deletion_window_in_days = var.kms_cloudtrail_deletion_window_in_days
+ kms_enable_key_rotation = var.kms_cloudtrail_kms_enable_key_rotation
+ tags = var.tags
+}
+
+module "cloudtrail_s3_bucket" {
+ source = "github.com/ManagedKube/terraform-aws-cloudtrail-s3-bucket.git//?ref=0.24.0"
+ #version = "master"
+ force_destroy = var.force_destroy
+ versioning_enabled = var.versioning_enabled
+ access_log_bucket_name = var.access_log_bucket_name
+ allow_ssl_requests_only= var.allow_ssl_requests_only
+ acl = var.acl
+ s3_object_ownership = var.s3_object_ownership
+ sse_algorithm = "aws:kms"
+ context = module.this.context
+}
+
+resource "aws_cloudwatch_log_group" "default" {
+ name = module.this.id
+ tags = module.this.tags
+ retention_in_days = 365
+ #prowler issue: https://github.com/prowler-cloud/prowler/issues/1229
+ kms_key_id = var.kms_cloudwatch_loggroup_enable ? module.kms_cloudwatch_log_group[0].kms_arn : null
+}
+
+data "aws_iam_policy_document" "log_policy" {
+ statement {
+ effect = "Allow"
+ actions = ["logs:CreateLogStream","logs:PutLogEvents"]
+ resources = [
+ "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.default.name}:*:*"
+ ]
+ }
+}
+
+data "aws_iam_policy_document" "assume_policy" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ identifiers = ["cloudtrail.amazonaws.com"]
+ type = "Service"
+ }
+ }
+}
+
+resource "aws_iam_role" "cloudtrail_cloudwatch_events_role" {
+ name = lower(join(module.this.delimiter, [module.this.id, "role"]))
+ assume_role_policy = data.aws_iam_policy_document.assume_policy.json
+ tags = module.this.tags
+}
+
+resource "aws_iam_role_policy" "policy" {
+ name = lower(join(module.this.delimiter, [module.this.id, "policy"]))
+ policy = data.aws_iam_policy_document.log_policy.json
+ role = aws_iam_role.cloudtrail_cloudwatch_events_role.id
+}
+
+module "metric_configs" {
+ source = "cloudposse/config/yaml"
+ version = "0.7.0"
+
+ map_config_local_base_path = path.module
+ map_config_paths = var.metrics_paths
+
+ context = module.this.context
+}
+
+module "cloudtrail" {
+ source = "cloudposse/cloudtrail/aws"
+ version = "0.17.0"
+ enable_log_file_validation = true
+ include_global_service_events = true
+ is_multi_region_trail = var.is_multi_region_trail
+ enable_logging = true
+ s3_bucket_name = module.cloudtrail_s3_bucket.bucket_id
+ # https://github.com/terraform-providers/terraform-provider-aws/issues/14557#issuecomment-671975672
+ cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.default.arn}:*"
+ cloud_watch_logs_role_arn = aws_iam_role.cloudtrail_cloudwatch_events_role.arn
+ event_selector = var.cloudtrail_event_selector
+ kms_key_arn = var.kms_cloudtrail_enable ? module.kms_cloudtrail[0].kms_arn : null
+ context = module.this.context
+}
+
+## This is the module being used
+module "cis_alarms" {
+ source = "cloudposse/cloudtrail-cloudwatch-alarms/aws"
+ version = "0.14.3"
+ log_group_name = aws_cloudwatch_log_group.default.name
+ metrics = module.metric_configs.map_configs
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/outputs.tf b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/outputs.tf
new file mode 100644
index 000000000..1e829941d
--- /dev/null
+++ b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/outputs.tf
@@ -0,0 +1,11 @@
+output "sns_topic_arn" {
+ value = module.cis_alarms.sns_topic_arn
+}
+
+output "dashboard_individual" {
+ value = module.cis_alarms.dashboard_individual
+}
+
+output "dashboard_combined" {
+ value = module.cis_alarms.dashboard_combined
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/variables.tf b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/variables.tf
new file mode 100644
index 000000000..65fd01d34
--- /dev/null
+++ b/terraform-modules/aws/cloudposse/aws-cloudtrail-cloudwatch-alarms/variables.tf
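Review bot: The log-group ARN in `log_policy` hard-codes the `arn:aws:` partition and takes the region from `var.region`, while `data.aws_partition.current` and `data.aws_region.current` are declared at the top of the hunk and never read; in a non-commercial partition, or whenever `var.region` disagrees with the provider's region, the role's policy would not cover the log group CloudTrail actually writes to. Build it from the data sources instead: `"arn:${data.aws_partition.current.partition}:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${aws_cloudwatch_log_group.default.name}:*:*"`. The `assume_policy` trust for `cloudtrail.amazonaws.com` carries no `aws:SourceAccount`/`aws:SourceArn` condition, which is the cross-service confused-deputy case AWS documents for this role; a `condition` block on that statement restricting `aws:SourceAccount` to `data.aws_caller_identity.current.account_id` closes it. With the ARN change `var.region` is no longer used in main.tf, so confirm nothing else reads it before dropping it from variables.tf.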
@@ -0,0 +1,110 @@
+variable "region" {
+ type = string
+}
+
+variable "metrics_paths" {
+ type = list(string)
+ description = "List of paths to CloudWatch metrics configurations"
+}
+
+variable "cloudtrail_event_selector" {
+ type = list(object({include_management_events = bool, read_write_type = string, data_resource = list(object({type = string, values = list(string)}))}))
+
+ description = "This enables the cloudtrail even selector to track all S3 API calls by default: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail."
+ default = [
+ {
+ include_management_events = true
+ read_write_type = "All"
+ data_resource = [{
+ type = "AWS::S3::Object"
+ values = ["arn:aws:s3"]
+ }]
+ }
+ ]
+}
+variable "force_destroy" {
+ type = bool
+ default = false
+ description = "(Optional, Default:false ) A boolean that indicates all objects should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable"
+}
+#Buckets input vars
+
+variable "versioning_enabled" {
+ type = bool
+ description = "A state of versioning. Versioning is a means of keeping multiple variants of an object in the same bucket"
+ default = false
+}
+
+variable "access_log_bucket_name" {
+ type = string
+ default = ""
+ description = "Name of the S3 bucket where s3 access log will be sent to"
+}
+
+variable "allow_ssl_requests_only" {
+ type = bool
+ default = true
+ description = "Set to `true` to require requests to use Secure Socket Layer (HTTPS/SSL). This will explicitly deny access to HTTP requests"
+}
+
+variable "s3_object_ownership" {
+ type = string
+ default = "BucketOwnerPreferred"
+ description = "Specifies the S3 object ownership control. Valid values are `ObjectWriter`, `BucketOwnerPreferred`, and 'BucketOwnerEnforced'."
+}
+
+variable "acl" {
+ type = string
+ description = "The canned ACL to apply. We recommend log-delivery-write for compatibility with AWS services"
+ default = "log-delivery-write"
+}
+
+variable "is_multi_region_trail" {
+ type = bool
+ default = true
+ description = "Specifies whether the trail is created in the current region or in all regions"
+}
+
+variable "restrict_public_buckets" {
+ type = bool
+ default = true
+ description = "Set to `false` to disable the restricting of making the bucket public"
+}
+
+
+#KMS Variables
+variable "kms_cloudwatch_loggroup_enable" {
+ type = bool
+ default = true
+ description = "It will create for you a standard kms for cloudwatch that will free it from possible vulnerabilities. (cloudwatch-loggroup)"
+}
+
+variable "kms_cloudtrail_enable" {
+ type = bool
+ default = true
+ description = "It will create for you a standard kms for cloudwatch that will free it from possible vulnerabilities.. (cloudwatch-loggroup)"
+}
+
+variable "kms_cloudwatch_loggroup_deletion_window_in_days" {
+ type = number
+ default = 30
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. (cloudwatch-loggroup)"
+}
+
+variable "kms_cloudwatch_loggroup_kms_enable_key_rotation" {
+ type = bool
+ default = true
+ description = "Specifies whether key rotation is enabled. Defaults to false. (cloudwatch-loggroup)"
+}
+
+variable "kms_cloudtrail_deletion_window_in_days" {
+ type = number
+ default = 30
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. (cloudtrail-trails)"
+}
+
+variable "kms_cloudtrail_kms_enable_key_rotation" {
+ type = bool
+ default = true
+ description = "Specifies whether key rotation is enabled. Defaults to false. (cloudtrail-trails)"
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/cluster-autoscaler/README.md b/terraform-modules/aws/cluster-autoscaler/README.md
new file mode 100644
index 000000000..c1e839f82
--- /dev/null
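Review bot: `restrict_public_buckets` is declared here and documented as an input in the README, but main.tf never passes it to `module.cloudtrail_s3_bucket`, so setting it has no effect and whether public access is blocked depends entirely on that module's own default; if the bucket module exposes the input, wire it through with `restrict_public_buckets = var.restrict_public_buckets`, otherwise drop the variable. Several descriptions are inaccurate as well: `kms_cloudtrail_enable` is a copy of the log-group text (`... kms for cloudwatch ... (cloudwatch-loggroup)`) and should describe the CloudTrail key, and both `*_kms_enable_key_rotation` variables say `Defaults to false.` while their `default` is `true`. `region` has no `description`; since it only feeds the log-group ARN in main.tf, state there that it must match the provider region.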
+++ b/terraform-modules/aws/cluster-autoscaler/README.md
@@ -0,0 +1,3 @@
+# EKS cluster autoscaler
+
+source: https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/examples/irsa
diff --git a/terraform-modules/aws/cluster-autoscaler/helm_values.yaml.tpl b/terraform-modules/aws/cluster-autoscaler/helm_values.yaml.tpl
new file mode 100644
index 000000000..5eb57c7f8
--- /dev/null
+++ b/terraform-modules/aws/cluster-autoscaler/helm_values.yaml.tpl
@@ -0,0 +1,14 @@
+awsRegion: ${awsRegion}
+
+rbac:
+ create: true
+ serviceAccount:
+ # This value should match local.k8s_service_account_name in locals.tf
+ name: ${serviceAccountName}
+ annotations:
+ # This value should match the ARN of the role created by module.iam_assumable_role_admin in irsa.tf
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/cluster-autoscaler-${clusterName}"
+
+autoDiscovery:
+ clusterName: ${clusterName}
+ enabled: true
diff --git a/terraform-modules/aws/cluster-autoscaler/main.tf b/terraform-modules/aws/cluster-autoscaler/main.tf
new file mode 100644
index 000000000..5c47aa147
--- /dev/null
+++ b/terraform-modules/aws/cluster-autoscaler/main.tf
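Review bot: The `eks.amazonaws.com/role-arn` annotation rebuilds the role ARN by hand from `${awsAccountID}` and `cluster-autoscaler-${clusterName}` with the partition hard-coded to `aws`; it stays correct only as long as main.tf's `role_name` keeps exactly that format, and if either side drifts the IRSA binding silently breaks (the pod gets no AWS credentials) with nothing at plan time to show it. Pass the role ARN output of `module.iam_assumable_role_admin` into the template as a `roleArn` variable and write `eks.amazonaws.com/role-arn: "${roleArn}"`. The two comments referring to `locals.tf` and `irsa.tf` point at files this module does not contain (the values come from variables.tf and main.tf), so reword them to name the actual sources.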
@@ -0,0 +1,87 @@
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = "cluster-autoscaler-${var.cluster_name}"
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_service_account_namespace}:${var.k8s_service_account_name}"]
+}
+
+resource "aws_iam_policy" "cluster_autoscaler" {
+ name_prefix = "cluster-autoscaler-${var.cluster_name}"
+ description = "EKS cluster-autoscaler policy for cluster ${var.eks_cluster_id}"
+ policy = data.aws_iam_policy_document.cluster_autoscaler.json
+}
+
+data "aws_iam_policy_document" "cluster_autoscaler" {
+ statement {
+ sid = "clusterAutoscalerAll"
+ effect = "Allow"
+
+ actions = [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribeTags",
+ "ec2:DescribeLaunchTemplateVersions",
+ ]
+
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "clusterAutoscalerOwn"
+ effect = "Allow"
+
+ actions = [
+ "autoscaling:SetDesiredCapacity",
+ "autoscaling:TerminateInstanceInAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ ]
+
+ resources = ["*"]
+
+ condition {
+ test = "StringEquals"
+ variable = "autoscaling:ResourceTag/kubernetes.io/cluster/${var.eks_cluster_id}"
+ values = ["owned"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
+ values = ["true"]
+ }
+ }
+}
+
+data "aws_caller_identity" "current" {}
+
+#
+# Helm - cluster-autoscaler
+#
+data "template_file" "helm_values" {
+ template = file("${path.module}/helm_values.yaml.tpl")
+ vars = {
+ awsAccountID = data.aws_caller_identity.current.account_id
+ awsRegion = var.aws_region
+ clusterName = var.cluster_name
+ serviceAccountName = var.k8s_service_account_name
+ }
+}
+
+module "cluster-autoscaler" {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
+
+ repository = "https://kubernetes.github.io/autoscaler"
+ official_chart_name = "cluster-autoscaler"
+ user_chart_name = "cluster-autoscaler"
+ helm_version = "9.9.2"
+ namespace = "kube-system"
+ helm_values = data.template_file.helm_values.rendered
+
+ depends_on = [
+ module.iam_assumable_role_admin
+ ]
+}
diff --git a/terraform-modules/aws/cluster-autoscaler/variables.tf b/terraform-modules/aws/cluster-autoscaler/variables.tf
new file mode 100644
index 000000000..1615ad09f
--- /dev/null
+++ b/terraform-modules/aws/cluster-autoscaler/variables.tf
@@ -0,0 +1,36 @@
+variable "aws_region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region"
+}
+
+variable "cluster_name" {
+ type = string
+ default = "cluster"
+ description = "EKS cluster name"
+}
+
+
+variable "eks_cluster_id" {
+ type = string
+ default = ""
+ description = "EKS cluster ID"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
+
+variable "k8s_service_account_namespace" {
+ type = string
+ default = "kube-system"
+ description = "Namespace to place the service account into"
+}
+
+variable "k8s_service_account_name" {
+ type = string
+ default = "cluster-autoscaler-aws-cluster-autoscaler"
+ description = "Service account name"
+}
diff --git a/terraform-modules/aws/data-modules/README.md b/terraform-modules/aws/data-modules/README.md
new file mode 100644
index 000000000..14d7e9f1d
--- /dev/null
+++ b/terraform-modules/aws/data-modules/README.md
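Review bot: The `clusterAutoscalerOwn` statement scopes its write actions by `autoscaling:ResourceTag/kubernetes.io/cluster/${var.eks_cluster_id}`, but variables.tf in this same commit gives `eks_cluster_id` a default of `""`, so a deployment that forgets the value produces a condition on the tag key `kubernetes.io/cluster/` that no ASG carries and the autoscaler can never scale; `eks_cluster_oidc_issuer_url` has the same empty default, which leaves `provider_url` empty. Remove the `default` from both variables, or add a `validation` block that rejects `""`, so the omission fails at plan time instead of at runtime. `data "template_file"` depends on the deprecated hashicorp/template provider; the same rendering is `helm_values = templatefile("${path.module}/helm_values.yaml.tpl", { ... })` with the four keys currently in `vars`, and the data source can go. The policy also takes both `var.cluster_name` (role and policy names) and `var.eks_cluster_id` (description and tag condition) for what appears to be one cluster; if they are meant to be the same value, keep one.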
@@ -0,0 +1,7 @@
+# Data Modules
+
+Data modules are used to fetch Terraform state data from a state store.
+
+Use case:
+* If you have an infra repo containing your EKS cluster and an application repo that contains your Terraform for deployment. You will need the EKS cluste info to be able to deploy into that cluster. If you are using Terragrunt, you wont directly be able to use the "terraform_remote_state" Terraform resource. The way that Terragrunt wants you to do things is to call a module. This would be the module you would call to get the EKS output data so you can use it in other places if it is not in the same source Terragrunt repo that launched the EKS cluster.
+* Problem described here: https://github.com/gruntwork-io/terragrunt/issues/759
diff --git a/terraform-modules/aws/data-modules/eks/main.tf b/terraform-modules/aws/data-modules/eks/main.tf
new file mode 100644
index 000000000..79de239e5
--- /dev/null
+++ b/terraform-modules/aws/data-modules/eks/main.tf
@@ -0,0 +1,16 @@
+variable "backend_organization" {}
+variable "workspace_name" {}
+
+data "terraform_remote_state" "eks" {
+ backend = "remote"
+ config = {
+ organization = var.backend_organization
+ workspaces = {
+ name = var.workspace_name
+ }
+ }
+}
+
+output "all_outputs" {
+ value = data.terraform_remote_state.eks.outputs
+}
diff --git a/terraform-modules/aws/ec2_instance/README.md b/terraform-modules/aws/ec2_instance/README.md
new file mode 100644
index 000000000..241b49f53
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/README.md
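Review bot: `backend_organization` and `workspace_name` are declared as bare `variable "…" {}` with no `type` or `description`, so a wrong value type is accepted silently and the README is the only record of what they mean; give each `type = string` and a one-line `description`. `all_outputs` re-exports every output of the remote workspace, so if that workspace publishes anything sensitive (cluster credentials, tokens) it is copied into this module's plan output and state as well; either expose only the outputs callers need or mark the output `sensitive = true`. The data source is named `eks` while nothing in it is EKS-specific, so a comment stating which workspace it is expected to point at would help the next reader.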
@@ -0,0 +1,55 @@
+# Nodes
+This module creates a node based on the param
+
+It will create:
+* A an EC2 instance
+* attach a security group
+* attach IAM policies to the instance role
+* AMI used
+* subnet it is placed in
+* instance type
+
+# Dependencies
+
+`subnet_id` - the subnet to place this instance in
+`aws_iam_role_policy_attachment_list` - a list of policy arn to attach to this instance
+
+# instance_config var
+This is the main input for the module. This the EC2 instances and it's configuration.
+
+```hcl
+instance_config = {
+ root_installer_device = {
+ instance_type = "m5.4xlarge"
+ delete_on_termination = true,
+ encrypted = true,
+ iops = "",
+ kms_key_id = "",
+ volume_size = 80,
+ volume_type = "gp2",
+ }
+ ebs_block_device = []
+ user_data_inputs = {
+ ebs_block_device_1_is_set = "false"
+ ebs_block_device_1_mount_path = "null"
+ ebs_block_device_2_is_set = "false"
+ ebs_block_device_2_mount_path = "null"
+ }
+ }
+```
+
+# How to run the unit tests
+
+```
+cd test
+go test ./
+```
+
+no cache run
+```
+go test ./ -v -count=1
+```
+
+## How to run the debugger
+
+TBD
diff --git a/terraform-modules/aws/ec2_instance/cloud-init/user-data.yaml.tpl b/terraform-modules/aws/ec2_instance/cloud-init/user-data.yaml.tpl
new file mode 100644
index 000000000..959eb2582
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/cloud-init/user-data.yaml.tpl
@@ -0,0 +1,54 @@
+# #cloud-config
+# # Doc: https://cloudinit.readthedocs.io/en/latest/topics/examples.html
+
+# # Add groups to the system
+# groups:
+# - fspace
+
+# # Add users to the system. Users are added after groups are added.
+# users:
+# - default
+# - name: fsinstaller
+# gecos: fsinstaller
+# shell: /bin/bash
+# primary_group: fspace
+# sudo:
+# - ALL=(ALL:ALL) NOPASSWD:/usr/bin/rpm
+# - ALL=(ALL:ALL) NOPASSWD:/opt/chef/embedded/bin/gem
+# - ALL=(ALL:ALL) NOPASSWD:/usr/bin/chef-client
+# - ALL=(ALL:ALL) NOPASSWD:/usr/bin/pkill
+# - ALL=(ALL:ALL) NOPASSWD:/usr/bin/chef
+# - ALL=(ALL:ALL) NOPASSWD:/opt/chefdk/embedded/bin/gem
+# lock_passwd: false
+# ssh_authorized_keys:
+# - ${user_ssh_public_key}
+# - name: aric
+# gecos: aric
+# shell: /bin/bash
+# primary_group: fspace
+# ssh_authorized_keys:
+# - ${user_ssh_public_key}
+
+
+# # Installs packages
+# packages:
+# - unzip
+
+# # Sets the GOPATH & downloads the demo payload
+# runcmd:
+# - echo "ClientAliveInterval 60" | tee -a /etc/ssh/sshd_config
+# - echo "ClientAliveCountMax 10" | tee -a /etc/ssh/sshd_config
+# - systemctl restart sshd
+# - echo "vm.swappiness=1" | tee -a /etc/sysctl.conf
+# - sudo sysctl -p
+# - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.0.30.zip" -o "/tmp/awscliv2.zip"
+# - unzip /tmp/awscliv2.zip -d /tmp/
+# - /tmp/aws/install
+# - if [[ "${ebs_block_device_1_is_set}" == "true" ]]; then export EBS_DEVICE=$(lsblk | grep -e "nvme1.*" | awk '{print $1}'); mkfs -t ext4 /dev/"$${EBS_DEVICE}"; mkdir -p "${ebs_block_device_1_mount_path}"; mount /dev/"$${EBS_DEVICE[$i]}" ${ebs_block_device_1_mount_path}; echo -e "UUID=$(lsblk -o +uuid /dev/"$${EBS_DEVICE[$i]}" | grep "$${EBS_DEVICE[$i]}" | awk '{print $8}') \t ${ebs_block_device_1_mount_path} \t ext4 \t defaults \t 0 \t 0" >> /etc/fstab; fi
+# - if [[ "${ebs_block_device_2_is_set}" == "true" ]]; then export EBS_DEVICE=$(lsblk | grep -e "nvme2.*" | awk '{print $1}'); mkfs -t ext4 /dev/"$${EBS_DEVICE}"; mkdir -p "${ebs_block_device_2_mount_path}"; mount /dev/"$${EBS_DEVICE[$i]}" ${ebs_block_device_2_mount_path}; echo -e "UUID=$(lsblk -o +uuid /dev/"$${EBS_DEVICE[$i]}" | grep "$${EBS_DEVICE[$i]}" | awk '{print $8}') \t ${ebs_block_device_2_mount_path} \t ext4 \t defaults \t 0 \t 0" >> /etc/fstab; fi
+# write_files:
+# - encoding: gzip
+# content: !!binary |
+# ${sudoers}
+# path: /etc/sudoers.d/99-custom-sudoers
+# permissions: '0440'
diff --git a/terraform-modules/aws/ec2_instance/files/99-custom-sudoers b/terraform-modules/aws/ec2_instance/files/99-custom-sudoers
new file mode 100644
index 000000000..ad58254e5
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/files/99-custom-sudoers
@@ -0,0 +1,334 @@ +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start nginx +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl start zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop monit +aric ALL=(ALL:ALL) 
NOPASSWD:/usr/bin/systemctl stop nginx +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl stop zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable nginx +aric ALL=(ALL:ALL) 
NOPASSWD:/usr/bin/systemctl enable alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl enable zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable nginx +aric ALL=(ALL:ALL) 
NOPASSWD:/usr/bin/systemctl disable alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl disable zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart nginx +aric 
ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl restart zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload 
nginx +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl reload zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status nginx +aric 
ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status monit -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status nginx -l +aric 
ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status alertmanager -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status analytics-controller -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status asyncoutput -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status async-executor -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status batch-controller -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status batch-enigne -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status bi-etl -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status datapoller -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status elasticsearch -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status eventapi -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status filebeat -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status grafana -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status kafka -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status kibana -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status linker -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status logstash -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status management-service -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status mongod -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status postgres -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status prometheus -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status prometheus-collector -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status reports -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status storm-nimbus -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status storm-supervisor -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status telegraf -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status ui-server -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status ui-writer -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/systemctl status zookeeper -l +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u monit 
+aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u nginx +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u alertmanager +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u analytics-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u asyncoutput +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u async-executor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u batch-controller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u batch-engine +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u bi-etl +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u datapoller +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u elasticsearch +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u eventapi +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u filebeat +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u grafana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u kafka +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u kibana +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u linker +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u logstash +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u management-service +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u mongod +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u postgres +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u prometheus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u prometheus-collector +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u reports +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u storm-nimbus +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u storm-supervisor +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u telegraf +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u ui-server +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u ui-writer +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u zookeeper +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u monit -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u nginx -n * +aric ALL=(ALL:ALL) 
NOPASSWD:/usr/bin/journalctl -u alertmanager -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u analytics-controller -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u asyncoutput -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u async-executor -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u batch-controller -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u batch-engine -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u bi-etl -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u datapoller -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u elasticsearch -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u eventapi -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u filebeat -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u grafana -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u kafka -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u kibana -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u linker -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u logstash -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u management-service -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u mongod -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u postgres -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u prometheus -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u prometheus-collector -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u reports -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u storm-nimbus -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u storm-supervisor -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u telegraf -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u ui-server -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u ui-writer -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u zookeeper -n * +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u monit -f +aric ALL=(ALL:ALL) 
NOPASSWD:/usr/bin/journalctl -u nginx -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u alertmanager -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u analytics-controller -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u asyncoutput -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u async-executor -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u batch-controller -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u batch-engine -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u bi-etl -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u datapoller -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u elasticsearch -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u eventapi -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u filebeat -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u grafana -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u kafka -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u kibana -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u linker -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u logstash -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u management-service -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u mongod -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u postgres -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u prometheus -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u prometheus-collector -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u reports -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u storm-nimbus -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u storm-supervisor -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u telegraf -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u ui-server -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u ui-writer -f +aric ALL=(ALL:ALL) NOPASSWD:/usr/bin/journalctl -u zookeeper -f +aric ALL=(ALL:ALL) NOPASSWD:/aric/monit +aric ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/aric +aric 
ALL=(ALL:ALL) NOPASSWD:/aric/diagnostics/aric.sh
+# Sudoers does not support regex
+#aric ALL=(ALL) NOPASSWD:/bin/rm -r /opt/featurespace/aric-install/[^s]*[^s][^h]
\ No newline at end of file
diff --git a/terraform-modules/aws/ec2_instance/main.tf b/terraform-modules/aws/ec2_instance/main.tf
new file mode 100644
index 000000000..fa2ca5c16
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/main.tf
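Review bot: Several entries in this list are inconsistent with each other: `status batch-enigne -l` is a typo for `batch-engine` and will simply be denied, `reload kibana` appears twice while `reload linker` is absent, and `start postgres` is missing although `stop`, `enable`, `disable`, `restart`, `reload` and `status` all include it. The `journalctl -u <unit> -n *` rules are broader than they look, because sudoers matches arguments as one concatenated string and a `*` also matches across word boundaries, so any trailing arguments are admitted; read-only log access is better granted by adding `aric` to the `systemd-journal` group (plain `systemctl status` needs no privilege at all), or at least by tagging those rules `NOEXEC:` and appending `--no-pager`, since `journalctl` and `systemctl status` invoke a pager by default. The last three rules (`/aric/monit`, `/usr/local/bin/aric`, `/aric/diagnostics/aric.sh`) allow arbitrary arguments, so they are root-equivalent if any of those files or their parent directories is writable by `aric`; make sure they are root-owned and not group/world-writable. Generating the file from one `Cmnd_Alias` per verb (e.g. `Cmnd_Alias ARIC_START = /usr/bin/systemctl start monit, /usr/bin/systemctl start nginx, ...`) would make omissions like the ones above visible at a glance.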
@@ -0,0 +1,112 @@
+locals {
+ sudoers = base64gzip(file("${path.module}/files/99-custom-sudoers"))
+
+ # combine user's IAM policy arn list with what is created in this module
+ complete_aws_iam_role_policy_attachment_list = concat(var.aws_iam_role_policy_attachment_list,
+ [
+ "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
+ aws_iam_policy.node_configs.arn,
+ ])
+}
+
+module "ec2_instance" {
+ source = "terraform-aws-modules/ec2-instance/aws"
+ version = "~> 2.0"
+
+ name = var.instance_name
+ instance_count = 1
+
+ ami = var.ami
+ instance_type = var.instance_config.root_installer_device.instance_type
+ key_name = var.key_pair_name != null ? var.key_pair_name: aws_key_pair.this[0].id
+ monitoring = true
+ vpc_security_group_ids = var.security_group_list
+ subnet_id = var.subnet_id
+
+ # instance profile created in this module for each individual node
+ iam_instance_profile = aws_iam_instance_profile.instance_profile.id
+
+ tags = var.tags
+
+ enable_volume_tags = true
+ root_block_device = [
+ {
+ delete_on_termination = var.instance_config.root_installer_device.delete_on_termination
+ encrypted = var.instance_config.root_installer_device.encrypted
+ iops = var.instance_config.root_installer_device.volume_type == "io2" ? 
var.instance_config.root_installer_device.iops : null
+ kms_key_id = var.instance_config.root_installer_device.kms_key_id
+ volume_size = var.instance_config.root_installer_device.volume_size
+ volume_type = var.instance_config.root_installer_device.volume_type
+ },
+ ]
+
+ ebs_block_device = var.instance_config.ebs_block_device
+
+ user_data = templatefile("${path.module}/cloud-init/user-data.yaml.tpl", {
+ sudoers = local.sudoers
+ user_ssh_public_key = var.user_ssh_public_key
+ ebs_block_device_1_is_set = var.instance_config.user_data_inputs.ebs_block_device_1_is_set
+ ebs_block_device_1_mount_path = var.instance_config.user_data_inputs.ebs_block_device_1_mount_path
+ ebs_block_device_2_is_set = var.instance_config.user_data_inputs.ebs_block_device_2_is_set
+ ebs_block_device_2_mount_path = var.instance_config.user_data_inputs.ebs_block_device_2_mount_path
+ })
+
+ depends_on = [
+ aws_iam_instance_profile.instance_profile,
+ ]
+}
+
+resource "aws_key_pair" "this" {
+ count = var.key_pair_name == null ? 
1: 0
+ key_name = var.instance_name
+ public_key = var.user_ssh_public_key
+}
+
+# Instance profile
+resource "aws_iam_instance_profile" "instance_profile" {
+ name = var.instance_name
+ role = aws_iam_role.instance_role.name
+}
+
+# Instance role
+resource "aws_iam_role" "instance_role" {
+
+ name = var.instance_name
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ },
+ ]
+ })
+ description = "A role for the ${var.instance_name} node"
+}
+
+# Attached the list of policies to the instance profile
+resource "aws_iam_role_policy_attachment" "attach_policies" {
+ count = length(concat(local.complete_aws_iam_role_policy_attachment_list))
+ role = aws_iam_role.instance_role.name
+ policy_arn = local.complete_aws_iam_role_policy_attachment_list[count.index]
+}
+
+# Policy for S3 Bucket - allows the node to get read-only access to s3 buckets for the node_config items
+# For the "all" nodes
+resource "aws_iam_policy" "node_configs" {
+ name = "${var.instance_name}-node-configs"
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Action" : ["s3:GetObject", "s3:ListBucket"],
+ "Effect" : "Allow",
+ "Resource" : "arn:aws:s3:::${var.environment_name}-installer/node_configs/*"
+ }
+ ]
+ })
+}
diff --git a/terraform-modules/aws/ec2_instance/outputs.tf b/terraform-modules/aws/ec2_instance/outputs.tf
new file mode 100644
index 000000000..b1aa8a83a
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/outputs.tf
@@ -0,0 +1,3 @@
+output "ec2_id" {
+ value = module.ec2_instance.id
+}
diff --git a/terraform-modules/aws/ec2_instance/test/go.mod b/terraform-modules/aws/ec2_instance/test/go.mod
new file mode 100644
index 000000000..4672cc929
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/test/go.mod
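Review bot: In `aws_iam_policy.node_configs` the `s3:ListBucket` action is evaluated against the bucket ARN, not an object ARN, so with `Resource` set to `arn:aws:s3:::${var.environment_name}-installer/node_configs/*` the list permission never applies and `GetObject` is the only effective grant; add a second statement with `"Resource" : "arn:aws:s3:::${var.environment_name}-installer"` and `"Condition" : { "StringLike" : { "s3:prefix" : ["node_configs/*"] } }` so listing stays scoped to that prefix. `AmazonEC2RoleforSSM` in `locals` is the legacy managed policy that AWS has deprecated in favour of `AmazonSSMManagedInstanceCore`; as far as I recall the old one also carries S3 read/write and CloudWatch Logs permissions on `*`, which would make the carefully scoped `node_configs` policy moot, so the swap is worth making unless something relies on the extra permissions. `length(concat(local.complete_aws_iam_role_policy_attachment_list))` wraps a single list in `concat` for no effect and can be `length(local.complete_aws_iam_role_policy_attachment_list)`. Nothing here sets `metadata_options` (`http_tokens = "required"`), so the instance accepts IMDSv1; if the `~> 2.0` module version in use exposes that input, requiring IMDSv2 is cheap hardening for an instance that carries an instance profile.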
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+ github.com/gruntwork-io/terratest v0.32.24
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/ec2_instance/test/go.sum b/terraform-modules/aws/ec2_instance/test/go.sum
new file mode 100644
index 000000000..f607bb444
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/test/go.sum
@@ -0,0 +1,631 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= 
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go 
v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod 
h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0 
h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.32.24 h1:ihbpYh05VBNPtru2GGN36xTLrLkdMacCyRuvIOs3lsQ= +github.com/gruntwork-io/terratest v0.32.24/go.mod h1:IBb+b5b7p34oZLfpz/ZADyn8TSKeWSBu+vQMmNeePLE= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.9.0 h1:WE7+Wt93W93feOiCligElSyS0tlDzwZUtJuDGIBr8zg= +github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod 
h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod 
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= 
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= 
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
+github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools 
v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf 
v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod 
h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go 
v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod 
h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs=
+modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI=
+sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18=
+sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
diff --git a/terraform-modules/aws/ec2_instance/test/terratest_test.go b/terraform-modules/aws/ec2_instance/test/terratest_test.go
new file mode 100644
index 000000000..92da3402b
--- /dev/null
+++ b/terraform-modules/aws/ec2_instance/test/terratest_test.go
@@ -0,0 +1,213 @@ +package test + +import ( + "math/rand" + "testing" + "time" + + // "github.com/gruntwork-io/terratest/modules/aws" + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Default test +func TestTerraformDefault(t *testing.T) { + t.Parallel() + + // Random string for various dynamic bucket name usage + stringRand := randomString(8) + node0 := "node0-" + stringRand + node1 := "node1-" + stringRand + // The unit test should really create everything it needs. Maybe except for the AMI. + subnet_id := "subnet-0dc93d734674d2651" + security_group := "sg-06f385f8d8a319d59" + key_name := "marqeta-aws-root" + ami := "ami-0b4bc4eb77ae7e66c" + instance_type := "t3.small" + group0Name := "group0-" + stringRand + group1Name := "group1-" + stringRand + userData := `#cloud-config\nwrite_files:\n- encoding: b64\n content: aGVsbG8K\n owner: root:root\n path: /tmp/unit-test-user-data-file.txt\n permissions: '0644'` + + terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ + // The path to where our Terraform code is located + TerraformDir: "../examples/node_list_1", + + // Dynamic Variables that we should pass in addition to varfile.tfvars + // VarFiles: []string{ + // "./test/var1.tfvars", + // }, + + Vars: map[string]interface{}{ + "aws_region": "us-east-1", + "environment_name": "node_list_unit_test_" + stringRand, + "key_pair_name": "node_list_unit_test_" + stringRand, + "user_ssh_public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC641Tabto5333cceSZftvqibRr9OhbP0IPv+gqRo9OdED7shWhA2XuWqQnIok8yv0Wimi+CZ00tVbkZHA27NObDQnX/KZ2ntIuM9VY6Io+K40RbN2UFHwgC8v3PyMPTCiQuriFT9whtAEOY4biqiN6X38G80g6Y3qXXlD/IkZXrOao+0m9aMNrxWhWP1Q5whZoxeeOY0DBGiLgAfIqtV9gAttehWWND41kv8QMi5p1rDjuowM7cG1YbbuwEXDV1tOb99Pz/LFebWE6arPYkM3C2P/kDuQX1EmT6GnN2uIu0FgoNkj7zykqr5YbDKnjwDKk9GpsfWCx8buIu+bYJh9D", + "distinct_group_list": []string{ + group0Name, + group1Name, + }, + "node_list": []interface{}{ + 0: 
map[string]interface{}{ + "instance_name": node0, + "group_name": group0Name, + "ami": ami, + "key_name": key_name, + "subnet_id": subnet_id, + "instance_type": instance_type, + "instance_monitoring": "true", + "root_block_device": map[string]interface{}{ + "delete_on_termination": true, + "encrypted": true, + "iops": 1000, + "kms_key_id": nil, + "volume_size": 11, + "volume_type": "gp2", + }, + "ebs_block_device": []interface{}{ + 0: map[string]interface{}{ + "device_name": "/dev/sdh", + "delete_on_termination": true, + "encrypted": true, + "iops": 1001, + "kms_key_id": nil, + "volume_size": 4, + "volume_type": "io2", + }, + }, + "user_data": userData, + "tags": map[string]interface{}{ + "purpose": "terratest", + "repo": "managedkube-infra", + "repo-path": "terraform-modules/aws/node_list/test", + "node": node0, + }, + }, + 1: map[string]interface{}{ + "instance_name": node1, + "group_name": group1Name, + "ami": ami, + "key_name": key_name, + "subnet_id": subnet_id, + "instance_type": instance_type, + "instance_monitoring": "true", + "root_block_device": map[string]interface{}{ + "delete_on_termination": true, + "encrypted": true, + "iops": 1000, + "kms_key_id": nil, + "volume_size": 12, + "volume_type": "gp2", + }, + "ebs_block_device": []interface{}{ + 0: map[string]interface{}{ + "device_name": "/dev/sdh", + "delete_on_termination": true, + "encrypted": true, + "iops": 1002, + "kms_key_id": nil, + "volume_size": 5, + "volume_type": "io2", + }, + 1: map[string]interface{}{ + "device_name": "/dev/sdi", + "delete_on_termination": true, + "encrypted": true, + // "iops": 1, + "kms_key_id": nil, + "volume_size": 6, + "volume_type": "gp2", + }, + }, + //"upload_files": map[string]interface{}{}, + "user_data": "", + "tags": map[string]interface{}{ + "purpose": "terratest", + "repo": "managedkube-infra", + "repo-path": "terraform-modules/aws/node_list/test", + "node": node1, + }, + }, + 2: map[string]interface{}{ + "instance_name": node0 + "-1", + "group_name": 
group0Name, + "ami": ami, + "key_name": key_name, + "subnet_id": subnet_id, + "instance_type": instance_type, + "instance_monitoring": "true", + "root_block_device": map[string]interface{}{ + "delete_on_termination": true, + "encrypted": true, + "iops": 1000, + "kms_key_id": nil, + "volume_size": 13, + "volume_type": "gp2", + }, + "ebs_block_device": []interface{}{ + // testing to make sure no additional disks is working + // Still need this key here though + }, + // "upload_files": map[string]interface{}{}, + "user_data": "", + "tags": map[string]interface{}{ + "purpose": "terratest", + "repo": "managedkube-infra", + "repo-path": "terraform-modules/aws/node_list/test", + "node": node0 + "-1", + }, + }, + }, + "security_group_id_list": []interface{}{ + 0: security_group, + 1: security_group, + }, + "security_group_name_list": []interface{}{ + 0: group0Name, + 1: group1Name, + }, + }, + + // Disable colors in Terraform commands so its easier to parse stdout/stderr + NoColor: true, + }) + + // At the end of the test, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // This will run `terraform init` and `terraform apply` and fail the test if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run `terraform output` to get the values of output variables + outputEc2IdList := terraform.OutputList(t, terraformOptions, "ec2_id_list") + // outputSecurityGroupRuleModuleSGList := terraform.OutputList(t, terraformOptions, "security_group_id_list") + // outputDatadogPolicyName := terraform.Output(t, terraformOptions, "datadog_policy") + + // awsAccountID := aws.GetAccountId(t) + + // check if node0's name is accurate + // assert.Equal(t, outputSecurityGroupModuleNameList[0], group0Name) + // check if node1's name is accurate + // assert.Equal(t, outputSecurityGroupModuleNameList[1], group1Name) + + numberOfExpected := 1 + assert.Equal(t, numberOfExpected, len(outputEc2IdList)) + // 
assert.Equal(t, "datadog-ec2", outputDatadogPolicyName) + +} + +func randomString(len int) string { + + rand.Seed(time.Now().UTC().UnixNano()) + bytes := make([]byte, len) + + for i := 0; i < len; i++ { + bytes[i] = byte(randInt(97, 122)) + } + + return string(bytes) +} + +func randInt(min int, max int) int { + + return min + rand.Intn(max-min) +} diff --git a/terraform-modules/aws/ec2_instance/variables.tf b/terraform-modules/aws/ec2_instance/variables.tf new file mode 100644 index 000000000..450e5618a --- /dev/null +++ b/terraform-modules/aws/ec2_instance/variables.tf 
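Review bot: The test wires live, account-specific identifiers — `subnet_id`, `security_group`, `ami`, and a key pair named `marqeta-aws-root` — into the instances it launches, and the inline comment already concedes the test should create what it needs; a key pair whose name suggests a shared root credential should not be the one throwaway test instances are reachable with. Since the test already passes a per-run `key_pair_name` and `user_ssh_public_key`, generating a fresh key pair per run and setting `key_name` to that name would keep SSH access scoped to the test itself. `numberOfExpected := 1` is asserted against `ec2_id_list` although three entries are passed in `node_list`; if the example creates one instance per entry this assertion is wrong, and the `repo-path` tag points at `node_list/test` while this file lives under `ec2_instance/test`. Minor: `randomString(len int)` shadows the builtin `len`, and `randInt(97, 122)` can never return `'z'` because `rand.Intn` excludes its bound — `return min + rand.Intn(max-min+1)`.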
@@ -0,0 +1,90 @@
+variable "aws_region" {
+ type = string
+ default = ""
+}
+
+variable "ami" {
+ type = string
+ description = "AMI image"
+}
+
+variable "key_pair_name" {
+ type = string
+ default = null
+ description = "The ec2 key/pair name"
+}
+
+variable "user_ssh_public_key" {
+ type = string
+ description = "The public key for the key pair"
+ default = ""
+}
+
+variable "environment_name" {
+ type = string
+ description = "The full name of the environment"
+}
+
+variable "instance_name" {
+ type = string
+ description = "The instance name"
+}
+
+variable "key_name" {
+ type = string
+ description = "The AWS Key name"
+}
+
+variable "subnet_id" {
+ type = string
+ description = "The subnet ID to place this instance into"
+}
+
+variable "tags" {
+ type = map(any)
+ description = "The set of tags to place on this node and other resources"
+}
+
+variable "node_profile_type" {
+ type = string
+ default = null
+ description = "description"
+}
+
+variable "instance_config" {
+ type = object({
+ root_installer_device = map(any)
+ ebs_block_device = list(any)
+ user_data_inputs = map(any)
+ })
+ default = {
+ root_installer_device = {
+ instance_type = "m5.large"
+ delete_on_termination = true,
+ encrypted = true,
+ iops = "",
+ kms_key_id = "",
+ volume_size = 80,
+ volume_type = "gp2",
+ }
+ ebs_block_device = []
+ user_data_inputs = {
+ ebs_block_device_1_is_set = "false"
+ ebs_block_device_1_mount_path = "null"
+ ebs_block_device_2_is_set = "false"
+ ebs_block_device_2_mount_path = "null"
+ }
+ }
+}
+
+variable "aws_iam_role_policy_attachment_list" {
+ type = list(string)
+ default = []
+ description = "A list of IAM policy ARNs to attached to this node's instance profile"
+}
+
+variable "security_group_list" {
+ type = list(string)
+ default = []
+ description = "The list of security group IDs to apply to this instance"
+}
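Review bot: `node_profile_type` ships with the placeholder `description = "description"`; replace it with what the value actually selects in the module (not visible in this diff), or drop the variable if nothing reads it. The `instance_config` default nests `instance_type = "m5.large"` inside `root_installer_device` next to block-device attributes, and sets `iops = ""` together with `volume_type = "gp2"`, a combination the AWS provider may reject if it is passed through to the root block device as-is — the description should state which of these keys the module consumes, and for which volume types `iops` applies. `encrypted = true` with `kms_key_id = ""` presumably falls back to the AWS-managed EBS key; if a customer-managed key is the intended posture, say so in the description so callers know to set it.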
diff --git a/terraform-modules/aws/eks-efs-csi-driver/README.md b/terraform-modules/aws/eks-efs-csi-driver/README.md
new file mode 100644
index 000000000..3169bda26
--- /dev/null
+++ b/terraform-modules/aws/eks-efs-csi-driver/README.md
@@ -0,0 +1,8 @@
+# EKS EFS CSI Driver
+
+source: https://github.com/kubernetes-sigs/aws-efs-csi-driver
+
+
+Creates:
+* AWS IAM policies for the efs-csi-driver to access EFS
+* Deploys the aws-efs-csi-driver helm chart into an EKS cluster
diff --git a/terraform-modules/aws/eks-efs-csi-driver/efs-policy.json b/terraform-modules/aws/eks-efs-csi-driver/efs-policy.json
new file mode 100644
index 000000000..32ee8d5a3
--- /dev/null
+++ b/terraform-modules/aws/eks-efs-csi-driver/efs-policy.json
@@ -0,0 +1,36 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticfilesystem:DescribeAccessPoints",
+ "elasticfilesystem:DescribeFileSystems"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticfilesystem:CreateAccessPoint"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "aws:RequestTag/efs.csi.aws.com/cluster": "true"
+ }
+ }
+ },
+ {
+ "Effect": "Allow",
+ "Action": "elasticfilesystem:DeleteAccessPoint",
+ "Resource": "*",
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
+ }
+ }
+ }
+ ]
+ }
+
\ No newline at end of file
diff --git a/terraform-modules/aws/eks-efs-csi-driver/helm_values.tpl.yaml b/terraform-modules/aws/eks-efs-csi-driver/helm_values.tpl.yaml
new file mode 100644
index 000000000..ed97d539c
--- /dev/null
+++ b/terraform-modules/aws/eks-efs-csi-driver/helm_values.tpl.yaml
@@ -0,0 +1 @@
+---
diff --git a/terraform-modules/aws/eks-efs-csi-driver/main.tf b/terraform-modules/aws/eks-efs-csi-driver/main.tf
new file mode 100644
index 000000000..5275768e7
--- /dev/null
+++ b/terraform-modules/aws/eks-efs-csi-driver/main.tf
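Review bot: The `CreateAccessPoint` and `DeleteAccessPoint` statements use `"Resource": "*"`, so the controller's role can create and delete access points on every EFS file system in the account; scoping them to the file-system ARNs this cluster is meant to mount (`arn:aws:elasticfilesystem:<region>:<account>:file-system/<fs-id>`) is the least-privilege form, with only the `Describe*` statement left on `*`. `StringLike` on the create statement compares a literal `"true"`, so `StringEquals` (as already used for delete) is the tighter and clearer operator. Depending on the driver release deployed, the upstream example policy also grants `elasticfilesystem:TagResource` under the same resource-tag condition, because the controller tags the access points it creates — confirm against the driver version pinned by the chart. The file also ends without a trailing newline.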
@@ -0,0 +1,47 @@
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = "efs-csi-driver-${var.cluster_name}"
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_service_account_namespace}:${var.k8s_service_account_name}"]
+}
+
+# Policy doc: https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+resource "aws_iam_policy" "cluster_autoscaler" {
+ name_prefix = "efs-csi-driver-${var.cluster_name}"
+ description = "EKS efs-csi-driver policy for cluster ${var.eks_cluster_id}"
+ policy = file("${path.module}/efs-policy.json")
+}
+
+data "aws_caller_identity" "current" {}
+
+#
+# Helm - efs-csi-driver
+#
+# Docs: https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/charts/aws-efs-csi-driver
+data "template_file" "helm_values" {
+ template = file("${path.module}/helm_values.tpl.yaml")
+ vars = {
+ awsAccountID = data.aws_caller_identity.current.account_id
+ awsRegion = var.aws_region
+ clusterName = var.cluster_name
+ serviceAccountName = var.k8s_service_account_name
+ }
+}
+
+module "eks-efs-csi-driver" {
+ source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.9"
+
+ repository = "https://kubernetes-sigs.github.io/aws-efs-csi-driver"
+ official_chart_name = "aws-efs-csi-driver"
+ user_chart_name = "aws-efs-csi-driver"
+ helm_version = "1.2.4"
+ namespace = "kube-system"
+ helm_values = data.template_file.helm_values.rendered
+
+ depends_on = [
+ module.iam_assumable_role_admin
+ ]
+}
diff --git a/terraform-modules/aws/eks-efs-csi-driver/outputs.tf b/terraform-modules/aws/eks-efs-csi-driver/outputs.tf
new file mode 100644
index 000000000..0ff7df1b0
--- /dev/null
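Review bot: Nothing in this hunk hands the IAM role to the chart: `helm_values.tpl.yaml` is a bare `---`, so the `template_file` vars render to nothing, and the role ARN from `module.iam_assumable_role_admin` is never annotated onto the controller service account — without an `eks.amazonaws.com/role-arn` annotation IRSA does not apply and the driver would fall back to whatever credentials the node's instance profile carries. Add `roleArn = module.iam_assumable_role_admin.this_iam_role_arn` (the output name in the 3.x series of that module — confirm) to `vars` and render `eks.amazonaws.com/role-arn: ${roleArn}` as an annotation on the controller service account in the template, under whatever values key chart 1.2.4 uses for it. `aws_iam_policy.cluster_autoscaler` and `module.iam_assumable_role_admin` are copy-paste names for an EFS CSI policy and a narrowly scoped role; `aws_iam_policy.efs_csi_driver` / `module.efs_csi_driver_irsa_role` would stop readers from assuming an admin role or an autoscaler dependency exists. The `helm_generic` module is pulled by git tag (`?ref=v1.0.9`); tags are mutable, so pinning to a commit SHA gives a reproducible, tamper-evident source.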
+++ b/terraform-modules/aws/eks-efs-csi-driver/outputs.tf
@@ -0,0 +1,11 @@
+# output "arn" {
+# value = module.eks-efs-csi-driver.arn
+# }
+
+# output "id" {
+# value = module.eks-efs-csi-driver.id
+# }
+
+# output "dns_name" {
+# value = module.eks-efs-csi-driver.dns_name
+# }
diff --git a/terraform-modules/aws/eks-efs-csi-driver/variables.tf b/terraform-modules/aws/eks-efs-csi-driver/variables.tf
new file mode 100644
index 000000000..b1cfac077
--- /dev/null
+++ b/terraform-modules/aws/eks-efs-csi-driver/variables.tf
@@ -0,0 +1,41 @@
+variable "aws_region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region"
+}
+
+variable "cluster_name" {
+ type = string
+ default = "cluster"
+ description = "EKS cluster name"
+}
+
+
+variable "eks_cluster_id" {
+ type = string
+ default = ""
+ description = "EKS cluster ID"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
+
+variable "k8s_service_account_namespace" {
+ type = string
+ default = "kube-system"
+ description = "Namespace to place the service account into"
+}
+
+variable "k8s_service_account_name" {
+ type = string
+ default = "cluster-autoscaler-aws-cluster-autoscaler"
+ description = "Service account name"
+}
+
+variable "tags" {
+ type = map(any)
+ default = {}
+}
diff --git a/terraform-modules/aws/eks/REAMDE.md b/terraform-modules/aws/eks/REAMDE.md
new file mode 100644
index 000000000..3209bfce6
--- /dev/null
+++ b/terraform-modules/aws/eks/REAMDE.md
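Review bot: `k8s_service_account_name` defaults to `cluster-autoscaler-aws-cluster-autoscaler`, the cluster-autoscaler's service account rather than the EFS CSI controller's; because main.tf places exactly this name in the OIDC trust subject, the default lets the cluster-autoscaler pod in `kube-system` assume the EFS role while the EFS controller cannot. Default it to the chart's controller service-account name (upstream uses `efs-csi-controller-sa` — confirm for chart 1.2.4) or remove the default so callers must set it explicitly. `eks_cluster_oidc_issuer_url` defaulting to `""` yields an empty `provider_url` and a silently broken trust policy; a required variable with no default fails fast at plan time instead. The `k8s_service_account_namespace` description says the service account is placed there, but this module creates no service account — it only names the one the chart is expected to create, and the description should say so.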
@@ -0,0 +1,33 @@
+# eks
+
+Builds and EKS cluster using this module: https://github.com/terraform-aws-modules/terraform-aws-eks
+
+## Post cluster creation
+
+list clusters
+```
+aws eks --region us-east-1 list-clusters
+```
+
+Get kubeconfig
+```
+aws eks --region us-east-1 update-kubeconfig --name eks-dev
+```
+
+## aws-auth config map
+Due to the changes in how the AWS EKS module works, the module is not applying the aws-auth's configmap anymore. This means we have to apply it.
+
+
+If using Github Actions to run this module, you will have to download `kubectl` into the pipeline.
+```
+ - name: 'Download kubectl'
+ run: |
+ curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+ chmod 755 kubectl
+ cp kubectl ${{ github.workspace }}/tmp_bin/kubectl
+```
+
+Then set this input parameter:
+```
+kubectl_binary = "/github/workspace/kubectl"
+```
diff --git a/terraform-modules/aws/eks/main.tf b/terraform-modules/aws/eks/main.tf
new file mode 100644
index 000000000..5339e9c1e
--- /dev/null
+++ b/terraform-modules/aws/eks/main.tf
@@ -0,0 +1,84 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.37.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = ">= 2.1.0"
+ }
+ }
+}
+
+data "aws_eks_cluster" "cluster" {
+ name = module.eks.cluster_id
+}
+
+data "aws_eks_cluster_auth" "cluster" {
+ name = module.eks.cluster_id
+}
+
+provider "kubernetes" {
+ host = data.aws_eks_cluster.cluster.endpoint
+ cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
+ token = data.aws_eks_cluster_auth.cluster.token
+}
+
+resource "aws_kms_key" "eks" {
+ description = "EKS Secret Encryption Key"
+ enable_key_rotation = var.cluster_kms_enable_rotation
+ tags = var.tags
+}
+
+
+module "kms_cloudwatch_log_group" {
+ source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kms/cloudwatch_log_group?ref=v2.0.37"
+ log_group_name = "/aws/eks/${var.cluster_name}/cluster"
+ tags = var.tags
+}
+
+
+module "eks" {
+ source = "terraform-aws-modules/eks/aws"
+ version = "18.23.0"
+ cluster_name = var.cluster_name
+ cluster_version = var.cluster_version
+ enable_irsa = var.enable_irsa
+ tags = var.tags
+
+ # vpc_id = data.terraform_remote_state.vpc.outputs.vpc_id
+ vpc_id = var.vpc_id
+
+ # Using a conditional for backwards compatibility for those who started out only
+ # using the private_subnets for the input variable. The new k8s_subnets is new
+ # and makes the subnet id input var name more generic to where the k8s worker nodes goes
+ subnet_ids = length(var.private_subnets) > 0 ? var.private_subnets : var.k8s_subnets
+
+ cluster_endpoint_public_access = var.cluster_endpoint_public_access
+ cluster_endpoint_public_access_cidrs = var.cluster_endpoint_public_access_cidrs
+
+ cluster_endpoint_private_access = var.cluster_endpoint_private_access
+
+ cluster_encryption_config = [{
+ provider_key_arn = aws_kms_key.eks.arn
+ resources = ["secrets"]
+ }]
+
+ cloudwatch_log_group_kms_key_id = module.kms_cloudwatch_log_group.kms_arn
+ cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
+ cluster_enabled_log_types = var.cluster_enabled_log_types
+
+ eks_managed_node_groups = var.eks_managed_node_groups
+
+ node_security_group_additional_rules = var.node_security_group_additional_rules
+
+ # aws-auth configmap
+ manage_aws_auth_configmap = true
+
+ aws_auth_roles = var.aws_auth_roles
+
+ aws_auth_users = var.aws_auth_users
+
+ aws_auth_accounts = var.aws_auth_accounts
+}
diff --git a/terraform-modules/aws/eks/outputs.tf b/terraform-modules/aws/eks/outputs.tf
new file mode 100644
index 000000000..0bec0830c
--- /dev/null
+++ b/terraform-modules/aws/eks/outputs.tf
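Review bot: `resource "aws_kms_key" "eks"` sets no `policy`, so the secrets-encryption key gets the AWS default key policy, which delegates all access decisions to IAM policies in the account; for a key that protects Kubernetes secrets, an explicit key policy restricting `kms:Encrypt`/`kms:Decrypt`/`kms:GenerateDataKey*` to the cluster's IAM role plus designated administrators is the least-privilege form (build it without referencing `module.eks` outputs, or the key and the module form a cycle). Endpoint exposure is delegated to `var.cluster_endpoint_public_access` and `var.cluster_endpoint_public_access_cidrs`, whose defaults are not in this diff — if they are `true` and `0.0.0.0/0`, the API server is internet-reachable by default, so please confirm the defaults in variables.tf and record the intended posture in a comment next to these two lines. Defining `provider "kubernetes"` inside a reusable module (this file lives under `terraform-modules/`) blocks callers from using `count`, `for_each` or `depends_on` on the module and is discouraged by Terraform; at minimum a comment such as `# NOTE: provider configured in-module so aws-auth can be managed right after cluster creation; callers cannot use count/for_each on this module` would warn the next maintainer.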
@@ -0,0 +1,54 @@
+output "cluster_endpoint" {
+ description = "Endpoint for EKS control plane."
+ value = module.eks.cluster_endpoint
+}
+
+output "cluster_platform_version" {
+ value = module.eks.cluster_platform_version
+}
+
+output "cluster_certificate_authority_data" {
+ value = module.eks.cluster_certificate_authority_data
+}
+
+output "cluster_id" {
+ value = module.eks.cluster_id
+}
+
+output "cluster_oidc_issuer_url" {
+ value = module.eks.cluster_oidc_issuer_url
+}
+
+output "cluster_primary_security_group_id" {
+ value = module.eks.cluster_primary_security_group_id
+}
+
+output "cluster_security_group_id" {
+ value = module.eks.cluster_security_group_id
+}
+
+output "node_security_group_id" {
+ value = module.eks.node_security_group_id
+}
+
+output "cluster_iam_role_arn" {
+ value = module.eks.cluster_iam_role_arn
+}
+
+output "oidc_provider_arn" {
+ value = module.eks.oidc_provider_arn
+}
+
+output "cluster_arn" {
+ value = module.eks.cluster_arn
+}
+
+output "eks_managed_node_groups_arns" {
+ value = [
+ for item in module.eks.eks_managed_node_groups:
+ {
+ rolearn = item.iam_role_arn
+ }
+ ]
+}
+
diff --git a/terraform-modules/aws/eks/test/go.mod b/terraform-modules/aws/eks/test/go.mod
new file mode 100644
index 000000000..4672cc929
--- /dev/null
+++ b/terraform-modules/aws/eks/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+ github.com/gruntwork-io/terratest v0.32.24
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/eks/test/go.sum b/terraform-modules/aws/eks/test/go.sum
new file mode 100644
index 000000000..df390bcb1
--- /dev/null
+++ b/terraform-modules/aws/eks/test/go.sum
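Review bot: Only `cluster_endpoint` carries a `description`; the other eleven outputs, including the security-relevant `cluster_security_group_id`, `node_security_group_id`, `cluster_iam_role_arn` and `oidc_provider_arn`, have none, so `terraform-docs` and callers get no hint of what each is for or how it is meant to be consumed. Add a one-line `description` to each, e.g. `description = "ARN of the cluster's OIDC provider, used to build IRSA trust policies"` on `oidc_provider_arn` and `description = "IAM role ARNs of the managed node groups, shaped as {rolearn = ...} for aws_auth_roles entries"` on `eks_managed_node_groups_arns`.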
@@ -0,0 +1,617 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod 
h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit 
v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod 
h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf 
v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod 
h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.32.24 h1:ihbpYh05VBNPtru2GGN36xTLrLkdMacCyRuvIOs3lsQ= +github.com/gruntwork-io/terratest v0.32.24/go.mod h1:IBb+b5b7p34oZLfpz/ZADyn8TSKeWSBu+vQMmNeePLE= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.9.0 h1:WE7+Wt93W93feOiCligElSyS0tlDzwZUtJuDGIBr8zg= +github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go 
v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod 
h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= 
+github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft 
v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= 
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod 
h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto 
v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint 
v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 
h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools 
v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod 
h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod 
h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod 
h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= 
+k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/terraform-modules/aws/eks/test/terratest_test.go b/terraform-modules/aws/eks/test/terratest_test.go new file mode 100644 index 000000000..b80481c5e --- /dev/null +++ b/terraform-modules/aws/eks/test/terratest_test.go 
@@ -0,0 +1,77 @@
+package test
+
+import (
+ "math/rand"
+ "testing"
+ "time"
+
+ // "github.com/gruntwork-io/terratest/modules/aws"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Default test
+func TestTerraformDefault(t *testing.T) {
+ t.Parallel()
+
+ // Random string for various dynamic bucket name usage
+ stringRand := randomString(8)
+
+ terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+ // The path to where our Terraform code is located
+ TerraformDir: "../",
+
+ // Dynamic Variables that we should pass in addition to varfile.tfvars
+ Vars: map[string]interface{}{
+ "aws_region": "us-east-1",
+ "environment_name": "unittest_aws_vpc_" + stringRand,
+ "vpc_cidr": "10.0.0.0/16",
+ "enable_nat_gateway": false,
+ "enable_vpn_gateway": false,
+ "tags": `{
+ ops_env = "unit-test"
+ ops_managed_by = "terraform",
+ ops_source_repo = "kubernetes-ops",
+ ops_source_repo_path = "terraform-module/aws/vpc",
+ ops_owners = "devops"
+ }`,
+ },
+
+ // Disable colors in Terraform commands so its easier to parse stdout/stderr
+ NoColor: true,
+ })
+
+ // At the end of the test, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run `terraform output` to get the values of output variables
+ actualVPCId := terraform.Output(t, terraformOptions, "vpc_id")
+ // actualPrivateSubnets := terraform.Output(t, terraformOptions, "private_subnets")
+
+ // awsAccountID := aws.GetAccountId(t)
+
+ // assert.Equal(t, "unittest_aws_iam_policy_"+stringRand, actualPolicyName)
+ // assert.Equal(t, "arn:aws:iam::"+awsAccountID+":policy/unittest_aws_iam_policy_"+stringRand, actualPolicyArn)
+ assert.Equal(t, "vpc-", actualVPCId[0:4])
+ // assert.Equal(t, 3, len(actualPrivateSubnets))
+}
+
+func 
randomString(len int) string {
+
+ rand.Seed(time.Now().UTC().UnixNano())
+ bytes := make([]byte, len)
+
+ for i := 0; i < len; i++ {
+ bytes[i] = byte(randInt(97, 122))
+ }
+
+ return string(bytes)
+}
+
+func randInt(min int, max int) int {
+
+ return min + rand.Intn(max-min)
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/eks/variables.tf b/terraform-modules/aws/eks/variables.tf
new file mode 100644
index 000000000..6c45855dd
--- /dev/null
+++ b/terraform-modules/aws/eks/variables.tf
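Review bot: The values passed in `Vars` — `environment_name`, `vpc_cidr`, `enable_nat_gateway`, `enable_vpn_gateway` — are not declared by the EKS module this test points at (`TerraformDir: "../"`; its variables.tf in this same diff declares `aws_region`, `tags`, `vpc_id`, `k8s_subnets`, `cluster_name`, …), and Terraform errors on `-var` values for variables the root module does not declare, so `InitAndApply` fails before any assertion runs; the `vpc_id` output read afterwards is also unlikely to exist on an EKS module (its outputs.tf is not in this diff). The body reads as a copy of the VPC module test; it should pass `cluster_name`, `vpc_id` and `k8s_subnets` and assert on an output the module actually exports — and note that once it does apply, it provisions a cluster with the module's defaults, including the public API endpoint, so the test needs its own restrictive values. Two smaller issues in the helpers: `rand.Intn(max-min)` is half-open, so `randInt(97, 122)` never yields `'z'`, and the parameter name `len` shadows the builtin; `return min + rand.Intn(max-min+1)` and renaming the parameter to `n` fix both.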
@@ -0,0 +1,246 @@
+variable "aws_region" {
+ default = "us-east-1"
+}
+variable "tags" {
+ type = map(any)
+}
+variable "vpc_id" {
+ default = ""
+}
+variable "private_subnets" {
+ type = list(any)
+ default = []
+}
+variable "public_subnets" {
+ type = list(any)
+ default = []
+}
+
+variable "k8s_subnets" {
+ type = list(any)
+ default = []
+ description = "Subnet IDs to place the EKS nodes into"
+}
+
+variable "cluster_name" {
+ default = "test-cluster"
+}
+
+variable "cluster_version" {
+ default = "1.21"
+}
+
+variable "enable_irsa" {
+ type = bool
+ default = true
+ description = "enable_irsa"
+}
+
+variable "cluster_endpoint_public_access" {
+ type = bool
+ default = true
+ description = "Enable or disable Kube API public access"
+}
+
+variable "cluster_endpoint_public_access_cidrs" {
+ type = list(any)
+ default = [
+ "0.0.0.0/0"
+ ]
+ description = "Kube API public endpoint allow access cidrs"
+}
+
+variable "aws_auth_roles" {
+ type = list(any)
+ default = [
+ {
+ rolearn = "arn:aws:iam::66666666666:role/role1"
+ username = "role1"
+ groups = ["system:masters"]
+ },
+ ]
+ description = "A list of roles to give permission to access this cluster"
+}
+
+variable "aws_auth_users" {
+ type = list(any)
+ default = [
+ {
+ userarn = "arn:aws:iam::66666666666:user/user1"
+ username = "user1"
+ groups = ["system:masters"]
+ },
+ {
+ userarn = "arn:aws:iam::66666666666:user/user2"
+ username = "user2"
+ groups = ["system:masters"]
+ },
+ ]
+ description = "A list of users to give permission to access this cluster"
+}
+
+variable "aws_auth_accounts" {
+ description = "Additional AWS account numbers to add to the aws-auth configmap." 
+ type = list(string)
+ default = []
+}
+
+variable "eks_managed_node_groups" {
+ description = "Map of EKS managed node group definitions to create"
+ type = any
+ default = {
+ ng1 = {
+ create_launch_template = false
+ launch_template_name = ""
+
+ # Doc: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_node_group
+ # (Optional) Force version update if existing pods are unable to be drained due to a pod disruption budget issue.
+ force_update_version = true
+
+ # doc: https://docs.aws.amazon.com/eks/latest/userguide/launch-templates.html#launch-template-custom-ami
+ # doc: https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami-bottlerocket.html
+ ami_type = "BOTTLEROCKET_x86_64"
+ platform = "bottlerocket"
+ version = "1.21"
+
+ disk_size = 20
+ desired_size = 1
+ max_size = 1
+ min_size = 1
+ instance_types = ["t2.small"]
+ additional_tags = {
+ Name = "foo",
+ }
+ k8s_labels = {}
+ }
+ }
+}
+
+variable "cluster_enabled_log_types" {
+ type = list(string)
+ default = [
+ "api",
+ "audit",
+ "authenticator",
+ "controllerManager",
+ "scheduler"
+ ]
+ description = "The Kubernetes log types to enable"
+}
+
+variable "cloudwatch_log_group_retention_in_days" {
+ type = number
+ default = 365
+ description = "Log retention in days"
+}
+
+variable "cluster_endpoint_private_access" {
+ type = bool
+ default = false
+ description = "Enable or disable Kube API private access"
+}
+
+variable "cluster_security_group_additional_rules" {
+ description = "List of additional security group rules to add to the cluster security group created"
+ type = any
+ default = {}
+}
+
+variable "kubectl_binary" {
+ description = "The path the the kubectl binary. Used for applying the aws-auth configmap"
+ type = string
+ default = "kubectl"
+ # This could be a path. 
If running from Github Actions, you can download kubectl to: /github/workspace/kubectl and set this parameter to that location
+}
+
+# Source on config params: https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/node_groups.tf#L166-L186
+variable "node_security_group_additional_rules" {
+ type = any
+ description = "Additional security groups to add to the node_group"
+ default = {
+ allow_all_internal_ranges = {
+ description = "Allow all inbound range from internal addresses"
+ protocol = "all"
+ from_port = 0
+ to_port = 65535
+ type = "ingress"
+ cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"]
+ }
+ ingress_self_all = {
+ description = "Node to node all ports/protocols"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ type = "ingress"
+ self = true
+ }
+ egress_all = {
+ description = "Node all egress"
+ protocol = "-1"
+ from_port = 0
+ to_port = 0
+ type = "egress"
+ cidr_blocks = ["0.0.0.0/0"]
+ ipv6_cidr_blocks = ["::/0"]
+ }
+ # This is a blanket rule that allows the EKS to reach any of the nodes on any port
+ # The reason for the blanket rule is to allow the various webhook validation that
+ # happens when a service like istio, nginx-ingress, prometheus has CRDs and the
+ # Kubernetes API on submit wants to go to those controllers to validate that the
+ # CRD is valid. Since each service sets it's own port and register that with the
+ # Kubernetes API on where the validation webhook is, it is hard to pick out only
+ # those ports that you want. However, you can if you want these rules to be very
+ # restrictive. The below examples starts to show how you can selectively allow
+ # the ports and source/destination that Istio wants to use.
+ inbound_from_eks_api = {
+ description = "Inbound from the EKS API to all EKS nodes"
+ protocol = "tcp"
+ from_port = 0
+ to_port = 65535
+ type = "ingress"
+ # This denotes that it should put the cluster's SG group ID as the source. 
This
+ # would include the EKS API as the source
+ source_cluster_security_group = true
+ }
+ #
+ # The alternative is to start adding specific rules for each item. It became a little too
+ # much to add even for just one service such as istio. Then you will have to start adding
+ # rules for nginx-ingress webhook validation, prometheus, etc.
+ #
+ # istio_webhook = {
+ # description = "Allow EKS API to reach Istio for CRD validation"
+ # protocol = "tcp"
+ # from_port = 15017
+ # to_port = 15017
+ # type = "ingress"
+ # # This denotes that it should put the cluster's SG group ID as the source. This
+ # # would include the EKS API as the source
+ # source_cluster_security_group = true
+ # }
+ # istio_workload_cert_request = {
+ # description = "Allow inbound to istiod for envoy to request a workload identity (cert)"
+ # protocol = "tcp"
+ # from_port = 15012
+ # to_port = 15012
+ # type = "ingress"
+ # # cidr_blocks = ["172.16.0.0/12"]
+ # # 'self' denotes that the source is the node group's SG ID
+ # self = true
+ # }
+ # istio_envoy_healthchecks = {
+ # description = "Allow inbound to istio envoy healthcheck port"
+ # protocol = "tcp"
+ # from_port = 15021
+ # to_port = 15021
+ # type = "ingress"
+ # source_cluster_security_group = true
+ # }
+ }
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation
+variable "cluster_kms_enable_rotation" {
+ type = bool
+ default = true
+ description = "(Optional) Specifies whether key rotation is enabled. Defaults to true."
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/emr/security_configuration/main.tf b/terraform-modules/aws/emr/security_configuration/main.tf
new file mode 100644
index 000000000..3e89835ac
--- /dev/null
+++ b/terraform-modules/aws/emr/security_configuration/main.tf
@@ -0,0 +1,5 @@
+resource "aws_emr_security_configuration" "this" {
+ name = var.name
+
+ configuration = var.configuration
+}
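Review bot: The defaults for `aws_auth_roles` and `aws_auth_users` map placeholder principals (`arn:aws:iam::66666666666:role/role1`, `user1`, `user2`) to `system:masters`, so applying the module without overriding them writes cluster-admin grants for foreign ARNs into aws-auth; an access list that is only safe once the caller overrides it should default to empty, `default = []` for both, with the sample entries moved into the description or a README. The 11-digit account id is not a valid AWS account id, which hides the problem rather than preventing it. In the same spirit, `cluster_endpoint_public_access = true` with `cluster_endpoint_public_access_cidrs = ["0.0.0.0/0"]` and `cluster_endpoint_private_access = false` exposes the Kubernetes API to the whole internet by default; defaulting private access to `true` and the public CIDR list to `[]` keeps the cluster reachable from inside the VPC while making public exposure a deliberate choice. The `allow_all_internal_ranges` node rule (all protocols, all ports, from every RFC 1918 range plus 100.64.0.0/10) also deserves either a comment explaining why it must be wider than `ingress_self_all` plus `inbound_from_eks_api`, or a default narrowed to the VPC CIDR.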
diff --git a/terraform-modules/aws/emr/security_configuration/outputs.tf b/terraform-modules/aws/emr/security_configuration/outputs.tf new file mode 100644 index 000000000..9a41a8cc0 --- /dev/null +++ b/terraform-modules/aws/emr/security_configuration/outputs.tf @@ -0,0 +1,7 @@ +output "id" { + value = aws_emr_security_configuration.this.id +} + +output "name" { + value = aws_emr_security_configuration.this.name +} diff --git a/terraform-modules/aws/emr/security_configuration/variables.tf b/terraform-modules/aws/emr/security_configuration/variables.tf new file mode 100644 index 000000000..22ca6f069 --- /dev/null +++ b/terraform-modules/aws/emr/security_configuration/variables.tf 
@@ -0,0 +1,23 @@ +variable "name" { + type = string + default = "security_config" + description = "The name of the security configuration" +} + +variable "configuration" { + type = string + default = < +``` + +You can then place the secret into AWS Secrets and use the `../../external-secrets` module to +sync the secret for this CR to use. By going this route (which is way more work), you don't +have to commit the secret into git. + +## How to test an alert +Once you have your alert config(s) in place, the following shows you, how you can send a test alert to the Alert Manager to see if it sends it off to your desired destination(s). + +We are going to mimick how Prometheus sends an alert to the Alert Manager + +Port forward to the Alert Manager: +``` +kubectl -n monitoring port-forward svc/kube-prometheus-stack-alertmanager 9093 +``` + + + +``` +curl -si -X POST -H "Content-Type: application/json" "http://localhost:9093/api/v1/alerts" -d ' +[ + { + "labels": { + "alertname": "TestAlert", + "instance": "localhost:8080", + "job": "node", + "severity": "critical", + "namespace": "foobar" + }, + "annotations": { + "summary": "Test alert" + }, + "generatorURL": "http://localhost:9090/graph" + } +]' +``` + +This will send an alert with the labels `severity=critical`. Depending on what you want to trigger, you can adjust the items in the alert. diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/main.tf b/terraform-modules/aws/helm/kube-prometheus-stack/main.tf new file mode 100644 index 000000000..21c20d738 --- /dev/null +++ b/terraform-modules/aws/helm/kube-prometheus-stack/main.tf @@ -0,0 +1,15 @@ +resource "helm_release" "helm_chart" { + chart = "kube-prometheus-stack" + namespace = var.namespace + create_namespace = "true" + name = var.chart_name + version = var.helm_version + verify = var.verify + repository = "https://prometheus-community.github.io/helm-charts" + + values = [ + file("${path.module}/values.yaml"), + var.helm_values, + ] + +} 
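Review bot: `create_namespace = "true"` is a string where the `helm_release` attribute is a bool; Terraform converts it, but `create_namespace = true` is the idiomatic form and matches how `verify = var.verify` is typed in the same block. The release pins `version = var.helm_version` but `verify` defaults to `false`, so the chart is pulled from the public repository with no provenance check; if the prometheus-community index publishes `.prov` files for this chart, defaulting `verify` to `true` is cheap, and if it does not, a one-line comment on `verify` saying why it is off would stop the next reader from treating it as an oversight.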
diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/outputs.tf b/terraform-modules/aws/helm/kube-prometheus-stack/outputs.tf new file mode 100644 index 000000000..bea8e491b --- /dev/null +++ b/terraform-modules/aws/helm/kube-prometheus-stack/outputs.tf @@ -0,0 +1,7 @@ +output chart { + value = helm_release.helm_chart.chart +} + +output status { + value = helm_release.helm_chart.status +} diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/values.yaml b/terraform-modules/aws/helm/kube-prometheus-stack/values.yaml new file mode 100644 index 000000000..6d67ea9bd --- /dev/null +++ b/terraform-modules/aws/helm/kube-prometheus-stack/values.yaml 
@@ -0,0 +1,203 @@ +--- +namespaceOverride: monitoring + +# prometheus: +# prometheusSpec: +# storageSpec: +# volumeClaimTemplate: +# spec: +# # storageClassName: gluster +# accessModes: ["ReadWriteOnce"] +# resources: +# requests: +# storage: 25Gi +# additionalScrapeConfigs: +# # Istio scrap endpoints +# # Doc: https://istio.io/latest/docs/ops/integrations/prometheus/#option-2-customized-scraping-configurations +# - job_name: 'istiod' +# kubernetes_sd_configs: +# - role: endpoints +# namespaces: +# names: +# - istio-system +# relabel_configs: +# - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] +# action: keep +# regex: istiod;http-monitoring +# - job_name: 'envoy-stats' +# metrics_path: /stats/prometheus +# kubernetes_sd_configs: +# - role: pod + +# relabel_configs: +# - source_labels: [__meta_kubernetes_pod_container_port_name] +# action: keep +# regex: '.*-envoy-prom' +# # End of istio scrape endpoints + +grafana: + adminPassword: prom-operator + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: istio + hosts: + - grafana.kubernetes-ops.com + # nodeSelector: + # app-type: my-app + # tolerations: + # - key: "app-type" + # operator: "Equal" + # value: "my-app" + # effect: "NoSchedule" + + +## Configuration for alertmanager +## ref: https://prometheus.io/docs/alerting/alertmanager/ +## +alertmanager: + + ingress: + enabled: false + + annotations: + external-dns.alpha.kubernetes.io/hostname: alertmanager.internal.managedkube.com + kubernetes.io/ingress.class: nginx-external + # certmanager.k8s.io/cluster-issuer: prod + # certmanager.k8s.io/acme-http01-edit-in-place: "true" + + hosts: + - alertmanager.internal.managedkube.com + + tls: + - secretName: cert-manager-tls-cert + hosts: + - alertmanager.internal.managedkube.com + # secretName: domain-wildcard # This should match the Certificate secretName + + alertmanagerSpec: + alertmanagerConfigSelector: + matchLabels: + # The `AlertmanagerConfig` configs must 
have this label for + # this alert manager to include in the config. + release: kube-prometheus-stack + + ## Alertmanager configuration directives + ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file + ## https://prometheus.io/webtools/alerting/routing-tree-editor/ + ## + config: + route: + receiver: 'null' + routes: + - match: + alertname: Watchdog + receiver: 'null' + - match: + alertname: KubeControllerManagerDown + receiver: 'null' + - match: + alertname: KubeProxyDown + receiver: 'null' + - match: + alertname: KubeSchedulerDown + receiver: 'null' + + # - match_re: + # severity: critical|page|alert + # receiver: slack-critical + # continue: true + # - match: + # severity: warning + # receiver: slack-warning + # continue: true + # - match_re: + # severity: critical|page|alert + # receiver: pagerduty-critical + # continue: true + + receivers: + - name: 'null' + + ## Receiver config docs: + ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md + # + # - name: 'slack-tests' + # slack_configs: + # - api_url: https://hooks.slack.com/services/xxx/xxx/xxx + # channel: kube-alerts + # send_resolved: true + # text: |- + # {{ range .Alerts }} + # Annotations: + # {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }} + # {{ end }} + # Details: + # {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} + # {{ end }} + # {{ end }} + # title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}' + # title_link: https://alertmanager.internal.managedkube.com + # username: slack-test-dev-us + + # - name: slack-critical + # slack_configs: + # - api_url: https://hooks.slack.com/services/xxx/xxx/xxx + # channel: kube-alerts + # send_resolved: true + # text: |- + # {{ range .Alerts }} + # Annotations: + # {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }} + # {{ end }} + # Details: + # {{ range 
.Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} + # {{ end }} + # {{ end }} + # title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}' + # title_link: https://alertmanager.internal.managedkube.com + # username: slack-critical-dev-us + + # - name: 'slack-warning' + # slack_configs: + # - api_url: https://hooks.slack.com/services/xxx/xxx/xxx + # channel: kube-alerts + # send_resolved: true + # text: |- + # {{ range .Alerts }} + # Annotations: + # {{ range $key, $value := .Annotations }} - {{ $key }}: {{ $value }} + # {{ end }} + # Details: + # {{ range .Labels.SortedPairs }} - {{ .Name }} = {{ .Value }} + # {{ end }} + # {{ end }} + # title: '{{ if ne .Status "firing" }}[{{ .Status | toUpper }}]{{ end }} {{ .CommonAnnotations.summary }}{{ .CommonAnnotations.message }}' + # title_link: https://alertmanager.internal.managedkube.com + # username: slack-warning-dev-us + + # - name: 'pagerduty-critical' + # pagerduty_configs: + # - service_key: xxxxx + + additionalDataSources: + - name: loki + access: proxy + basicAuth: false + basicAuthPassword: pass + basicAuthUser: daco + editable: false + jsonData: + tlsSkipVerify: true + orgId: 1 + type: loki + url: http://loki-stack:3100 + version: 1 + +## Istio changes to not add the istio sidecar to the prometheus operator's addmission webhook patch +## https://github.com/prometheus-community/helm-charts/issues/479#issuecomment-752709725 +# prometheusOperator: +# admissionWebhooks: +# patch: +# podAnnotations: +# sidecar.istio.io/inject: "false" diff --git a/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf b/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf new file mode 100644 index 000000000..5df607395 --- /dev/null +++ b/terraform-modules/aws/helm/kube-prometheus-stack/variables.tf 
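Review bot: `grafana.adminPassword: prom-operator` commits the chart's well-known default admin credential while `grafana.ingress.enabled: true` publishes Grafana on `grafana.kubernetes-ops.com` through the istio ingress class with no `tls` section, so anyone who can reach that hostname can log in as admin with a password that appears in the upstream chart's default values. Drop `adminPassword` and point the chart at a secret created out of band (for example through the external-secrets module in this repo): `grafana:` / `  admin:` / `    existingSecret: grafana-admin` — the kube-prometheus-stack chart passes `grafana.*` through to the grafana subchart, which as far as I can tell reads `admin.existingSecret` together with `userKey`/`passwordKey`. The loki datasource entry keeps `basicAuthUser: daco` and `basicAuthPassword: pass` under `basicAuth: false` and sets `tlsSkipVerify: true` for a plain `http://` URL; dead credentials and a TLS bypass in a committed values file are exactly what secret scanners and auditors trip over, so remove all three. The disabled `alertmanager.ingress` block still carries a public hostname and a `cert-manager-tls-cert` secret name; if it is meant as a template, say so in a comment.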
@@ -0,0 +1,29 @@
+variable helm_version {
+ type = string
+ default = "34.1.1"
+ description = "Helm chart version"
+}
+
+variable verify {
+ type = bool
+ default = false
+ description = "Verify the helm download"
+}
+
+variable namespace {
+ type = string
+ default = "monitoring"
+ description = "Namespace to install in"
+}
+
+variable chart_name {
+ type = string
+ default = "kube-prometheus-stack"
+ description = "Name to set the helm deployment to"
+}
+
+variable helm_values {
+ type = string
+ default = ""
+ description = "Additional helm values to pass in. These values would override the default in this module."
+}
diff --git a/terraform-modules/aws/helm/kubernetes-external-secrets/README.md b/terraform-modules/aws/helm/kubernetes-external-secrets/README.md
new file mode 100644
index 000000000..938b0c00c
--- /dev/null
+++ b/terraform-modules/aws/helm/kubernetes-external-secrets/README.md
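Review bot: `verify` defaults to `false` with the description `Verify the helm download`, which does not tell a caller what is being skipped: with verify off the Helm provider never checks the chart's provenance signature, so TLS to the chart repository is the only integrity control on what gets installed into the cluster. Leaving it off may be deliberate because not every repository publishes `.prov` files, but the description should say so, e.g. `description = "Check the chart's provenance (.prov) signature against the local keyring. Off by default since not all repos publish provenance; when false, TLS to the repository is the only integrity check."`. The same variable with the same one-line description appears in the sibling modules of this commit, so the wording is worth applying to all of them.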
@@ -0,0 +1,20 @@
+# kubernetes-external-secrets
+
+# Deprecated
+This helm chart has been deprecated in favor of the `external-secrets` helm chart
+
+Source project: https://github.com/external-secrets/kubernetes-external-secrets
+Source chart: https://github.com/external-secrets/kubernetes-external-secrets/tree/master/charts/kubernetes-external-secrets
+
+EKS Kubernetes v1.19+
+
+## Useful guides
+Getting the IAM policies and trust relationships to all align up is tricky. If something is not set correctly like
+the name is off in one of the place, the entire sequence of chained identity fails and it is hard to figure out where
+exactly. You can guess and see if it is something obvious but if it is not, then you should just follow each of the
+resources through to make sure everything is setup correctly.
+
+Here is the doc on how to setup IAM for ServiceAccounts: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
+
+At the bottom of this doc it will link to how to create each of the items. Following each one through to make sure these
+items exist and the names all match up is critical for this entire setup.
diff --git a/terraform-modules/aws/helm/kubernetes-external-secrets/helm_values.tpl.yaml b/terraform-modules/aws/helm/kubernetes-external-secrets/helm_values.tpl.yaml
new file mode 100644
index 000000000..940f943a7
--- /dev/null
+++ b/terraform-modules/aws/helm/kubernetes-external-secrets/helm_values.tpl.yaml
@@ -0,0 +1,9 @@
+---
+env:
+ AWS_REGION: us-east-1
+ AWS_DEFAULT_REGION: us-east-1
+
+serviceAccount:
+ name: ${resource_name}
+ annotations:
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/${resource_name}"
diff --git a/terraform-modules/aws/helm/kubernetes-external-secrets/iam-policy.tpl.json b/terraform-modules/aws/helm/kubernetes-external-secrets/iam-policy.tpl.json
new file mode 100644
index 000000000..d56ddee99
--- /dev/null
+++ b/terraform-modules/aws/helm/kubernetes-external-secrets/iam-policy.tpl.json
@@ -0,0 +1,20 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "secretsmanager:GetResourcePolicy",
+ "secretsmanager:GetSecretValue",
+ "secretsmanager:DescribeSecret",
+ "secretsmanager:ListSecretVersionIds",
+ "sts:AssumeRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::016733450475:role/kubernetes-external-secrets-${envName}",
+ "arn:aws:secretsmanager:${awsRegion}:${awsAccountID}:secret:${secretsPrefix}*"
+ ]
+ }
+ ]
+}
+
\ No newline at end of file
diff --git a/terraform-modules/aws/helm/kubernetes-external-secrets/main.tf b/terraform-modules/aws/helm/kubernetes-external-secrets/main.tf
new file mode 100644
index 000000000..9cf38face
--- /dev/null
+++ b/terraform-modules/aws/helm/kubernetes-external-secrets/main.tf
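Review bot: The `sts:AssumeRole` resource hard-codes account `016733450475` while the rest of the template uses `${awsAccountID}`, and the role it names (`kubernetes-external-secrets-${envName}`) is exactly the name main.tf in this commit gives the role this policy is attached to. If that account is a deliberate central secrets account it should be a template variable with a comment saying so; if not, this silently grants the pod's role permission to assume a role in a foreign account and should read `${awsAccountID}`. The two action groups also share one Resource list, so each action is paired with an ARN type it can never match; splitting them into two statements makes the policy say what it means and lets IAM Access Analyzer reason about it. The file is also missing its trailing newline (`\ No newline at end of file`).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadScopedSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": "arn:aws:secretsmanager:${awsRegion}:${awsAccountID}:secret:${secretsPrefix}*"
    },
    {
      "Sid": "AssumeDelegatedRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::${awsAccountID}:role/kubernetes-external-secrets-${envName}"
    }
  ]
}
```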
@@ -0,0 +1,68 @@
+locals {
+ base_name = "kubernetes-external-secrets"
+ iam_policy_file = "iam-policy.tpl.json"
+ k8s_service_account_name = "kubernetes-external-secrets"
+}
+
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+module "iam_assumable_role_admin" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "3.6.0"
+ create_role = true
+ role_name = "${local.base_name}-${var.environment_name}"
+ # role_path = "/token-file-web-identity/"
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = [aws_iam_policy.cluster_autoscaler.arn]
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.namespace}:${local.k8s_service_account_name}-${var.environment_name}"]
+}
+
+data "template_file" "iam_policy" {
+ template = file("${path.module}/iam-policy.tpl.json")
+ vars = {
+ awsAccountID = data.aws_caller_identity.current.account_id
+ awsRegion = data.aws_region.current.name
+ secretsPrefix = var.secrets_prefix
+ envName = var.environment_name
+ }
+}
+
+# Policy doc: https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/docs/iam-policy-example.json
+resource "aws_iam_policy" "cluster_autoscaler" {
+ name_prefix = "${local.base_name}-${var.environment_name}"
+ description = "${local.base_name} for ${var.environment_name}"
+ policy = data.template_file.iam_policy.rendered
+}
+
+#
+# Helm templating
+#
+data "template_file" "helm_values" {
+ template = file("${path.module}/helm_values.tpl.yaml")
+ vars = {
+ awsAccountID = data.aws_caller_identity.current.account_id
+ awsRegion = data.aws_region.current.name
+ serviceAccountName = local.k8s_service_account_name
+ resource_name = "${local.base_name}-${var.environment_name}"
+ }
+}
+
+resource "helm_release" "helm_chart" {
+ chart = "kubernetes-external-secrets"
+ namespace = var.namespace
+ create_namespace = var.create_namespace
+ name = var.chart_name
+ version = var.helm_version
+ verify = var.verify
+ repository = "https://external-secrets.github.io/kubernetes-external-secrets/"
+
+ values = [
+ data.template_file.helm_values.rendered,
+ var.helm_values,
+ ]
+
+ depends_on = [
+ module.iam_assumable_role_admin
+ ]
+}
diff --git a/terraform-modules/aws/helm/kubernetes-external-secrets/variables.tf b/terraform-modules/aws/helm/kubernetes-external-secrets/variables.tf
new file mode 100644
index 000000000..1863b2f06
--- /dev/null
+++ b/terraform-modules/aws/helm/kubernetes-external-secrets/variables.tf
@@ -0,0 +1,53 @@
+variable "helm_version" {
+ type = string
+ default = "8.3.0"
+ description = "Helm chart version"
+}
+
+variable "verify" {
+ type = bool
+ default = false
+ description = "Verify the helm download"
+}
+
+variable "create_namespace" {
+ type = bool
+ default = true
+ description = "Create namespace if it does not exist"
+}
+
+variable "namespace" {
+ type = string
+ default = "kubernetes-external-secrets"
+ description = "Namespace to install in"
+}
+
+variable "chart_name" {
+ type = string
+ default = "kubernetes-external-secrets"
+ description = "Name to set the helm deployment to"
+}
+
+variable "helm_values" {
+ type = string
+ default = ""
+ description = "Additional helm values to pass in. These values would override the default in this module."
+}
+
+variable "environment_name" {
+ type = string
+ default = "env"
+ description = "An environment name to attach to some resources. Optional only needed if you are going to create more than one of these items in an AWS account"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
+
+variable "secrets_prefix" {
+ type = string
+ default = ""
+ description = "The prefix to your AWS Secrets. This allows this module to craft a more tightly controlled set of IAM policies to only allow it to get certain secrets"
+}
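Review bot: The IAM resources in this hunk carry names copied from other modules: `resource "aws_iam_policy" "cluster_autoscaler"` and `module "iam_assumable_role_admin"` are the policy and role for kubernetes-external-secrets, and the `# Policy doc: ...aws-efs-csi-driver...` comment above the policy points at an unrelated example, so anyone auditing the trust chain from the service account to Secrets Manager will be misled. Rename them to something like `aws_iam_policy.external_secrets` and `module.iam_assumable_role_external_secrets` (updating the `role_policy_arns` and `depends_on` references) and replace the comment with one that names what is actually rendered, `# Policy rendered from iam-policy.tpl.json, scoped to var.secrets_prefix`. `local.iam_policy_file` is declared but `file("${path.module}/iam-policy.tpl.json")` repeats the literal; use `file("${path.module}/${local.iam_policy_file}")` so the two cannot drift. `data "template_file"` is deprecated in favour of the built-in `templatefile()` function, which would also drop the template provider dependency.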
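Review bot: `secrets_prefix` defaults to `""`, and iam-policy.tpl.json in this commit renders it as `secret:${secretsPrefix}*`, so a caller who omits the variable gets a role that can read every secret in the account and region, the opposite of the "tightly controlled" intent in its description. Drop the `default = ""` so Terraform requires an explicit prefix, or add a `validation` block that rejects an empty string. `eks_cluster_oidc_issuer_url` has the same shape of problem: its empty default feeds `provider_url` in main.tf and cannot produce a valid OIDC trust policy, so it should be required too. The module is unusable without both, so making them required only moves the failure from apply time to plan time.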
diff --git a/terraform-modules/aws/helm/nginx-ingress/README.md b/terraform-modules/aws/helm/nginx-ingress/README.md
new file mode 100644
index 000000000..065f91a5e
--- /dev/null
+++ b/terraform-modules/aws/helm/nginx-ingress/README.md
@@ -0,0 +1,3 @@
+# helm chart - argocd
+
+Chart source: https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd
diff --git a/terraform-modules/aws/helm/nginx-ingress/main.tf b/terraform-modules/aws/helm/nginx-ingress/main.tf
new file mode 100644
index 000000000..a8b0c892f
--- /dev/null
+++ b/terraform-modules/aws/helm/nginx-ingress/main.tf
@@ -0,0 +1,15 @@
+resource "helm_release" "helm_chart" {
+ chart = "ingress-nginx"
+ namespace = var.namespace
+ create_namespace = "true"
+ name = var.chart_name
+ version = var.helm_version
+ verify = var.verify
+ repository = "https://kubernetes.github.io/ingress-nginx"
+
+ values = [
+ file("${path.module}/values.yaml"),
+ var.helm_values,
+ ]
+
+}
diff --git a/terraform-modules/aws/helm/nginx-ingress/outputs.tf b/terraform-modules/aws/helm/nginx-ingress/outputs.tf
new file mode 100644
index 000000000..bea8e491b
--- /dev/null
+++ b/terraform-modules/aws/helm/nginx-ingress/outputs.tf
@@ -0,0 +1,7 @@
+output chart {
+ value = helm_release.helm_chart.chart
+}
+
+output status {
+ value = helm_release.helm_chart.status
+}
diff --git a/terraform-modules/aws/helm/nginx-ingress/values.yaml b/terraform-modules/aws/helm/nginx-ingress/values.yaml
new file mode 100644
index 000000000..b722ccba3
--- /dev/null
+++ b/terraform-modules/aws/helm/nginx-ingress/values.yaml
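Review bot: `create_namespace = "true"` passes a string where the helm provider's argument is a bool; Terraform coerces it, but the sibling kubernetes-external-secrets module in this commit exposes the same setting as a typed `var.create_namespace`, and this module gives callers no way to turn namespace creation off at all. Add the same variable here and write `create_namespace = var.create_namespace`. Separately, the README added alongside this file is titled `helm chart - argocd` and links the argo-cd chart rather than ingress-nginx, which looks like copy-paste residue from another module.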
@@ -0,0 +1,21 @@
+---
+controller:
+ ingressClass: ingress-external
+ # Turning off the ingress admission webhook for validating the ingress spec.
+ # There is something that is blocking the GKE Kube API from reaching this service
+ # admissionWebhooks:
+ # enabled: false
+ containerPort:
+ http: 80
+ https: 443
+ service:
+ annotations:
+ # https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ service.beta.kubernetes.io/aws-load-balancer-internal: "false"
+ # nodeSelector:
+ # app-type: my-node
+ # tolerations:
+ # - key: "app-type"
+ # operator: "Equal"
+ # value: "my-node"
+ # effect: "NoSchedule"
diff --git a/terraform-modules/aws/helm/nginx-ingress/variables.tf b/terraform-modules/aws/helm/nginx-ingress/variables.tf
new file mode 100644
index 000000000..2e315e858
--- /dev/null
+++ b/terraform-modules/aws/helm/nginx-ingress/variables.tf
@@ -0,0 +1,29 @@
+variable helm_version {
+ type = string
+ default = "3.23.0"
+ description = "Helm chart version"
+}
+
+variable verify {
+ type = bool
+ default = false
+ description = "Verify the helm download"
+}
+
+variable namespace {
+ type = string
+ default = "nginx-ingress"
+ description = "Namespace to install in"
+}
+
+variable chart_name {
+ type = string
+ default = "nginx-ingress"
+ description = "Name to set the helm deployment to"
+}
+
+variable helm_values {
+ type = string
+ default = ""
+ description = "Additional helm values to pass in. These values would override the default in this module."
+}
diff --git a/terraform-modules/aws/iam_policies/s3_node_config/main.tf b/terraform-modules/aws/iam_policies/s3_node_config/main.tf
new file mode 100644
index 000000000..0004e9136
--- /dev/null
+++ b/terraform-modules/aws/iam_policies/s3_node_config/main.tf
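Review bot: `service.beta.kubernetes.io/aws-load-balancer-internal: "false"` makes the controller's load balancer internet-facing, which is presumably what the `ingress-external` class is for, but it is the one security-relevant line in the file and carries only a link as explanation; state it, e.g. `# "false" = internet-facing load balancer; this instance serves the public ingress-external class`. Nothing in these values restricts client sources (`controller.service.loadBalancerSourceRanges`), so any restriction has to come from the caller's helm_values, which is worth saying in the same comment if that is the intent. The comment about the admission webhook refers to the GKE API server, but this module lives under terraform-modules/aws; it reads as a leftover from another cloud and should be dropped or reworded so nobody disables the webhook here on its authority.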
@@ -0,0 +1,15 @@
+# Policy for S3 Bucket - allows the node to get read-only access to s3 buckets for the node_config items
+# For the "all" nodes
+resource "aws_iam_policy" "this" {
+ name = var.name
+ policy = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Action" : ["s3:GetObject", "s3:ListBucket"],
+ "Effect" : "Allow",
+ "Resource" : "arn:aws:s3:::${var.environment_name}-installer/node_configs/*"
+ }
+ ]
+ })
+}
diff --git a/terraform-modules/aws/iam_policies/s3_node_config/outputs.tf b/terraform-modules/aws/iam_policies/s3_node_config/outputs.tf
new file mode 100644
index 000000000..80bb0bd9f
--- /dev/null
+++ b/terraform-modules/aws/iam_policies/s3_node_config/outputs.tf
@@ -0,0 +1,11 @@
+output "arn" {
+ value = aws_iam_policy.this.arn
+}
+
+output "name" {
+ value = aws_iam_policy.this.name
+}
+
+output "path" {
+ value = aws_iam_policy.this.path
+}
diff --git a/terraform-modules/aws/iam_policies/s3_node_config/variables.tf b/terraform-modules/aws/iam_policies/s3_node_config/variables.tf
new file mode 100644
index 000000000..3bb971ffb
--- /dev/null
+++ b/terraform-modules/aws/iam_policies/s3_node_config/variables.tf
@@ -0,0 +1,15 @@
+variable "name" {
+ type = string
+ default = "featurespace-s3-ec2-node_configs-"
+ description = "The full name of the policy"
+}
+
+variable "environment_name" {
+ type = string
+ description = "The full name of the environment"
+}
+
+variable "tags" {
+ type = map(any)
+ description = "The set of tags to place on this node and other resources"
+}
diff --git a/terraform-modules/aws/image-builder/README.md b/terraform-modules/aws/image-builder/README.md
new file mode 100644
index 000000000..cbb99b033
--- /dev/null
+++ b/terraform-modules/aws/image-builder/README.md
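Review bot: `s3:ListBucket` is a bucket-level action, but the only Resource in the statement is the object ARN `arn:aws:s3:::${var.environment_name}-installer/node_configs/*`, so that grant can never match and listing will be denied at runtime; it needs the bucket ARN, ideally with an `s3:prefix` condition so the node can only enumerate `node_configs/`. Split the statement in two as below. `var.tags` is declared as a required input in the variables.tf of this commit but is never used here; add `tags = var.tags` to the resource or remove the variable so callers are not forced to supply a value that is dropped. The `${var.environment_name}-installer` bucket name is built by convention rather than passed in, which is fine if that naming is fixed, but it deserves a one-line comment.

```hcl
resource "aws_iam_policy" "this" {
  name = var.name
  tags = var.tags
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "ListNodeConfigPrefix",
        "Action" : ["s3:ListBucket"],
        "Effect" : "Allow",
        "Resource" : "arn:aws:s3:::${var.environment_name}-installer",
        "Condition" : { "StringLike" : { "s3:prefix" : ["node_configs/*"] } }
      },
      {
        "Sid" : "GetNodeConfigObjects",
        "Action" : ["s3:GetObject"],
        "Effect" : "Allow",
        "Resource" : "arn:aws:s3:::${var.environment_name}-installer/node_configs/*"
      }
    ]
  })
}
```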
@@ -0,0 +1,144 @@ +# Image Builder +This image builder uses a Terraform module called `imagebuilder` to create a EC2 Build Image pipeline. + +## EC2 Image Builder overview +https://docs.aws.amazon.com/imagebuilder/latest/userguide/how-image-builder-works.html + +### Image Pipeline +An image pipeline provides an automation framework for building secure AMIs and container images on AWS. The Image Builder image pipeline is associated with an image recipe or container recipe that defines the build, validation, and test phases for an image build lifecycle. + +### Image Recipe +An Image Builder image recipe is a document that defines the source image and the components that are applied to the source image to produce the desired configuration for the output AMI image. You can use an image recipe to duplicate builds. Image Builder image recipes can be shared, branched, and edited using the console wizard, the AWS CLI, or the API. You can use image recipes with your version control software to maintain shareable, versioned image recipes. + +### Infrastructure Configuration +Image Builder launches Amazon EC2 instances in your account to customize images and run validation tests. The Infrastructure configuration settings specify infrastructure details for the instances that will run in your AWS account during the build process. + +### Distrubtion Configuration +Choose the AWS Regions to distribute your image to after the build is complete and has passed all its tests. The pipeline automatically distributes your image to the Region where it runs the build, and you can add image distribution for other Regions. + +### Component +A component defines the sequence of steps required to either customize an instance prior to image creation (a build component), or to test an instance that was launched from the created image (a test component). 
+ +A component is created from a declarative, plain-text YAML or JSON document that describes the runtime configuration for building and validating, or testing an instance that is produced by your pipeline. Components run on the instance using a component management application. The component management application parses the documents and runs the desired steps. + +## How to set it up +Decide on what operating system you wish to create an AMI for and set up a new directory structure as shown below. +``` + +└─── - +│ └─ main.tf +│ └─ outputs.tf +| └─ variables.tf +... +``` + +### main.tf +``` +provider "aws" { + region = var.aws_region +} + +module "imagebuilder" { + source = "git::git@github.marqeta.com:marqeta/managedkube-infra.git//terraform-modules/aws/image-builder?ref=tf-image-builder" + custom_prefix = var.custom_prefix + aws_region = var.aws_region + recipe_parent_image = var.recipe_parent_image + infrastructure_configuration_subnet_id = var.infrastructure_configuration_subnet_id + infrastructure_configuration_security_group_ids = var.infrastructure_configuration_security_group_ids + component_data = file("${path.module}/component.yaml") + tags = { + owner = "rpg" + env = "dev" + region = "us-east-1" + service = "EC2 Image Builder" + repo = "managedkube-infra" + terraform = "${timestamp()}" + service = "managedkube" + owner = "risk" + oncall = "_Team Risk Services" + } +} +``` + +Set up your variables or replace inline. + +## How to create an AMI +Creating an AMI is a manual process. After applying Terraform, navigate to the AWS Management Console -> EC2 Image Builder -> Image Pipelines. There should be a pipeline already created by Terraform. If not, double check your region. + +![pipeline](./docs/image-builder-pipeline.png) + +From the management console, you can run an Image Pipeline and an AMI will be created and distributed the the region(s) defined in your Terraform. 
During this process, a `build` EC2 instance will run and self terminate, along with a `test` EC2 instance. + + +![status](./docs/image-builder-status.png) + + +After the process is finished, you can check EC2 for your AMI. + + +![ami](./docs/ec2-ami.png) + + +## How to bake in commands during the AMI build process +When creating a new module, you want to create a file called `component.yaml`. Within this file you will set instructions for the build. Either add more commands or create more actions. + +Click here for more details: https://docs.aws.amazon.com/imagebuilder/latest/userguide/image-builder-application-documents.html + +``` +--- +phases: +- name: build + steps: + - action: ExecuteBash + inputs: + commands: + - "command1" + - "command2 -y" + name: "" + onFailure: Continue +schemaVersion: 1 + +``` + +Updating your existing pipeline will force a replacment of your Image Builder Component. Destroying and re-applying Terraform ad-hoc should be okay to do and may be required depending on which part of the pipeline is updating. + +## Parameters +The following section describes the parameters used and what they do. + +#### source +The source of the image builder module (set of resources). + +#### custom_prefix +A `string` added as a prefix to the names of the various instantiated pieces of the pipeline. + +#### aws_region +The AWS region you want to provision to your pipeline to. + +#### recipe_parent_image +The name of the source image you use to to build your AMI. + +#### aws_iam_instance_profile_name +The instance profile name is used to provide the instance with the permissions that are required to perform customization activities. This is a custom value. + +#### aws_iam_role_name +The IAM role that you associate with your instance profile must have permissions to run the build and test components included in your image. This is a custom value. 
+ +#### infastructure_configuration_instance_types +This is a list of AWS EC2 instance types used for your `build` and `test` instances. List a few different sizes to increase instance pool availbility. + +#### infrastructure_configuration_subnet_id +Set one subnet ID within an existing VPC for your Build and Test images used by the infrastructure configuration. + +#### infrastructure_configuration_security_group_ids +Set one or more (list) security group IDs within the same VPC as subnet IDs. + +#### component_data +The `component.yaml` file is used to populate the variable `component_data` and is used as a way to commands during the buid process. + +### tags +Set tag mappings to properly label the various provisioned services. The same tag mappings will be applied to each AWS service created, where applicable. + +## How to remove +``` +terraform destroy +``` diff --git a/terraform-modules/aws/image-builder/docs/ec2-ami.png b/terraform-modules/aws/image-builder/docs/ec2-ami.png new file mode 100644 index 000000000..247b3f733 Binary files /dev/null and b/terraform-modules/aws/image-builder/docs/ec2-ami.png differ diff --git a/terraform-modules/aws/image-builder/docs/image-builder-pipeline.png b/terraform-modules/aws/image-builder/docs/image-builder-pipeline.png new file mode 100644 index 000000000..0fb1b1e7e Binary files /dev/null and b/terraform-modules/aws/image-builder/docs/image-builder-pipeline.png differ diff --git a/terraform-modules/aws/image-builder/docs/image-builder-status.png b/terraform-modules/aws/image-builder/docs/image-builder-status.png new file mode 100644 index 000000000..047b75e6d Binary files /dev/null and b/terraform-modules/aws/image-builder/docs/image-builder-status.png differ diff --git a/terraform-modules/aws/image-builder/main.tf b/terraform-modules/aws/image-builder/main.tf new file mode 100644 index 000000000..705659a1a --- /dev/null +++ b/terraform-modules/aws/image-builder/main.tf 
@@ -0,0 +1,115 @@ +provider "aws" { + region = var.aws_region +} + +resource "aws_iam_instance_profile" "InstanceProfileForImageBuilder" { + name = "${var.custom_prefix}${var.aws_iam_instance_profile_name}" + role = aws_iam_role.role.name + tags = var.tags +} + +resource "aws_iam_role" "role" { + name = "${var.custom_prefix}${var.aws_iam_role_name}" + path = "/" + tags = var.tags + assume_role_policy = < [aws](#provider\_aws) | n/a | +| [kubectl](#provider\_kubectl) | n/a | +| [template](#provider\_template) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [kubectl_manifest.certificate](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [kubectl_manifest.gateway](https://registry.terraform.io/providers/hashicorp/kubectl/latest/docs/resources/manifest) | resource | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster_auth) | data source | +| [template_file.certificate](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | +| [template_file.gateway](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cert\_common\_name](#input\_cert\_common\_name) | The common name for the certificate | `string` | n/a | yes | +| [cert\_dns\_name](#input\_cert\_dns\_name) | The dns name for the certificate | `string` | n/a | yes | +| [cluster\_ca\_certificate](#input\_cluster\_ca\_certificate) | The eks kubernetes cluster\_ca\_certificate | `string` | n/a | yes | +| [cluster\_name](#input\_cluster\_name) | The name of the EKS cluster | `string` | n/a | yes | +| [issue\_ref\_group](#input\_issue\_ref\_group) | n/a | `string` | `"cert-manager.io"` | no | +| 
[issue\_ref\_kind](#input\_issue\_ref\_kind) | n/a | `string` | `"ClusterIssuer"` | no |
+| [issue\_ref\_name](#input\_issue\_ref\_name) | n/a | `string` | `"letsencrypt-prod-dns01"` | no |
+| [kubernetes\_api\_host](#input\_kubernetes\_api\_host) | The eks kubernetes api host endpoint | `string` | n/a | yes |
+| [namespace](#input\_namespace) | The kubernetes namespace to deploy into | `string` | `"istio-system"` | no |
+
+## Outputs
+
+No outputs.
diff --git a/terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml b/terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml
new file mode 100644
index 000000000..e2eb4dfe4
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/certificate.tpl.yaml
@@ -0,0 +1,19 @@
+# This certificate created in this namespace and the nginx-ingress uses it
+# This requires a functioning cert-manager
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: domain-wildcard
+ namespace: ${namespace}
+spec:
+ secretName: domain-wildcard # use this secret name in the nginx-ingress definition
+ commonName: "${cert_common_name}"
+ dnsNames:
+ - "${cert_dns_name}"
+ issuerRef:
+ name: ${issue_ref_name}
+ # We can reference ClusterIssuers by changing the kind here.
+ # The default value is Issuer (i.e. a locally namespaced Issuer)
+ kind: ${issue_ref_kind}
+ group: ${issue_ref_group}
diff --git a/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml b/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml
new file mode 100644
index 000000000..0082c7e55
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/gateway.tpl.yaml
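Review bot: Both comments in this template describe nginx-ingress (`# This certificate created in this namespace and the nginx-ingress uses it` and `# use this secret name in the nginx-ingress definition`), but the file lives in the istio-networking/main-gateway module and the secret is consumed through the Istio Gateway's `credentialName` in gateway.tpl.yaml of this commit. Reword them to `# Wildcard certificate for the Istio ingress gateway; requires a working cert-manager` and `# referenced as credentialName by the Gateway's HTTPS server` so the next reader does not go looking for an nginx Ingress. The `# The default value is Issuer` remark is also misleading here, since the module's variables default `issue_ref_kind` to `ClusterIssuer`.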
@@ -0,0 +1,25 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: main-gateway
+ namespace: ${namespace}
+spec:
+ selector:
+ # use Istio default gateway implementation
+ app: istio-ingressgateway
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts: ${gateway_hosts}
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: ${gateway_credentialName} # This should match the Certificate secretName
+ hosts:
+ - "*" # This should match a DNS name in the Certificate
diff --git a/terraform-modules/aws/istio-networking/main-gateway/main.tf b/terraform-modules/aws/istio-networking/main-gateway/main.tf
new file mode 100644
index 000000000..6b17e5d54
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/main.tf
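Review bot: The HTTPS server hard-codes `hosts: - "*"` while the HTTP server uses `${gateway_hosts}`, so the variable only narrows plaintext traffic and TLS is served for every host regardless of what the caller passes, even though the inline comment says the entry should match a certificate DNS name. Use `hosts: ${gateway_hosts}` on the HTTPS server as well. The port-80 server has no redirect, so every host stays reachable over plaintext; unless HTTP-01 challenges must pass through this gateway (the module defaults to a dns01 issuer, so presumably not), add `tls:` / `httpsRedirect: true` under the HTTP server. `networking.istio.io/v1alpha3` is still accepted, but `v1beta1` is the current stable API for Gateway.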
@@ -0,0 +1,46 @@
+data "aws_eks_cluster_auth" "main" {
+ name = var.cluster_name
+}
+
+provider "kubectl" {
+ host = var.kubernetes_api_host
+ cluster_ca_certificate = base64decode(var.cluster_ca_certificate)
+ token = data.aws_eks_cluster_auth.main.token
+ load_config_file = false
+}
+
+# file templating
+data "template_file" "gateway" {
+ template = file("${path.module}/gateway.tpl.yaml")
+
+ vars = {
+ namespace = var.namespace
+ gateway_hosts = "${jsonencode(var.gateway_hosts)}"
+ gateway_credentialName = var.gateway_credentialName
+ }
+}
+
+resource "kubectl_manifest" "gateway" {
+ yaml_body = data.template_file.gateway.rendered
+}
+
+# file templating
+data "template_file" "certificate" {
+ count = var.enable_certificate ? 1 : 0
+ template = file("${path.module}/certificate.tpl.yaml")
+
+ vars = {
+ namespace = var.namespace
+ cert_common_name = var.cert_common_name
+ cert_dns_name = var.cert_dns_name
+ issue_ref_name = var.issue_ref_name
+ issue_ref_name = var.issue_ref_name
+ issue_ref_kind = var.issue_ref_kind
+ issue_ref_group = var.issue_ref_group
+ }
+}
+
+resource "kubectl_manifest" "certificate" {
+ count = var.enable_certificate ? 1 : 0
+ yaml_body = data.template_file.certificate[0].rendered
+}
diff --git a/terraform-modules/aws/istio-networking/main-gateway/variables.tf b/terraform-modules/aws/istio-networking/main-gateway/variables.tf
new file mode 100644
index 000000000..e47eed52a
--- /dev/null
+++ b/terraform-modules/aws/istio-networking/main-gateway/variables.tf
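Review bot: The `vars` map of `data "template_file" "certificate"` lists `issue_ref_name = var.issue_ref_name` twice; HCL rejects duplicate keys in an object constructor ("Duplicate object key"), so with the default `enable_certificate = true` the plan should fail before anything is applied, and if a provider version lets it through the second line is still dead. Delete the duplicate. `provider "kubectl"` is declared inside this module, which prevents callers from using `count`/`for_each` on it and ties one configuration to one cluster; the usual pattern is to configure the provider in the root module and pass it in. `data "template_file"` is deprecated in favour of `templatefile()`, which would also let `gateway_hosts` be passed as a list instead of a pre-encoded JSON string.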
@@ -0,0 +1,62 @@
+variable "cluster_name" {
+ type = string
+ description = "The name of the EKS cluster"
+}
+
+variable "kubernetes_api_host" {
+ type = string
+ description = "The eks kubernetes api host endpoint"
+}
+
+variable "cluster_ca_certificate" {
+ type = string
+ description = "The eks kubernetes cluster_ca_certificate"
+}
+
+variable "namespace" {
+ type = string
+ description = "The kubernetes namespace to deploy into"
+ default = "istio-system"
+}
+
+variable "cert_common_name" {
+ type = string
+ description = "The common name for the certificate"
+ default = ""
+}
+
+variable "cert_dns_name" {
+ type = string
+ description = "The dns name for the certificate"
+ default = ""
+}
+
+variable "enable_certificate" {
+ type = bool
+ description = "If set to true, it will create the certificate resource on-demand"
+ default = true
+}
+
+variable "issue_ref_name" {
+ default = "letsencrypt-prod-dns01"
+}
+
+variable "issue_ref_kind" {
+ default = "ClusterIssuer"
+}
+
+variable "issue_ref_group" {
+ default = "cert-manager.io"
+}
+
+variable "gateway_hosts" {
+ type = list(string)
+ description = "the list of hosts available for the gateway"
+ default = ["*"]
+}
+
+variable "gateway_credentialName" {
+ type = string
+ description = "This is the gateway matches the secretName field in the certificate"
+ default = "domain-wildcard"
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/istio/README.md b/terraform-modules/aws/istio/README.md
new file mode 100644
index 000000000..01bcde165
--- /dev/null
+++ b/terraform-modules/aws/istio/README.md
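Review bot: `enable_certificate` defaults to `true` while `cert_common_name` and `cert_dns_name` default to `""`, so a caller who sets neither gets a Certificate rendered with an empty commonName and a dnsNames entry of `""`, which cert-manager will presumably refuse to issue; drop the `default = ""` from both so they are required whenever the certificate is enabled, or default `enable_certificate` to `false`. `issue_ref_name`, `issue_ref_kind` and `issue_ref_group` have no `type` or `description`, unlike every other variable in this file. The README generated for this module in the same commit does not list `enable_certificate`, `gateway_hosts` or `gateway_credentialName`, so terraform-docs should be re-run once these inputs are settled.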
@@ -0,0 +1,69 @@ +# Istio + +## Release page: +https://github.com/istio/istio/releases/ + +## Extract the Istio release +Istio doesn't provide a helm registry and they provide the releases in a release package. Download the release +you want to use, and extract it to this directory followed by the version number so the folder is +in this pattern: `istio-` to keep our folders consistent. + +The package comes with a lot of files and you only need to check in the `istion-/manifest` folder. + +Remove folders from the extract (not needed) +* bin +* samples +* tools + +## Install +General Helm install docs: https://istio.io/latest/docs/setup/install/helm/ + +Move to the Istio directory for the version you are setting up: +``` +cd ./istio/istio- +``` + +Create the `istio-system` namespace: +``` +kubectl create namespace istio-system +``` + +Install Istio base chart: +``` +helm install istio-base -n istio-system manifests/charts/base +``` + +Some of these items we are adding in: +* nodeSelectors +* tolerations + +Install Istio discovery: +``` +helm install -n istio-system istiod manifests/charts/istio-control/istio-discovery +``` + +Install ingress gateway +``` +helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress +``` + +Install egress gateway +``` +helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress +``` + +## Enable auto Istio/Envoy injection + +``` +kubectl label namespace my-app istio-injection=enabled +``` + +## Verify mTLS +If you installed Istio with values.global.proxy.privileged=true, you can use tcpdump to verify traffic is encrypted or not. + +``` +$ kubectl exec -n foo "$(kubectl get pod -n foo -lapp=httpbin -ojsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port 80 -A +``` + +## Istio networking +![alt text](/docs/images/istio-networking.png "Title") 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/LICENSE b/terraform-modules/aws/istio/istio-1.11.0/LICENSE new file mode 100644 index 000000000..56e48aa37 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/LICENSE 
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "{}"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright 2016-2020 Istio Authors
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/README.md b/terraform-modules/aws/istio/istio-1.11.0/README.md
new file mode 100644
index 000000000..b32f0697d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/README.md
@@ -0,0 +1,109 @@
+# Istio
+
+[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio)
+[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio)
+
+
+ Istio logo
+
+
+---
+
+An open platform to connect, manage, and secure microservices.
+
+- For in-depth information about how to use Istio, visit [istio.io](https://istio.io)
+- To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io)
+- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community)
+
+In this README:
+
+- [Introduction](#introduction)
+- [Repositories](#repositories)
+- [Issue management](#issue-management)
+
+In addition, here are some other documents you may wish to read:
+
+- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project
+- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment
+- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base
+- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base
+
+You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki).
+
+## Introduction
+
+[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate
+microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies
+and aggregate telemetry data. Istio's control plane provides an abstraction
+layer over the underlying cluster management platform, such as Kubernetes.
+
+Istio is composed of these components:
+
+- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic
+ between services in the cluster and from a service to external
+ services. The proxies form a _secure microservice mesh_ providing a rich
+ set of functions like discovery, rich layer-7 routing, circuit breakers,
+ policy enforcement and telemetry recording/reporting
+ functions.
+
+ > Note: The service mesh is not an overlay network. It
+ > simplifies and enhances how microservices in an application talk to each
+ > other over the network provided by the underlying platform.
+
+- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components:
+
+ - **Pilot** - Responsible for configuring the proxies at runtime.
+
+ - **Citadel** - Responsible for certificate issuance and rotation.
+
+ - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio.
+
+- **Operator** - The component provides user friendly options to operate the Istio service mesh.
+
+## Repositories
+
+The Istio project is divided across a few GitHub repositories:
+
+- [istio/api](https://github.com/istio/api). This repository defines
+component-level APIs and common configuration formats for the Istio platform.
+
+- [istio/community](https://github.com/istio/community). This repository contains
+information on the Istio community, including the various documents that govern
+the Istio open source project.
+
+- [istio/istio](README.md). This is the main code repository. It hosts Istio's
+core components, install artifacts, and sample programs. It includes:
+
+ - [istioctl](istioctl/). This directory contains code for the
+[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility.
+
+ - [operator](operator/). This directory contains code for the
+[Istio Operator](https://istio.io/latest/docs/setup/install/operator/).
+
+ - [pilot](pilot/). This directory
+contains platform-specific code to populate the
+[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies
+when the application topology changes, as well as translate
+[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration.
+
+ - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code,
+including Citadel (acting as Certificate Authority), citadel agent, etc.
+
+- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains
+extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of
+Envoy filters) that support authentication, authorization, and telemetry collection.
+
+## Issue management
+
+We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata:
+
+- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things.
+Each issue is ultimately part of an epic.
+
+- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we
+think the issue should get addressed.
+
+- **Priority**. Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of
+P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the
+milestone cannot be considered achieved if the issue isn't resolved.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/bin/istioctl b/terraform-modules/aws/istio/istio-1.11.0/bin/istioctl
new file mode 100755
index 000000000..66c7eb97e
Binary files /dev/null and b/terraform-modules/aws/istio/istio-1.11.0/bin/istioctl differ
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifest.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifest.yaml
new file mode 100644
index 000000000..342794c99
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifest.yaml
@@ -0,0 +1,30 @@
+dashboards:
+ istio-extension-dashboard: 13277
+ istio-mesh-dashboard: 7639
+ istio-performance-dashboard: 11829
+ istio-service-dashboard: 7636
+ istio-workload-dashboard: 7630
+ pilot-dashboard: 7645
+dependencies:
+ api:
+ sha: eff556fb5d8a2f9d0f70d2a8d74f4323b9fba6e5
+ client-go:
+ goversionenabled: true
+ sha: a3be2da5baa32a745148d8da0e281a5e85982bf7
+ envoy:
+ sha: 68fe53a889416fd8570506232052b06f5a531541
+ gogo-genproto:
+ sha: 16cc1841f1f76c890b806f169b1532db66d7069a
+ istio:
+ sha: 57d639a4fd19ee8c3559b9a4032f91e4d23c6f14
+ pkg:
+ sha: 95ff2e6f6c81627bc015b3aaf57c0966a9bc294a
+ proxy:
+ sha: 494a674e70543a319ad4865482c125581f5746bf
+ test-infra:
+ sha: fed5d1d7eba51f5c326c2bd6ca2c8bfee99e5dcf
+ tools:
+ sha: 7c470470777e6e82475f02dae6678e5cdc3fdd50
+docker: docker.io/istio
+ignoreVulnerability: false
+version: 1.11.0
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/README-helm3.md b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/README-helm3.md
new file mode 100644
index 000000000..ad3361792
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/README-helm3.md
@@ -0,0 +1,66 @@
+# Helm v3 support
+
+## Install
+
+The Helm charts are supported both by Helm v2 and Helm v3. Please do not introduce Helm v3 specific changes as many
+users are still using Helm v2 and the operator is currently using the Helm v2 code to generate.
+
+To install with Helm v3, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows:
+
+```console
+kubectl create namespace istio-system
+```
+
+The charts are as follows:
+
+- `base` creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended.
+
+```console
+helm install istio-base -n istio-system manifests/charts/base
+```
+
+- `istio-control/istio-discovery` installs a revision of istiod. You can install it multiple times, with different revisions.
+
+```console
+ helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery
+
+ helm install -n istio-system istio-canary manifests/charts/istio-control/istio-discovery \
+ --set revision=canary
+
+ helm install -n istio-system istio-mytest manifests/charts/istio-control/istio-discovery \
+ --set revision=mytest
+```
+
+- `gateways` install a load balancer with `ingress` and `egress`. You can install it multiple times with different revisions but they must be installed in separate namespaces.
+
+Ingress secrets and access should be separated from the control plane.
+
+```console
+helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress
+
+kubectl create ns istio-ingress-canary
+helm install -n istio-ingress-canary istio-ingress-canary manifests/charts/gateways/istio-ingress \
+ --set revision=canary
+```
+
+Egress secrets and access should be separated from the control plane.
+
+```console
+helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress
+
+kubectl create ns istio-egress-canary
+helm install -n istio-egress-canary istio-egress-canary manifests/charts/gateways/istio-egress \
+ --set revision=canary
+```
+
+This is an optional step. [More details](install-OpenShift.md)
+
+- `istio-cni` installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod`. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage.
+
+```console
+helm install istio-cni -n kube-system manifests/charts/istio-cni
+```
+
+## Namespaces
+
+One of the changes in Helm v3 is that the namespace is no longer created on the fly when installing a chart. This means that the namespace being used needs to be created prior to installing the charts if it does not exist already. If the default `istio-system` namespace is not being used then you need to add the setting `--set global.istioNamespace=` to the installs, to match the control plane namespace.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/README.md b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/README.md
new file mode 100644
index 000000000..6575a50c7
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/README.md
@@ -0,0 +1,136 @@
+# Istio Installer
+
+Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md)
+
+Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a
+fork of the Istio helm templates, refactored to increase modularity and isolation.
+
+Goals:
+- Improve upgrade experience: users should be able to gradually roll upgrades, with proper
+canary deployments for Istio components. It should be possible to deploy a new version while keeping the
+stable version in place and gradually migrate apps to the new version.
+
+- More flexibility: the new installer allows multiple 'environments', allowing applications to select
+a set of control plane settings and components. While the entire mesh respects the same APIs and config,
+apps may target different 'environments' which contain different instances and variants of Istio.
+
+- Better security: separate Istio components reside in different namespaces, allowing different teams or
+roles to manage different parts of Istio. For example, a security team would maintain the
+root CA and policy, a telemetry team may only have access to Prometheus,
+and a different team may maintain the control plane components (which are highly security sensitive).
+
+The install is organized in 'environments' - each environment consists of a set of components
+in different namespaces that are configured to work together. Regardless of 'environment',
+workloads can talk with each other and obey the Istio configuration resources, but each environment
+can use different Istio versions and different configuration defaults.
+
+`istioctl kube-inject` or the automatic sidecar injector are used to select the environment.
+In the case of the sidecar injector, the namespace label `istio-env: ` is used instead
+of the conventional `istio-injected: true`. The name of the environment is defined as the namespace
+where the corresponding control plane components (config, discovery, auto-injection) are running.
+In the examples below, by default this is the `istio-control` namespace. Pod annotations can also
+be used to select a different 'environment'.
+
+## Installing
+
+The new installer is intended to be modular and very explicit about what is installed. It has
+far more steps than the Istio installer - but each step is smaller and focused on a specific
+feature, and can be performed by different people/teams at different times.
+
+It is strongly recommended that different namespaces are used, with different service accounts.
+In particular access to the security-critical production components (root CA, policy, control)
+should be locked down and restricted. The new installer allows multiple instances of
+policy/control/telemetry - so testing/staging of new settings and versions can be performed
+by a different role than the prod version.
+
+The intended users of this repo are users running Istio in production who want to select, tune
+and understand each binary that gets deployed, and select which combination to use.
+
+Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in
+`istio-system`. The new components will not interfere with existing apps, but can interoperate
+and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and
+across environments ( for example canary -> prod )
+
+Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions
+will need to move to the security component.
+
+## Everything is Optional
+
+Each component in the new installer is optional. Users can install the component defined in the new installer,
+use the equivalent component in `istio-system`, configured with the official installer, or use a different
+version or implementation.
+
+For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom
+certificate provisioning tool, or use components that are centrally managed and running in a different cluster.
+
+This is a work in progress - building on top of the multi-cluster installer.
+
+As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component
+in that cluster. Currently the minimum we require is the security provider (node agent or citadel).
+
+### Install Istio CRDs
+
+This is the first step of the install. Please do not remove or edit any CRD - config currently requires
+all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure
+you get all CRDs. CRDs are separated by release and by component type in the CRD directory.
+
+Istio has strong integration with certmanager. Some operators may want to keep their current certmanager
+CRDs in place and not have Istio modify them. In this case, it is necessary to apply CRD files individually.
+
+```bash
+kubectl apply -k github.com/istio/installer/base
+```
+
+or
+
+```bash
+kubectl apply -f base/files
+```
+
+### Install Istio-CNI
+
+This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely
+security sensitive. Access to the CNI namespace must be highly restricted.
+
+**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster
+is a GKE cluster.
+
+```bash
+ISTIO_CNI_ARGS=
+# TODO: What k8s data can we use for this check for whether GKE?
+if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then
+ ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin"
+fi
+iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS}
+```
+
+TODO. It is possible to add Istio-CNI later, and gradually migrate.
+
+### Install Control plane
+
+This can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server,
+and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster.
+
+```bash
+iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \
+ --set global.istioNamespace=istio-system
+
+# Second istio-discovery, using master version of istio
+TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \
+ --set policy.enable=false \
+ --set global.istioNamespace=istio-master
+```
+
+### Gateways
+
+A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates.
+
+Since the domain certificates are stored in the gateway namespace, it is recommended to keep each
+gateway in a dedicated namespace and restrict access.
+
+For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace.
+
+### Additional test templates
+
+A number of helm test setups are general-purpose and should be installable in any cluster, to confirm
+Istio works properly and allow testing the specific install.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/UPDATING-CHARTS.md b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/UPDATING-CHARTS.md
new file mode 100644
index 000000000..33f7e5559
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/UPDATING-CHARTS.md
@@ -0,0 +1,60 @@
+# Upating charts and values.yaml
+
+The charts in the `manifests` directory are used in istioctl to generate an installation manifest. The configuration
+settings contained in values.yaml files and passed through the CLI are validated against a
+[schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto).
+Whenever making changes in the charts, it's important to follow the below steps.
+
+## Step 0. Check that any schema change really belongs in values.yaml
+
+Is this a new parameter being added? If not, go to the next step.
+Dynamic, runtime config that is used to configure Istio components should go into the
+[MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto). Values.yaml is being deprecated and adding
+to it is discouraged. MeshConfig is the official API which follows API management practices and is dynamic
+(does not require component restarts).
+Exceptions to this rule are configuration items that affect K8s level settings (resources, mounts etc.)
+
+## Step 1. Make changes in charts and values.yaml in `manifests` directory
+
+## Step 2. Make corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml)
+
+The values.yaml in `manifests` are only used for direct Helm based installations, which is being deprecated.
+If any values.yaml changes are being made, the same changes must be made in the `manifests/profiles/default.yaml`
+file, which must be in sync with the Helm values in `manifests`.
+
+## Step 3. Update the validation schema
+
+Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to
+the schema must be added here, otherwise istioctl users will see errors.
+Once the schema file is updated, run:
+
+```bash
+$ make operator-proto
+```
+
+This will regenerate the Go structs used for schema validation.
+
+## Step 4. Update the generated manifests
+
+Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts.
+These manifests can be found in [gen-istio.yaml](../charts/istio-control/istio-discovery/files/gen-istio.yaml).
+To regenerate the manifests, run:
+
+```bash
+$ make gen
+```
+
+## Step 5. Update golden files
+
+The new charts/values will likely produce different installation manifests. Unit tests that expect a certain command
+output will fail for this reason. To update the golden output files, run:
+
+```bash
+$ make refresh-goldens
+```
+
+This will generate git diffs in the golden output files. Check that the changes are what you expect.
+
+## Step 6. Create a PR using outputs from Steps 1 to 5
+
+Your PR should pass all the checks if you followed these steps.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/Chart.yaml
new file mode 100644
index 000000000..11672c2a1
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+name: base
+version: 1.11.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio cluster resources and CRDs
+keywords:
+ - istio
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/NOTES.txt b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/NOTES.txt
new file mode 100644
index 000000000..7cdd44032
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/NOTES.txt
@@ -0,0 +1 @@
+Installs Istio cluster resources: CRDs, cluster bindings and associated service accounts.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/crds/crd-all.gen.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/crds/crd-all.gen.yaml
new file mode 100644
index 000000000..e93fbb867
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/crds/crd-all.gen.yaml
@@ -0,0 +1,5717 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. 
+ properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. 
It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + type: string + match: + description: Match on listener/route configuration/cluster. 
+ oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. 
+ format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - 
description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + type: string + redirectCode: + type: integer + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. 
+ type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. 
+ type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. 
+ properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + type: string + redirectCode: + type: integer + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. 
+ type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. 
+ type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/crds/crd-operator.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/crds/crd-operator.yaml
new file mode 100644
index 000000000..2a80f4186
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/crds/crd-operator.yaml
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/files/gen-istio-cluster.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/files/gen-istio-cluster.yaml
new file mode 100644
index 000000000..9fd002fc5
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/files/gen-istio-cluster.yaml 
@@ -0,0 +1,6034 @@ +--- +# Source: crds/crd-all.gen.yaml +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. 
+ properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. 
It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + type: string + match: + description: Match on listener/route configuration/cluster. 
+ oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. 
+ format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - 
description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + type: string + redirectCode: + type: integer + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. 
+ type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. 
+ type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. 
+ properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + type: string + redirectCode: + type: integer + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. 
+ type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. 
+ type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- + +--- +# Source: crds/crd-operator.yaml +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + conversion: + strategy: None + group: install.istio.io + names: + kind: IstioOperator + listKind: IstioOperatorList + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- + +--- +# Source: base/templates/reader-serviceaccount.yaml +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. 
+apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio +--- +# Source: base/templates/serviceaccount.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod-service-account + namespace: istio-system + labels: + app: istiod + release: istio +--- +# Source: base/templates/clusterrole.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", 
"patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport 
management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] +--- +# Source: base/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list"] +--- +# Source: base/templates/clusterrolebinding.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! 
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +# Source: base/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/role.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: base/templates/rolebinding.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! 
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod-istio-system
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: istio-system
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/kustomization.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/kustomization.yaml
new file mode 100644
index 000000000..dbde62f0a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - files/gen-istio-cluster.yaml
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/clusterrole.yaml
new file mode 100644
index 000000000..e07d5cd4c
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/clusterrole.yaml
@@ -0,0 +1,171 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", "delete"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list"]
+{{- if or .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..d61729b29
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/clusterrolebinding.yaml
@@ -0,0 +1,37 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/crds.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/crds.yaml
new file mode 100644
index 000000000..871ee2a6b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/crds.yaml
@@ -0,0 +1,4 @@
+{{- if .Values.base.enableCRDTemplates }}
+{{ .Files.Get "crds/crd-all.gen.yaml" }}
+{{ .Files.Get "crds/crd-operator.yaml" }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/endpoints.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/endpoints.yaml
new file mode 100644
index 000000000..996152bb0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/endpoints.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.global.remotePilotAddress }}
+ {{- if not .Values.global.externalIstiod }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istiod-remote
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istiod
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ {{- end }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/reader-serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/reader-serviceaccount.yaml
new file mode 100644
index 000000000..d9ce18c27
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/role.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/role.yaml
new file mode 100644
index 000000000..ca1a4243f
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/role.yaml
@@ -0,0 +1,25 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/rolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/rolebinding.yaml
new file mode 100644
index 000000000..2b591fb89
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/rolebinding.yaml
@@ -0,0 +1,21 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod-{{ .Values.global.istioNamespace }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod-{{ .Values.global.istioNamespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ec25fd250
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/serviceaccount.yaml
@@ -0,0 +1,19 @@
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+# DO NOT EDIT!
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
+# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
+# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/services.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/services.yaml
new file mode 100644
index 000000000..606fd4459
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/templates/services.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.global.remotePilotAddress }}
+ {{- if not .Values.global.externalIstiod }}
+# when istiod is enabled in remote cluster, we can't use istiod service name
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod-remote
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ clusterIP: None
+ {{- else }}
+# when istiod isn't enabled in remote cluster, we can use istiod service name
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15012
+ name: tcp-istiod
+ protocol: TCP
+ # if the remotePilotAddress is IP addr, we use clusterIP: None.
+ # else, we use externalName
+ {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }}
+ clusterIP: None
+ {{- else }}
+ type: ExternalName
+ externalName: {{ .Values.global.remotePilotAddress }}
+ {{- end }}
+ {{- end }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/values.yaml
new file mode 100644
index 000000000..8f86ba0e9
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/base/values.yaml
@@ -0,0 +1,27 @@
+global:
+
+ # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ istiod:
+ enableAnalysis: false
+
+ configValidation: true
+ externalIstiod: false
+ remotePilotAddress: ""
+
+base:
+ # Used for helm2 to add the CRDs to templates.
+ enableCRDTemplates: false
+
+ # Validation webhook configuration url
+ # For example: https://$remotePilotAddress:15017/validate
+ validationURL: ""
+
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/Chart.yaml
new file mode 100644
index 000000000..517e7ea68
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-egress
+version: 1.11.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+ - istio
+ - egressgateway
+ - gateways
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/NOTES.txt b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/NOTES.txt
new file mode 100644
index 000000000..9baacc0ea
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/NOTES.txt
@@ -0,0 +1,45 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label structure. Label change is not supported on upgrade.
+
+- for 'internal load balancer' you should deploy a separate gateway, in a different
+namespace.
+
+All ingress gateway have a "app:ingressgateway" label, used to identify it as an
+ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection.
+
+The Gateways use "istio: ingressgateway$SUFFIX" selectors.
+
+
+# Multiple gateway versions
+
+
+
+# Using different pilot versions
+
+
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/_affinity.tpl b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/_affinity.tpl
new file mode 100644
index 000000000..7a4f39b2a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/_affinity.tpl 
@@ -0,0 +1,100 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{ define "nodeaffinity" }}
+nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if .podAntiAffinityTermLabelSelector }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- if $item.namespaces }}
+ namespaces:
+ {{- $ns := split "," $item.namespaces }}
+ {{- range $i, $n := $ns }}
+ - {{ $n | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/autoscale.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/autoscale.yaml
new file mode 100644
index 000000000..6336373c1
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/autoscale.yaml
@@ -0,0 +1,27 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+spec:
+ maxReplicas: {{ $gateway.autoscaleMax }}
+ minReplicas: {{ $gateway.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ $gateway.name }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/deployment.yaml
new file mode 100644
index 000000000..8c71ea189
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/deployment.yaml
@@ -0,0 +1,327 @@
+{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if eq $gateway.injectionTemplate "" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+ replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ $gateway.rollingMaxSurge }}
+ maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+ template:
+ metadata:
+ labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+ heritage: Tiller
+ release: istio
+ chart: gateways
+{{- end }}
+ service.istio.io/canonical-name: {{ $gateway.name }}
+ {{- if not (eq .Values.revision "") }}
+ service.istio.io/canonical-revision: {{ .Values.revision }}
+ {{- else}}
+ service.istio.io/canonical-revision: latest
+ {{- end }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+ sidecar.istio.io/inject: "false"
+ annotations:
+ {{- if .Values.meshConfig.enablePrometheusMerge }}
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/stats/prometheus"
+ {{- end }}
+ sidecar.istio.io/inject: "false"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+ spec:
+{{- if not $gateway.runAsRoot }}
+ securityContext:
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ fsGroup: 1337
+{{- end }}
+ serviceAccountName: {{ $gateway.name }}-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.proxy.enableCoreDump }}
+ initContainers:
+ - name: enable-core-dump
+{{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ privileged: true
+{{- end }}
+ containers:
+ - name: istio-proxy
+{{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ ports:
+ {{- range $key, $val := $gateway.ports }}
+ - containerPort: {{ $val.targetPort | default $val.port }}
+ protocol: {{ $val.protocol | default "TCP" }}
+ {{- end }}
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ {{- if .Values.global.proxy.logLevel }}
+ - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
+ {{- end}}
+ {{- if .Values.global.proxy.componentLogLevel }}
+ - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
+ {{- end}}
+ {{- if .Values.global.logging.level }}
+ - --log_output_level={{ .Values.global.logging.level }}
+ {{- end}}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if not $gateway.runAsRoot }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ {{- end }}
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: {{ $gateway.name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
+ {{- if $.Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ $.Values.global.meshID }}"
+ {{- else if .Values.meshConfig.trustDomain }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.meshConfig.trustDomain }}"
+ {{- end }}
+ {{- if .Values.meshConfig.trustDomain }}
+ - name: TRUST_DOMAIN
+ value: "{{ .Values.meshConfig.trustDomain }}"
+ {{- end }}
+ {{- if not $gateway.runAsRoot }}
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ {{- end }}
+ {{- range $key, $val := $gateway.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
+ {{- if and (not $network_set) .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+ volumeMounts:
+ - name: istio-envoy
+ mountPath: /etc/istio/proxy
+ - name: config-volume
+ mountPath: /etc/istio/config
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+{{- end }}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+{{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - name: podinfo
+ mountPath: /etc/istio/pod
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ {{- if .mountPath }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+ volumes:
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+{{- end }}
+ - name: podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ - name: istio-envoy
+ emptyDir: {}
+ - name: istio-data
+ emptyDir: {}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-egressgateway-service-account
+ optional: true
+ {{- end }}
+ - name: config-volume
+ configMap:
+ name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ optional: true
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+ {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+ tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
new file mode 100644
index 000000000..2252c8992
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml
@@ -0,0 +1,143 @@
+{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if ne $gateway.injectionTemplate "" }}
+{{/* This provides a minimal gateway, ready to be injected.
+ Any settings from values.gateways should be here - these are options specific to the gateway.
+ Global settings, like the image, various env vars and volumes, etc will be injected.
+ The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $gateway.name | default "istio-egressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+ replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ $gateway.rollingMaxSurge }}
+ maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+ template:
+ metadata:
+ labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+ heritage: Tiller
+ release: istio
+ chart: gateways
+{{- end }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+ sidecar.istio.io/inject: "true"
+ {{- with .Values.revision }}
+ istio.io/rev: {{ . }}
+ {{- end }}
+ annotations:
+ {{- if .Values.meshConfig.enablePrometheusMerge }}
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/stats/prometheus"
+ {{- end }}
+ sidecar.istio.io/inject: "true"
+ inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+ spec:
+{{- if not $gateway.runAsRoot }}
+ securityContext:
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ fsGroup: 1337
+{{- end }}
+ serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: istio-proxy
+ image: auto
+ ports:
+ {{- range $key, $val := $gateway.ports }}
+ - containerPort: {{ $val.targetPort | default $val.port }}
+ protocol: {{ $val.protocol | default "TCP" }}
+ {{- end }}
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ {{- if not $gateway.runAsRoot }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ {{- end }}
+ resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ {{- if not $gateway.runAsRoot }}
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ {{- end }}
+ {{- range $key, $val := $gateway.env }}
+ - name: {{ $key }}
+ value: {{ $val }}
+ {{- end }}
+ volumeMounts:
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ {{- if .mountPath }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+ volumes:
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+ {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+ tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..7d86413ec
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/role.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/role.yaml
new file mode 100644
index 000000000..c472fcef2
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml
new file mode 100644
index 000000000..fd1ffcd70
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name }}-service-account
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/service.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/service.yaml
new file mode 100644
index 000000000..2f8ce959e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/service.yaml
@@ -0,0 +1,47 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := $gateway.serviceAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+ loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+ externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+ type: {{ $gateway.type }}
+ selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+ ports:
+
+ {{- range $key, $val := $gateway.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+
+ {{ range $app := $gateway.egressPorts }}
+ -
+ port: {{ $app.port }}
+ name: {{ $app.name }}
+ {{- end }}
+---
+{{ end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml
new file mode 100644
index 000000000..689fda623
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/values.yaml
new file mode 100644
index 000000000..9d8fbaa2a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-egress/values.yaml
@@ -0,0 +1,308 @@
+# Standalone istio egress gateway.
+# Should be installed in a separate namespace, to minimize access to config
+gateways:
+ istio-egressgateway:
+ name: istio-egressgateway
+ ports:
+ - port: 80
+ targetPort: 8080
+ name: http2
+ protocol: TCP
+ - port: 443
+ name: https
+ targetPort: 8443
+ protocol: TCP
+
+ # Enable cross-cluster access using SNI matching.
+ # Make sure you set suffix if deploying multiple egress gateways.
+ zvpn:
+ # Must be different for each egress namespace.
+ # Used to control the domain name suffix for zero vpn routing.
+ # Domain names ending with this suffix will be routed to this egress gateway
+ # automatically.
+ # This can be a real domain name ( istio.example.com )
+ suffix: global
+ enabled: false
+
+ labels:
+ app: istio-egressgateway
+ istio: egressgateway
+
+ # Scalability tuning
+ # replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ cpu:
+ targetAverageUtilization: 80
+
+ serviceAnnotations: {}
+ podAnnotations: {}
+ type: ClusterIP # change to NodePort or LoadBalancer if need be
+
+ secretVolumes:
+ - name: egressgateway-certs
+ secretName: istio-egressgateway-certs
+ mountPath: /etc/istio/egressgateway-certs
+ - name: egressgateway-ca-certs
+ secretName: istio-egressgateway-ca-certs
+ mountPath: /etc/istio/egressgateway-ca-certs
+
+ configVolumes: []
+ additionalContainers: []
+ ### Advanced options ############
+ # TODO: convert to real options, env should not be exposed
+ env:
+ # Set this to "external" if and only if you want the egress gateway to
+ # act as a transparent SNI gateway that routes mTLS/TLS traffic to
+ # external services defined using service entries, where the service
+ # entry has resolution set to DNS, has one or more endpoints with
+ # network field set to "external". By default its set to "" so that
+ # the egress gateway sees the same set of endpoints as the sidecars
+ # preserving backward compatibility
+ # ISTIO_META_REQUESTED_NETWORK_VIEW: ""
+ # A gateway with this mode ensures that pilot generates an additional
+ # set of clusters for internal services but without Istio mTLS, to
+ # enable cross cluster routing.
+ ISTIO_META_ROUTER_MODE: "standard"
+
+ nodeSelector: {}
+ tolerations: []
+
+ # Specify the pod anti-affinity that allows you to constrain which nodes
+ # your pod is eligible to be scheduled based on labels on pods that are
+ # already running on the node rather than based on labels on nodes.
+ # There are currently two types of anti-affinity:
+ # "requiredDuringSchedulingIgnoredDuringExecution"
+ # "preferredDuringSchedulingIgnoredDuringExecution"
+ # which denote "hard" vs. "soft" requirements, you can define your values
+ # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+ # correspondingly.
+ # For example:
+ # podAntiAffinityLabelSelector:
+ # - key: security
+ # operator: In
+ # values: S1,S2
+ # topologyKey: "kubernetes.io/hostname"
+ # This pod anti-affinity rule says that the pod requires not to be scheduled
+ # onto a node if that node is already running a pod with label having key
+ # "security" and value "S1".
+ podAntiAffinityLabelSelector: []
+ podAntiAffinityTermLabelSelector: []
+
+ # whether to run the gateway in a privileged container
+ runAsRoot: false
+
+ # The injection template to use for the gateway. If not set, no injection will be performed.
+ injectionTemplate: ""
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+global:
+ # set the default set of namespaces to which services, service entries, virtual services, destination
+ # rules should be exported to. Currently only one value can be provided in this list. This value
+ # should be one of the following two options:
+ # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+ # . implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+ defaultConfigVisibilitySettings: []
+
+ # Default node selector to be applied to all deployments so that all pods can be
+ # constrained to run a particular nodes. Each component can overwrite these default
+ # values by adding its node selector block in the relevant section below and setting
+ # the desired values.
+ defaultNodeSelector: {}
+
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Default node tolerations to be applied to all deployments so that all pods can be
+ # scheduled to a particular nodes with matching taints. Each component can overwrite
+ # these default values by adding its tolerations block in the relevant section below
+ # and setting the desired values.
+ # Configure this field in case that all pods of Istio control plane are expected to
+ # be scheduled to particular nodes with specified taints.
+ defaultTolerations: []
+
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.11.0
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+
+ # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
+ # 0 - Never scheduled
+ # 1 - Least preferred
+ # 2 - No preference
+ # 3 - Most preferred
+ arch:
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+
+ proxy:
+ image: proxyv2
+
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ caAddress: ""
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ # Configure the policy for validating JWT.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique. For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+
+meshConfig:
+ enablePrometheusMerge: true
+
+ # The trust domain corresponds to the trust root of a system
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ defaultConfig:
+ proxyMetadata: {}
+ tracing:
+ # tlsSettings:
+ # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+ # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+ # privateKey: # example: /etc/istio/tracer/key.pem
+ # caCertificates: # example: /etc/istio/tracer/root-cert.pem
+ # sni: # example: tracer.somedomain
+ # subjectAltNames: []
+ # - tracer.somedomain
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/Chart.yaml
new file mode 100644
index 000000000..a6b89281f
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-ingress
+version: 1.11.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+ - istio
+ - ingressgateway
+ - gateways
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/NOTES.txt b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/NOTES.txt
new file mode 100644
index 000000000..221ee5605
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/NOTES.txt
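Review bot: `hub: docker.io/istio` with `tag: 1.11.0` pins the gateway image by a mutable tag only, and vendoring the `.0` build of the 1.11 line into a terraform module means every cluster built from it stays on exactly that build, which as far as I recall was superseded by several 1.11.x security patch releases before the line went end-of-life. Since the ingress deployment template in this same diff takes `global.proxy.image` verbatim whenever it contains a `/`, a digest-pinned reference can be supplied there instead of hub+tag; I would record that above `hub:` as `# Supply-chain note: prefer a digest-pinned global.proxy.image (registry/proxyv2@sha256:...) over hub+tag, and track 1.11.x patch releases rather than this .0 build.` The comment on `runAsRoot` (`# whether to run the gateway in a privileged container`) is also misleading, because at least the ingress deployment template in this diff never sets `privileged: true` for the gateway; it switches the UID away from 1337 and drops the hardening block, so `# whether to run the gateway as root (UID 0) instead of the unprivileged 1337 user; also disables the container hardening block` would describe what the toggle does.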
@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
new file mode 100644
index 000000000..7a4f39b2a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
@@ -0,0 +1,100 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{ define "nodeaffinity" }}
+nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+ {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}}
+ {{- range $key, $val := $nodeSelector }}
+ - key: {{ $key }}
+ operator: In
+ values:
+ - {{ $val | quote }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key | quote }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinity" }}
+{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}}
+ podAntiAffinity:
+ {{- if .podAntiAffinityLabelSelector }}
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityRequiredDuringScheduling" . }}
+ {{- end }}
+ {{- if .podAntiAffinityTermLabelSelector }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "podAntiAffinityPreferredDuringScheduling" . }}
+ {{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityRequiredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityLabelSelector }}
+ - labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ {{- if $item.namespaces }}
+ namespaces:
+ {{- $ns := split "," $item.namespaces }}
+ {{- range $i, $n := $ns }}
+ - {{ $n | quote }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "podAntiAffinityPreferredDuringScheduling" }}
+ {{- range $index, $item := .podAntiAffinityTermLabelSelector }}
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: {{ $item.key }}
+ operator: {{ $item.operator }}
+ {{- if $item.values }}
+ values:
+ {{- $vals := split "," $item.values }}
+ {{- range $i, $v := $vals }}
+ - {{ $v | quote }}
+ {{- end }}
+ {{- end }}
+ topologyKey: {{ $item.topologyKey }}
+ weight: 100
+ {{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml
new file mode 100644
index 000000000..8cf8f6687
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml
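Review bot: `podAntiAffinityPreferredDuringScheduling` silently ignores `$item.namespaces`, while its sibling `podAntiAffinityRequiredDuringScheduling` honours it, so the same list item produces a cross-namespace constraint in one mode and a same-namespace-only constraint in the other; an operator who moves a term from the hard to the soft list loses the namespace scoping without any rendering error. I would mirror the `namespaces` block into the `podAffinityTerm` of the preferred variant as below. A second, smaller point in `nodeAffinityRequiredDuringScheduling`: the `kubernetes.io/arch` expression is emitted unconditionally, so if every entry in `global.arch` is set to 0 the template renders an empty `values:` list, which the API server rejects; a comment such as `# at least one arch weight must be > 0 or the rendered nodeSelectorTerm is invalid` next to the range would save a confusing apply failure.
```yaml
    # … unchanged: labelSelector / matchExpressions / values …
      topologyKey: {{ $item.topologyKey }}
      {{- if $item.namespaces }}
      namespaces:
      {{- $ns := split "," $item.namespaces }}
      {{- range $i, $n := $ns }}
        - {{ $n | quote }}
      {{- end }}
      {{- end }}
    weight: 100
```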
@@ -0,0 +1,27 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ maxReplicas: {{ $gateway.autoscaleMax }}
+ minReplicas: {{ $gateway.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ $gateway.name }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
new file mode 100644
index 000000000..45d7695a4
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
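Review bot: `apiVersion: autoscaling/v2beta1` is a beta API that, as far as I recall, was removed from Kubernetes in 1.25, so on any EKS version still receiving support this HorizontalPodAutoscaler will fail to apply and the ingress gateway will end up with whatever `replicas` the Deployment happens to have (none is set when `autoscaleEnabled` is true), i.e. a single, non-scaling replica in front of all inbound traffic. The stable `autoscaling/v2` API has the same shape except that the utilisation target moved under `target:`, so the change is confined to the lines below and the values key `cpu.targetAverageUtilization` can stay as it is. If the module must also support clusters that predate `autoscaling/v2`, a `{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }}` switch between the two forms would keep both working.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, maxReplicas/minReplicas, scaleTargetRef …
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
```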
@@ -0,0 +1,327 @@
+{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if eq $gateway.injectionTemplate "" }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+ replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ $gateway.rollingMaxSurge }}
+ maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+ template:
+ metadata:
+ labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+ heritage: Tiller
+ release: istio
+ chart: gateways
+{{- end }}
+ service.istio.io/canonical-name: {{ $gateway.name }}
+ {{- if not (eq .Values.revision "") }}
+ service.istio.io/canonical-revision: {{ .Values.revision }}
+ {{- else}}
+ service.istio.io/canonical-revision: latest
+ {{- end }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+ sidecar.istio.io/inject: "false"
+ annotations:
+ {{- if .Values.meshConfig.enablePrometheusMerge }}
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/stats/prometheus"
+ {{- end }}
+ sidecar.istio.io/inject: "false"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+ spec:
+{{- if not $gateway.runAsRoot }}
+ securityContext:
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ fsGroup: 1337
+{{- end }}
+ serviceAccountName: {{ $gateway.name }}-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+{{- if .Values.global.proxy.enableCoreDump }}
+ initContainers:
+ - name: enable-core-dump
+{{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ privileged: true
+{{- end }}
+ containers:
+ - name: istio-proxy
+{{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ .Values.global.proxy.image }}"
+{{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}"
+{{- end }}
+{{- if .Values.global.imagePullPolicy }}
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+{{- end }}
+ ports:
+ {{- range $key, $val := $gateway.ports }}
+ - containerPort: {{ $val.targetPort | default $val.port }}
+ protocol: {{ $val.protocol | default "TCP" }}
+ {{- end }}
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ {{- if .Values.global.proxy.logLevel }}
+ - --proxyLogLevel={{ .Values.global.proxy.logLevel }}
+ {{- end}}
+ {{- if .Values.global.proxy.componentLogLevel }}
+ - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }}
+ {{- end}}
+ {{- if .Values.global.logging.level }}
+ - --log_output_level={{ .Values.global.logging.level }}
+ {{- end}}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if not $gateway.runAsRoot }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ {{- end }}
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: {{ $gateway.name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }}
+ {{- if $.Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ $.Values.global.meshID }}"
+ {{- else if .Values.meshConfig.trustDomain }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.meshConfig.trustDomain }}"
+ {{- end }}
+ {{- if .Values.meshConfig.trustDomain }}
+ - name: TRUST_DOMAIN
+ value: "{{ .Values.meshConfig.trustDomain }}"
+ {{- end }}
+ {{- if not $gateway.runAsRoot }}
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ {{- end }}
+ {{- range $key, $val := $gateway.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }}
+ {{- if and (not $network_set) .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}"
+ volumeMounts:
+ - name: istio-envoy
+ mountPath: /etc/istio/proxy
+ - name: config-volume
+ mountPath: /etc/istio/config
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+{{- end }}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ mountPath: /var/run/secrets/tokens
+ readOnly: true
+{{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - name: podinfo
+ mountPath: /etc/istio/pod
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ {{- if .mountPath }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8 }}
+{{- end }}
+ volumes:
+{{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+{{- end }}
+ - name: podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ - name: istio-envoy
+ emptyDir: {}
+ - name: istio-data
+ emptyDir: {}
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-ingressgateway-service-account
+ optional: true
+ {{- end }}
+ - name: config-volume
+ configMap:
+ name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ optional: true
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+ {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+ tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
new file mode 100644
index 000000000..1115d18dd
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml
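Review bot: `runAsRoot: true` does far more than switch the UID, because the `{{- if not $gateway.runAsRoot }}` guard wrapped around the `istio-proxy` container's `securityContext` also removes `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `privileged: false` and `readOnlyRootFilesystem: true`, leaving an Internet-facing root Envoy with the runtime's full default capability set and a writable root filesystem. Only the capability set genuinely depends on the UID (root mode presumably exists to bind ports below 1024, which needs `NET_BIND_SERVICE`), so the rest of the hardening can stay unconditional, as below. Separately, the `enable-core-dump` init container runs `privileged: true` as UID 0 and executes `sysctl -w kernel.core_pattern=...`, and `kernel.core_pattern` is a host-wide kernel setting rather than a per-pod one, so the write affects every process on the node; a comment such as `# NOTE: privileged init container rewrites the node-wide kernel.core_pattern, not just this pod; keep enableCoreDump off outside debugging` next to it would stop the flag being flipped casually.
```yaml
        # … unchanged: image, ports, args …
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - ALL
            {{- if $gateway.runAsRoot }}
            add:
              - NET_BIND_SERVICE
            {{- end }}
        # … unchanged: readinessProbe, resources, env …
```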
@@ -0,0 +1,143 @@
+{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if ne $gateway.injectionTemplate "" }}
+{{/* This provides a minimal gateway, ready to be injected.
+ Any settings from values.gateways should be here - these are options specific to the gateway.
+ Global settings, like the image, various env vars and volumes, etc will be injected.
+ The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ $gateway.name | default "istio-ingressgateway" }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+{{- if not $gateway.autoscaleEnabled }}
+{{- if $gateway.replicaCount }}
+ replicas: {{ $gateway.replicaCount }}
+{{- end }}
+{{- end }}
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | indent 6 }}
+ strategy:
+ rollingUpdate:
+ maxSurge: {{ $gateway.rollingMaxSurge }}
+ maxUnavailable: {{ $gateway.rollingMaxUnavailable }}
+ template:
+ metadata:
+ labels:
+{{ $gateway.labels | toYaml | indent 8 }}
+{{- if eq .Release.Namespace "istio-system"}}
+ heritage: Tiller
+ release: istio
+ chart: gateways
+{{- end }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+ sidecar.istio.io/inject: "true"
+ {{- with .Values.revision }}
+ istio.io/rev: {{ .
}}
+ {{- end }}
+ annotations:
+ {{- if .Values.meshConfig.enablePrometheusMerge }}
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/stats/prometheus"
+ {{- end }}
+ sidecar.istio.io/inject: "true"
+ inject.istio.io/templates: "{{ $gateway.injectionTemplate }}"
+{{- if $gateway.podAnnotations }}
+{{ toYaml $gateway.podAnnotations | indent 8 }}
+{{ end }}
+ spec:
+{{- if not $gateway.runAsRoot }}
+ securityContext:
+ runAsUser: 1337
+ runAsGroup: 1337
+ runAsNonRoot: true
+ fsGroup: 1337
+{{- end }}
+ serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: istio-proxy
+ image: auto
+ ports:
+ {{- range $key, $val := $gateway.ports }}
+ - containerPort: {{ $val.targetPort | default $val.port }}
+ protocol: {{ $val.protocol | default "TCP" }}
+ {{- end }}
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ {{- if not $gateway.runAsRoot }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ {{- end }}
+ resources:
+{{- if $gateway.resources }}
+{{ toYaml $gateway.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ {{- if not $gateway.runAsRoot }}
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ {{- end }}
+ {{- range $key, $val := $gateway.env }}
+ - name: {{ $key }}
+ value: {{ $val }}
+ {{- end }}
+ volumeMounts:
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ {{- if .mountPath }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath | quote }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
+{{- if $gateway.additionalContainers }}
+{{ toYaml $gateway.additionalContainers | indent 8
}}
+{{- end }}
+ volumes:
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+ {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+ tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..523a43fc3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
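Review bot: The env loop `value: {{ $val }}` emits the value unquoted, so any entry under `gateways.istio-ingressgateway.env` whose YAML value is a boolean or number (e.g. `SOME_FLAG: true`) renders as a non-string and the Deployment is rejected, because the EnvVar `value` field must be a string; `value: {{ $val | quote }}` avoids that and matches how `mountPath` and `secretName` are already quoted in this same hunk. The service.yaml hunk later on this page copies port fields the same way (`{{ $pkey}}: {{ $pval }}`), though those fields are typed so it is less likely to bite. Separately, `sidecar.istio.io/inject: "true"` is set both as a pod label and as a pod annotation; one of the two is redundant and a one-line comment saying which the injector honours would keep a future cleanup from dropping the wrong one.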
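Review bot: `minAvailable: 1` together with the chart defaults in the values.yaml hunk on this page (`autoscaleMin: 1`, `global.defaultPodDisruptionBudget.enabled: true`) produces a budget that never permits a voluntary disruption of a single-replica gateway, so node drains stall until the HPA scales up or someone deletes the PDB. Suggest a comment at the grant, e.g. `# With a replica floor of 1 this PDB blocks node drains; raise autoscaleMin/replicaCount or disable global.defaultPodDisruptionBudget`. `apiVersion: policy/v1beta1` is the deprecated PodDisruptionBudget API (removed in Kubernetes 1.25); `policy/v1` is the replacement on clusters at 1.21 or newer, which a terraform-modules/aws consumer is likely to be running.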
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/role.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/role.yaml
new file mode 100644
index 000000000..3e21bca5b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
new file mode 100644
index 000000000..d45255792
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name }}-service-account
+---
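Review bot: This Role grants `get`, `watch` and `list` on every Secret in the release namespace to the gateway ServiceAccount (bound by the rolebindings.yaml hunk on this same line), which is exactly why the values.yaml hunk on this page opens with "Must be installed in a separate namespace, to minimize access to secrets"; yet the install-OpenShift.md added in this diff installs the gateway with `-n istio-system`, where that read access would extend to the control-plane's own secrets. RBAC `resourceNames` restrictions do not apply to `list`/`watch`, so the Role cannot be narrowed by secret name and namespace separation is the practical control. Suggest a comment at the rule, e.g. `# Reads every Secret in this namespace for SDS - install the gateway in its own namespace, not istio-system`, and aligning the OpenShift doc with it.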
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/service.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/service.yaml
new file mode 100644
index 000000000..a3b97be16
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/service.yaml
@@ -0,0 +1,47 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := $gateway.serviceAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+ loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+ externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+ type: {{ $gateway.type }}
+ selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+ ports:
+
+ {{- range $key, $val := $gateway.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+
+ {{ range $app := $gateway.ingressPorts }}
+ -
+ port: {{ $app.port }}
+ name: {{ $app.name }}
+ {{- end }}
+---
+{{ end }}
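Review bot: With the defaults in the values.yaml hunk on this page (`type: LoadBalancer`, `loadBalancerSourceRanges: []`, `serviceAnnotations: {}`) this Service renders an external load balancer with no source restriction, and the template exposes no other knob for it; that is normal for an ingress, but a terraform-modules/aws consumer should set `loadBalancerSourceRanges` or an internal-load-balancer annotation deliberately rather than inherit the open default. A comment at `loadBalancerSourceRanges`, e.g. `# Empty (the chart default) means the LB accepts traffic from any source`, would make that visible where the value is consumed. As a point of style, `{{ range $app := $gateway.ingressPorts }}` and the bare `-` list items leave blank lines in the rendered manifest; `{{- range` trims them as the other loops in the file already do.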
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
new file mode 100644
index 000000000..458800cb5
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
@@ -0,0 +1,18 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/values.yaml
new file mode 100644
index 000000000..af25fac8b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/gateways/istio-ingress/values.yaml
@@ -0,0 +1,322 @@
+# A-la-carte istio ingress gateway.
+# Must be installed in a separate namespace, to minimize access to secrets.
+
+gateways:
+ istio-ingressgateway:
+ name: istio-ingressgateway
+ labels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ protocol: TCP
+ - port: 80
+ targetPort: 8080
+ name: http2
+ protocol: TCP
+ - port: 443
+ targetPort: 8443
+ name: https
+ protocol: TCP
+
+ # Scalability tuning
+ # replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+
+ cpu:
+ targetAverageUtilization: 80
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+
+ loadBalancerIP: ""
+ loadBalancerSourceRanges: []
+ serviceAnnotations: {}
+
+ # Enable cross-cluster access using SNI matching
+ zvpn:
+ enabled: false
+ suffix: global
+
+ # To generate an internal load balancer:
+ # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal
+ #serviceAnnotations:
+ # cloud.google.com/load-balancer-type: "internal"
+
+ podAnnotations: {}
+ type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+
+ ##############
+ secretVolumes:
+ - name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ mountPath: /etc/istio/ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ mountPath: /etc/istio/ingressgateway-ca-certs
+
+ customService: false
+ externalTrafficPolicy: ""
+
+ ingressPorts: []
+ additionalContainers: []
+ configVolumes: []
+
+ ### Advanced options
############
+ env:
+ # A gateway with this mode ensures that pilot generates an additional
+ # set of clusters for internal services but without Istio mTLS, to
+ # enable cross cluster routing.
+ ISTIO_META_ROUTER_MODE: "standard"
+
+ nodeSelector: {}
+ tolerations: []
+
+ # Specify the pod anti-affinity that allows you to constrain which nodes
+ # your pod is eligible to be scheduled based on labels on pods that are
+ # already running on the node rather than based on labels on nodes.
+ # There are currently two types of anti-affinity:
+ # "requiredDuringSchedulingIgnoredDuringExecution"
+ # "preferredDuringSchedulingIgnoredDuringExecution"
+ # which denote "hard" vs. "soft" requirements, you can define your values
+ # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
+ # correspondingly.
+ # For example:
+ # podAntiAffinityLabelSelector:
+ # - key: security
+ # operator: In
+ # values: S1,S2
+ # topologyKey: "kubernetes.io/hostname"
+ # This pod anti-affinity rule says that the pod requires not to be scheduled
+ # onto a node if that node is already running a pod with label having key
+ # "security" and value "S1".
+ podAntiAffinityLabelSelector: []
+ podAntiAffinityTermLabelSelector: []
+
+ # whether to run the gateway in a privileged container
+ runAsRoot: false
+
+ # The injection template to use for the gateway. If not set, no injection will be performed.
+ injectionTemplate: ""
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+global:
+ # set the default set of namespaces to which services, service entries, virtual services, destination
+ # rules should be exported to. Currently only one value can be provided in this list. This value
+ # should be one of the following two options:
+ # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar.
+ # .
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host
+ defaultConfigVisibilitySettings: []
+
+ # Default node selector to be applied to all deployments so that all pods can be
+ # constrained to run a particular nodes. Each component can overwrite these default
+ # values by adding its node selector block in the relevant section below and setting
+ # the desired values.
+ defaultNodeSelector: {}
+
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+
+ # Default node tolerations to be applied to all deployments so that all pods can be
+ # scheduled to a particular nodes with matching taints. Each component can overwrite
+ # these default values by adding its tolerations block in the relevant section below
+ # and setting the desired values.
+ # Configure this field in case that all pods of Istio control plane are expected to
+ # be scheduled to particular nodes with specified taints.
+ defaultTolerations: []
+
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.11.0
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+
+ # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows:
+ # 0 - Never scheduled
+ # 1 - Least preferred
+ # 2 - No preference
+ # 3 - Most preferred
+ arch:
+ amd64: 2
+ s390x: 2
+ ppc64le: 2
+
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+
+ proxy:
+ image: proxyv2
+
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ caAddress: ""
+
+ # Used to locate istiod.
+ istioNamespace: istio-system
+
+ # Configure the policy for validating JWT.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique. For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID.
Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+ # The suffix for global service names
+ globalDomainSuffix: "global"
+ # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication
+ includeEnvoyFilter: true
+
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+
+
+meshConfig:
+ enablePrometheusMerge: true
+
+ # The trust domain corresponds to the trust root of a system
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ defaultConfig:
+ proxyMetadata: {}
+ tracing:
+ # tlsSettings:
+ # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+ # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+ # privateKey: # example: /etc/istio/tracer/key.pem
+ # caCertificates: # example: /etc/istio/tracer/root-cert.pem
+ # sni: # example: tracer.somedomain
+ # subjectAltNames: []
+ # - tracer.somedomain
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/install-OpenShift.md b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/install-OpenShift.md
new file mode 100644
index 000000000..0417c07a3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/install-OpenShift.md
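Review bot: The `jwtPolicy` comment names the two options but not what they change: with `third-party-jwt` the deployment hunk at the top of this page mounts a projected ServiceAccount token with `expirationSeconds: 43200` and an `audience` of `sds.token.aud`, whereas with `first-party-jwt` (which install-OpenShift.md in this diff passes on every `helm install` line) no projected token is rendered and the gateway presumably falls back to the auto-mounted, non-expiring ServiceAccount token. Since that is a security-relevant downgrade made by a one-line override, suggest extending the comment: `# third-party-jwt (default) uses short-lived, audience-bound projected tokens and requires a cluster that supports service-account token projection; first-party-jwt uses the legacy long-lived token.`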
@@ -0,0 +1,43 @@
+# Installing Istio on OpenShift using Helm
+
+> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio.
+
+To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows:
+
+```console
+kubectl create namespace istio-system
+```
+
+The installation process using the Helm charts is as follows:
+
+1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended.
+
+```console
+helm install istio-base -n istio-system manifests/charts/base
+```
+
+2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage.
+
+```console
+helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info
+```
+
+3) `istio-control/istio-discovery` chart installs a revision of istiod.
+
+```console
+ helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni"
+```
+
+4) `gateways` charts install a load balancer with `ingress` and `egress`.
+
+Ingress secrets and access should be separated from the control plane.
+
+```console
+helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt
+```
+
+Egress secrets and access should be separated from the control plane.
+
+```console
+helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt
+```
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/Chart.yaml
new file mode 100644
index 000000000..7a03caae0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+name: istio-cni
+version: 1.11.0
+description: Helm chart for istio-cni components
+keywords:
+ - istio-cni
+ - istio
+sources:
+ - http://github.com/istio/cni
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/clusterrole.yaml
new file mode 100644
index 000000000..7f7030de3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/clusterrole.yaml
@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cni
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+rules:
+- apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
+---
+{{- if .Values.cni.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cni-repair-role
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "delete", "patch", "update" ]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ]
+{{- end }}
+---
+ {{- if .Values.cni.taint.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-cni-taint-role
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "create", "update"]
+ {{- end }}
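Review bot: `istio-cni-repair-role` grants `delete`, `patch` and `update` on every Pod in the cluster, and `istio-cni-taint-role` grants `update`/`patch` on every Node, both to the `istio-cni` ServiceAccount that the daemonset.yaml hunk later on this page runs on every node; a compromise of any one node's CNI pod therefore carries cluster-wide pod-deletion and node-tainting authority, so these two roles deserve a comment at the grant, e.g. `# Cluster-wide pod delete/patch; leave cni.repair.enabled=false unless pod repair is actually needed`. Both roles are opt-in via `cni.repair.enabled` and `cni.taint.enabled`, and install-OpenShift.md in this diff does pass `cni.repair.enabled=false`, which is the posture to keep by default. As a consistency point, the ClusterRoles here carry `app: istio-cni` and `release:` labels while the repair and taint bindings in the clusterrolebinding.yaml hunk carry only `k8s-app:`, so no single label selector lists the CNI RBAC objects together.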
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..deabd5238
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/clusterrolebinding.yaml
@@ -0,0 +1,78 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cni
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cni
+subjects:
+- kind: ServiceAccount
+ name: istio-cni
+ namespace: {{ .Release.Namespace }}
+---
+{{- if .Values.cni.repair.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cni-repair-rolebinding
+ labels:
+ k8s-app: istio-cni-repair
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+subjects:
+- kind: ServiceAccount
+ name: istio-cni
+ namespace: {{ .Release.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cni-repair-role
+{{- end }}
+---
+{{- if ne .Values.cni.psp_cluster_role "" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istio-cni-psp
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.cni.psp_cluster_role }}
+subjects:
+- kind: ServiceAccount
+ name: istio-cni
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+---
+{{- if .Values.cni.taint.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cni-taint-rolebinding
+ labels:
+ k8s-app: istio-cni-taint
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ 
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+subjects:
+ - kind: ServiceAccount
+ name: istio-cni
+ namespace: {{ .Release.Namespace}}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cni-taint-role
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/configmap-cni.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/configmap-cni.yaml
new file mode 100644
index 000000000..9c51b257e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/configmap-cni.yaml
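Review bot: The `istio-cni-repair-rolebinding` and `istio-cni-taint-rolebinding` subjects write `{{ .Release.Namespace}}` (no space before the closing delimiter) where every other reference in this file, and in the clusterrole.yaml hunk, uses `{{ .Release.Namespace }}`; it renders identically, but the inconsistency defeats a plain-text grep for namespace references during an RBAC audit. Those two bindings also carry only a `k8s-app:` label and omit the `app: istio-cni` / `release:` pair that the first binding and the ClusterRoles set, so `kubectl get clusterrolebinding -l app=istio-cni` does not return them. Aligning the label set across the four bindings would let one selector enumerate the CNI RBAC objects.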
@@ -0,0 +1,46 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: istio-cni-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+data:
+ # The CNI network configuration to add to the plugin chain on each node. The special
+ # values in this config will be automatically populated.
+ cni_network_config: |-
+ {
+ "cniVersion": "0.3.1",
+ "name": "istio-cni",
+ "type": "istio-cni",
+ "log_level": {{ quote .Values.cni.logLevel }},
+ "log_uds_address": "__LOG_UDS_ADDRESS__",
+ "kubernetes": {
+ "kubeconfig": "__KUBECONFIG_FILEPATH__",
+ "cni_bin_dir": {{ quote .Values.cni.cniBinDir }},
+ "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ]
+ }
+ }
+---
+ {{- if .Values.cni.taint.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "istio-cni-taint-configmap"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
+data:
+ config: |
+ - name: istio-cni
+ selector: k8s-app=istio-cni-node
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/daemonset.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/daemonset.yaml
new file mode 100644
index 000000000..649dcdfca
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/daemonset.yaml
@@ -0,0 +1,157 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: istio-cni-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: istio-cni-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +spec: + selector: + matchLabels: + k8s-app: istio-cni-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: istio-cni-node + sidecar.istio.io/inject: "false" + annotations: + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. + scheduler.alpha.kubernetes.io/critical-pod: '' + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Custom annotations + {{- if .Values.cni.podAnnotations }} +{{ toYaml .Values.cni.podAnnotations | indent 8 }} + {{- end }} + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: istio-cni + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
+ terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.cni.image }} + image: "{{ .Values.cni.image }}" +{{- else }} + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}" +{{- end }} +{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + livenessProbe: + httpGet: + path: /healthz + port: 8000 + initialDelaySeconds: 5 + readinessProbe: + httpGet: + path: /readyz + port: 8000 + command: ["install-cni"] + env: +{{- if .Values.cni.cniConfFileName }} + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "{{ .Values.cni.cniConfFileName }}" +{{- end }} + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: istio-cni-config + key: cni_network_config + - name: CNI_NET_DIR + value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Deploy as a standalone CNI plugin or as chained? 
+ - name: CHAINED_CNI_PLUGIN + value: "{{ .Values.cni.chained }}" + - name: REPAIR_ENABLED + value: "{{ .Values.cni.repair.enabled }}" + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_LABEL_PODS + value: "{{.Values.cni.repair.labelPods}}" + # Set to true to enable pod deletion + - name: REPAIR_DELETE_PODS + value: "{{.Values.cni.repair.deletePods}}" + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + - name: REPAIR_INIT_CONTAINER_NAME + value: "{{ .Values.cni.repair.initContainerName }}" + - name: REPAIR_BROKEN_POD_LABEL_KEY + value: "{{.Values.cni.repair.brokenPodLabelKey}}" + - name: REPAIR_BROKEN_POD_LABEL_VALUE + value: "{{.Values.cni.repair.brokenPodLabelValue}}" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-log-dir +{{- if .Values.cni.taint.enabled }} + - name: taint-controller +{{- if contains "/" .Values.cni.image }} + image: "{{ .Values.cni.image }}" +{{- else }} + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}" +{{- end }} +{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + command: ["/opt/local/bin/istio-cni-taint"] + env: + - name: "TAINT_RUN-AS-DAEMON" + value: "true" + - name: "TAINT_CONFIGMAP-NAME" + value: "istio-cni-taint-configmap" + - name: "TAINT_CONFIGMAP-NAMESPACE" + value: {{ .Release.Namespace | quote }} +{{- end }} + volumes: + # Used to install CNI. 
+ - name: cni-bin-dir
+ hostPath:
+ path: {{ default "/opt/cni/bin" .Values.cni.cniBinDir }}
+ - name: cni-net-dir
+ hostPath:
+ path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }}
+ # Used for UDS log
+ - name: cni-log-dir
+ hostPath:
+ path: /var/run/istio-cni
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/serviceaccount.yaml
new file mode 100644
index 000000000..4645db63a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-cni
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-cni
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Cni"
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/values.yaml
new file mode 100644
index 000000000..ecb1ef5e3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-cni/values.yaml
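Review bot: Neither the install-cni container nor the taint-controller container in this hunk declares a `securityContext`, while both mount the node's `/opt/cni/bin` and `/etc/cni/net.d` from hostPath volumes, so whatever runs in them does so with the image's default user and default capability set. Writing the plugin binary and config to the host mounts is the DaemonSet's job, but that should not prevent `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `readOnlyRootFilesystem: true` on the container (the mounted host paths stay writable); since this looks like a verbatim copy of the upstream 1.11.0 chart, I would track that as a documented local override or an upstream follow-up rather than patch it silently here. The `scheduler.alpha.kubernetes.io/critical-pod` pod annotation is a legacy mechanism that recent Kubernetes releases no longer honour, and `priorityClassName: system-node-critical` already covers it; a comment such as `# critical-pod annotation is legacy; priorityClassName is what current clusters act on` would save the next reader the question.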
@@ -0,0 +1,79 @@
+cni:
+ hub: ""
+ tag: ""
+ image: install-cni
+ pullPolicy: ""
+
+ logLevel: info
+
+ # Configuration file to insert istio-cni plugin configuration
+ # by default this will be the first file found in the cni-conf-dir
+ # Example
+ # cniConfFileName: 10-calico.conflist
+
+ # CNI bin and conf dir override settings
+ # defaults:
+ cniBinDir: /opt/cni/bin
+ cniConfDir: /etc/cni/net.d
+ cniConfFileName: ""
+
+ excludeNamespaces:
+ - istio-system
+ - kube-system
+
+ # Custom annotations on pod level, if you need them
+ podAnnotations: {}
+
+ # If this value is set a RoleBinding will be created
+ # in the same namespace as the istio-cni DaemonSet is created.
+ # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
+ # e.g. if you use PodSecurityPolicies
+ psp_cluster_role: ""
+
+ # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+ # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+ chained: true
+
+ repair:
+ enabled: true
+ hub: ""
+ tag: ""
+
+ labelPods: true
+ deletePods: true
+
+ initContainerName: "istio-validation"
+
+ brokenPodLabelKey: "cni.istio.io/uninitialized"
+ brokenPodLabelValue: "true"
+
+ # Experimental taint controller for further race condition mitigation
+ taint:
+ enabled: false
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.11.0
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/Chart.yaml
new file mode 100644
index 000000000..98ef7c808
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: istio-discovery
+version: 1.11.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio control plane
+keywords:
+ - istio
+ - istiod
+ - istio-discovery
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/NOTES.txt b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/NOTES.txt
new file mode 100644
index 000000000..298b6921d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/NOTES.txt
@@ -0,0 +1,8 @@
+Minimal control plane for Istio. Pilot and mesh config are included.
+
+MCP and injector should optionally be installed in the same namespace. Alternatively remote
+address of an MCP server can be set.
+
+
+Thank you for installing Istio 1.11. Please take a few minutes to tell us about your install/upgrade experience!
+ https://forms.gle/kWULBRjUv7hHci7T6
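Review bot: `repair.labelPods: true` and `repair.deletePods: true` are on by default, and those flags are fed straight into the DaemonSet's `REPAIR_LABEL_PODS` / `REPAIR_DELETE_PODS` env (L999), so the `istio-cni` ServiceAccount presumably needs cluster-wide permission to label and delete pods for the repair loop to do anything; the ClusterRole that grants that is not in this chunk, so the consumer of this module should confirm the bound role matches these defaults and that the blast radius of a node agent that can delete arbitrary pods is acceptable. A comment next to the two keys would make the trade-off explicit, e.g. `# deletePods needs pod delete on the istio-cni ServiceAccount across namespaces; set false to limit repair to labelling`. `global.tag: 1.11.0` under `hub: docker.io/istio` pins images by a mutable tag rather than a digest, which is the upstream default; if this module is meant to give reproducible builds, note in the file how `hub`/`tag` are expected to be overridden rather than leaving the reader to infer it.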
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml new file mode 100644 index 000000000..6d7588377 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml 
@@ -0,0 +1,205 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} 
+ - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml new file mode 100644 index 000000000..5f374363c --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml 
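Review bot: The injected gateway `istio-proxy` container in this template (the container starts near the top of the hunk on L1004) has no container-level `securityContext` at all — no `runAsNonRoot`, `readOnlyRootFilesystem` or `capabilities.drop` — and the only pod-level setting is `fsGroup: 1337`, itself gated on the `ENABLE_LEGACY_FSGROUP_INJECTION` process-environment default rather than a chart value, so the identity the gateway proxy runs under is decided by the image and the istiod environment, not by anything in this file. That is how the upstream 1.11.0 template is written, but a terraform-module consumer will want it stated; a header comment such as `# NOTE: no container securityContext is set for the gateway proxy; harden via the workload's own securityContext or pod security admission` would make it visible without altering behaviour. Separately, the `istio-certs` volume falls back to `secretName: istio.default` when the workload's ServiceAccount name is empty and is declared `optional: true`, so a missing secret is silently tolerated when `mountMtlsCerts` is on — worth a one-line comment so operators do not assume mTLS material is guaranteed to be mounted.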
@@ -0,0 +1,3020 @@ +--- +# Source: istio-discovery/templates/poddisruptionbudget.yaml +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + istio: pilot +--- +# Source: istio-discovery/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +--- +# Source: istio-discovery/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. 
+ meshNetworks: |- + networks: {} + + mesh: |- + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + tracing: + zipkin: + address: zipkin.istio-system:9411 + enablePrometheusMerge: true + rootNamespace: istio-system + trustDomain: cluster.local +--- +# Source: istio-discovery/templates/istiod-injector-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + values: |- + { + "global": { + "caAddress": "", + "configCluster": false, + "configValidation": true, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "externalIstiod": false, + "hub": "gcr.io/istio-testing", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": "third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "holdApplicationUntilProxyStarts": false, + "image": "proxyv2", + "includeIPRanges": "*", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": 
"128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2", + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + } + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "latest", + "tracer": { + "datadog": { + "address": "$(HOST_IP):8126" + }, + "lightstep": { + "accessToken": "", + "address": "" + }, + "stackdriver": { + "debug": false, + "maxNumberOfAnnotations": 200, + "maxNumberOfAttributes": 200, + "maxNumberOfMessageEvents": 200 + }, + "zipkin": { + "address": "" + } + }, + "useMCP": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "defaultTemplates": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "objectSelector": { + "autoInject": true, + "enabled": true + }, + "rewriteAppHTTPProbe": true, + "templates": {} + } + } + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. 
+ config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + defaultTemplates: [sidecar] + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + injectedAnnotations: + template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" + templates: + sidecar: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + {{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta 
`traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{- end }} + } + spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` 
.Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index 
.ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + 
capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - 
--proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if gt .EstimatedConcurrency 0 }}
+ - --concurrency
+ - "{{ .EstimatedConcurrency }}"
+ {{- end -}}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- else if $holdProxy }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - pilot-agent
+ - wait
+ {{- end }}
+ env:
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- 
$first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: ISTIO_BOOTSTRAP_OVERRIDE
+ value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+ {{- end }}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . 
}}"
+ {{- end }}
+ {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+ capabilities:
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ add:
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+ - NET_ADMIN
+ {{- end }}
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+ - NET_BIND_SERVICE
+ {{- end }}
+ {{- end }}
+ drop:
+ - ALL
+ privileged: {{ .Values.global.proxy.privileged }}
+ readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ runAsGroup: 1337
+ fsGroup: 1337
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else -}}
+ runAsNonRoot: true
+ runAsUser: 1337
+ {{- end }}
+ resources:
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ 
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+ name: lightstep-certs
+ readOnly: true
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - 
name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
}}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
+ gateway: |
+ {{- $containers := list }}
+ {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+ metadata:
+ labels:
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ istio.io/rev: {{ .Revision | default "default" | quote }}
+ annotations: {
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ }
+ spec:
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- end }}
+ env:
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and 
.TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+ volumeMounts:
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ volumes:
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . 
}}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
+ grpc-simple: |
+ spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "dns:///istiod.istio-system.svc:15010",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
+ grpc-agent: |
+ {{- $containers := list }}
+ {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+ metadata:
+ annotations: {
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ }
+ spec:
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ {{ if not (eq $container.Name "istio-proxy") }}
+ - name: 
{{ $container.Name }}
+ env:
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/var/lib/istio/data/grpc-bootstrap.json"
+ - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+ value: "true"
+ volumeMounts:
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- end }}
+ {{- end }}
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ env:
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/var/lib/istio/data/grpc-bootstrap.json"
+ - name: ISTIO_META_GENERATOR
+ value: grpc
+ - name: OUTPUT_CERTS
+ value: /var/lib/istio/data
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: 
metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . 
}}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ # grpc uses xds:/// to resolve – no need to resolve VIP
+ - name: ISTIO_META_DNS_CAPTURE
+ value: "false"
+ - name: DISABLE_ENVOY
+ value: "true"
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: {{ .Values.global.proxy.statusPort }}
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ resources:
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset 
.ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - emptyDir:
+ medium: Memory
+ name: istio-xds
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations 
`sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+---
+# Source: istio-discovery/templates/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole-istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+ - apiGroups: ["networking.k8s.io"]
+ 
resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", "delete"]
+---
+# Source: istio-discovery/templates/reader-clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole-istio-system
+ labels:
+ app: istio-reader
+ release: istio
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", 
"list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+---
+# Source: istio-discovery/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole-istio-system
+ labels:
+ app: istiod
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istiod
+ namespace: istio-system
+---
+# Source: istio-discovery/templates/reader-clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole-istio-system
+ labels:
+ app: istio-reader
+ release: istio
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole-istio-system
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: istio-system
+---
+# Source: istio-discovery/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod
+ namespace: istio-system
+ labels:
+ app: istiod
+ release: istio
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: istio-discovery/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod +subjects: + - kind: ServiceAccount + name: istiod + namespace: istio-system +--- +# Source: istio-discovery/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: istio +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + # Label used by the 'default' service. For versioned deployments we match with app and version. 
+ # This avoids default deployment picking the canary + istio: pilot +--- +# Source: istio-discovery/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + istio: pilot + release: istio +spec: + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + istio: pilot + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istiod + securityContext: + fsGroup: 1337 + containers: + - name: discovery + image: "gcr.io/istio-testing/pilot:latest" + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "default" + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: 
"true" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "true" + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "false" + - name: CLUSTER_ID + value: "Kubernetes" + resources: + requests: + cpu: 500m + memory: 2048Mi + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true +--- +# Source: istio-discovery/templates/autoscale.yaml +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +# Source: istio-discovery/templates/revision-tags.yaml +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +--- +# Source: 
istio-discovery/templates/telemetryv2_1.10.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.10 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.10.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.10 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.10.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.10 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: 
+ filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.10.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.10 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + 
filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.11 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + 
"@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: 
+ filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.11.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + 
filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +# Note: metadata exchange filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.9 + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + 
"@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.9 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.9 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: 
envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istio-discovery/templates/telemetryv2_1.9.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.9 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: 
'^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "source_cluster": "node.metadata['CLUSTER_ID']", + "destination_cluster": "upstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istio-discovery/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: istio +webhooks: +- name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "default" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +- name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: 
["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "default" +- name: namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +- name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist +--- +# Source: istio-discovery/templates/validatingwebhookconfiguration.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator-istio-system + labels: + app: istiod + release: istio + istio: istiod + istio.io/rev: default +webhooks: + # Webhook handling per-revision validation. 
Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ service:
+ name: istiod
+ namespace: istio-system
+ path: "/validate"
+ caBundle: "" # patched at runtime when the webhook is ready.
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "default"
+ # Webhook handling default validation
+ - name: validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ service:
+ name: istiod
+ namespace: istio-system
+ path: "/validate"
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
new file mode 100644
index 000000000..b20a9c47d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
@@ -0,0 +1,234 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + {{- range $index, $container := .Spec.Containers }} + {{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_BOOTSTRAP" + value: "/var/lib/istio/data/grpc-bootstrap.json" + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- end }} + {{- end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: "GRPC_XDS_BOOTSTRAP" + value: "/var/lib/istio/data/grpc-bootstrap.json" + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: 
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) 
}} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + # UDS channel between istioagent and gRPC client for XDS/SDS + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + 
fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml
new file mode 100644
index 000000000..cf592e681
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml
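Review bot: The injected `istio-proxy` container in this template carries no `securityContext` at all, so the agent runs with whatever the image and pod defaults provide, whereas the sibling injection-template.yaml in this same commit pins the equivalent container to `runAsUser: 1337`, `runAsNonRoot: true`, `capabilities.drop: [ALL]` and a read-only root filesystem. The agent here only writes to the `istio-data` and `istio-xds` emptyDir mounts, so the same hardening (minus the Envoy/TPROXY branches) should be safe to apply between `resources:` and `volumeMounts:`; a proposed block is below, assuming the proxyv2 image's agent runs as 1337 here as it does for the sidecar. This file appears to be vendored from the upstream Istio 1.11.0 chart, so the change is better carried as an overlay or upstream patch than as a local edit that the next upgrade would overwrite.
```yaml
      resources:
      # … unchanged: annotation-driven requests/limits …
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - ALL
        privileged: false
        readOnlyRootFilesystem: true
        runAsGroup: 1337
        runAsNonRoot: true
        runAsUser: 1337
      volumeMounts:
      # … unchanged: istiod-ca-cert / istio-data / istio-xds / istio-token / istio-podinfo mounts …
```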
@@ -0,0 +1,58 @@
+spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "dns:///istiod.istio-system.svc:15010",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
new file mode 100644
index 000000000..e8659bbb9
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
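Review bot: The bootstrap written by `grpc-bootstrap-init` points every application container at `dns:///istiod.istio-system.svc:15010` with `"channel_creds": [{"type": "insecure"}]`, i.e. plaintext xDS with no server authentication, and nothing in the hunk marks this template as development-only. A header comment such as `# Dev/experimental only: unauthenticated plaintext xDS on istiod:15010; use grpc-agent.yaml (agent with CA_ADDR :15012 and SDS over the istio-xds UDS) for anything beyond local testing.` would make the trade-off visible to whoever picks this template. Two smaller points in the same container: `image: busybox:1.28` is a mutable tag with no digest, and `GRPC_GO_LOG_VERBOSITY_LEVEL: "99"` is injected into every application container, which is a lot of log volume outside a lab. This file appears to be a vendored upstream Istio chart file, so the comment belongs in an overlay or an upstream change rather than a local edit.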
@@ -0,0 +1,466 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} +{{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation 
.ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ 
$value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + 
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- 
if gt .EstimatedConcurrency 0 }} + - --concurrency + - "{{ .EstimatedConcurrency }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if 
.Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} 
+ runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + 
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - 
name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/kustomization.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/kustomization.yaml
new file mode 100644
index 000000000..7f9bbc394
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - files/gen-istio.yaml
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
new file mode 100644
index 000000000..b8b14ad0b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+spec:
+ maxReplicas: {{ .Values.pilot.autoscaleMax }}
+ minReplicas: {{ .Values.pilot.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
new file mode 100644
index 000000000..0956c9b48
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
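Review bot: The HorizontalPodAutoscaler is declared with `apiVersion: autoscaling/v2beta1`, an API version Kubernetes removed in 1.25, so on current EKS releases this manifest fails at apply time; `targetAverageUtilization` is likewise a v2beta1-only field that `autoscaling/v2` expresses as `target: {type: Utilization, averageUtilization: …}`. The file appears to be Istio 1.11.0's template vendored unchanged, so the module should record the maximum Kubernetes version it supports next to the `istio-1.11.0` directory, or carry the API bump as a tracked patch rather than a silent local edit. Note also that `{{ .Values.pilot.cpu.targetAverageUtilization }}` has no `default`, so if the chart's values.yaml (not visible here) does not supply one the rendered metric is empty and the HPA is rejected.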
@@ -0,0 +1,112 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", "delete"]
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..cadb5996b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
new file mode 100644
index 000000000..7b719ac7e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
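Review bot: The istiod ClusterRole grants `get`, `watch`, `list` on `secrets` with no namespace or `resourceNames` restriction, and the ClusterRoleBinding in the same hunk binds it cluster-wide, so compromise of the istiod service-account token (or of the istiod pod) yields every Secret in the cluster, not just the `cacerts`/`istio-kubeconfig` material istiod mounts. The in-file comment only says `# Needed for multicluster secret reading, possibly ingress certs in the future`; it should state the blast radius so a single-cluster consumer of this module knows what it is accepting, e.g. `# NOTE: cluster-wide Secret read (multi-cluster remote secrets); an istiod SA compromise exposes all Secrets in the cluster`. The `approve` verb on the `kubernetes.io/legacy-unknown` signer together with `create`/`delete` on `certificatesigningrequests` is a second high-value grant that deserves the same callout, since it lets the SA mint cluster-signed certificates. This appears to be upstream 1.11.0's template vendored unchanged, so the caveat belongs in the module's README rather than as a local edit that the next vendor bump would overwrite.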
@@ -0,0 +1,14 @@
+{{- if .Values.pilot.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+data:
+ extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
new file mode 100644
index 000000000..17b52f101
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
@@ -0,0 +1,100 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: {{ .Values.global.meshID }} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. 
+ maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- else }} + {} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.externalIstiod }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . 
| fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml new file mode 100644 index 000000000..6eba599f7 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 
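Review bot: `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` renders the LightStep access token in plaintext into the `mesh` key of the `istio` ConfigMap, so anyone with ConfigMap read in the Istio namespace, and anyone who can read the Terraform state or tfvars carrying that value, obtains the credential; ConfigMaps also do not get the at-rest encryption or RBAC separation that Secrets do. If this module ever enables the `lightstep` tracer the token must not travel through values files, and the module docs should say the rendered ConfigMap contains it. Separately, `$mesh := mergeOverwrite $originalMesh .Values.meshConfig` means any key a consumer sets under `meshConfig` replaces the same key rendered by the `mesh` template above (including `discoveryAddress` and the tracer block) with no warning, which is worth a comment on that line, e.g. `# NOTE: user meshConfig keys override everything rendered by the "mesh" template above`. This appears to be Istio 1.11.0's template vendored as-is, so both points are for the consuming module rather than a local edit.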
@@ -0,0 +1,215 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} +{{- range $key, $val := .Values.pilot.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.pilot.autoscaleEnabled }} +{{- if .Values.pilot.replicaCount }} + replicas: {{ .Values.pilot.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.pilot.rollingMaxSurge }} + maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + {{- end }} + sidecar.istio.io/inject: "false" + {{- if .Values.pilot.podAnnotations }} +{{ toYaml .Values.pilot.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + securityContext: + fsGroup: 1337 + containers: + - name: discovery +{{- if contains "/" 
.Values.pilot.image }} + image: "{{ .Values.pilot.image }}" +{{- else }} + image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if .Values.pilot.plugins }} + - --plugins={{ .Values.pilot.plugins }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + {{- if .Values.pilot.env }} + {{- range $key, $val := .Values.pilot.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.pilot.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.pilot.traceSampling }}" 
+{{- end }} + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" + - name: ISTIOD_ADDR + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" +{{- if not .Values.telemetry.v2.enabled }} + - name: PILOT_ENDPOINT_TELEMETRY_LABEL + value: "false" +{{- end }} + resources: +{{- if .Values.pilot.resources }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + {{- end }} + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. 
+ - emptyDir: + medium: Memory + name: local-certs + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml new file mode 100644 index 000000000..b6b1fa8e8 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml 
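Review bot: The `discovery` container's `securityContext` drops all capabilities and pins UID/GID 1337 but leaves `allowPrivilegeEscalation` and `seccompProfile` unset, so the istiod pod does not pass the restricted Pod Security Standard or an equivalent admission policy even though nothing visible in its args or mounts needs either; adding `allowPrivilegeEscalation: false` and `seccompProfile: { type: RuntimeDefault }` beneath the existing `capabilities.drop: [ALL]` closes that gap. `readOnlyRootFilesystem: true` would presumably work too, since the only writable path shown is the `local-certs` emptyDir, but that needs a test run before being asserted. The pod also mounts an optional `istio-kubeconfig` Secret and exports it as `KUBECONFIG=/var/run/secrets/remote/config`, presumably the remote-cluster credential for multi-cluster setups; a comment on that volume (`# Optional: remote-cluster kubeconfig — istiod inherits whatever this kubeconfig can do`) would help operators who never intend to create it understand why it is optional. This is upstream 1.11.0's template vendored unchanged, so these belong in the module README or a tracked patch rather than an in-place edit.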
@@ -0,0 +1,67 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": "{{ $val }}" + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". 
+ This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..dcb84dde3 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml 
@@ -0,0 +1,144 @@ +{{- /* Core defines the common configuration used by all webhook segments */}} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: "{{ .Values.istiodRemote.injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "{{ .Values.istiodRemote.injectionPath }}" + port: 443 + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy .) 
(dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy .) 
(dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..40b2e6015 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml 
@@ -0,0 +1,25 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..f19f1e869
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
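Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25, so this manifest fails to apply on current EKS releases; `policy/v1` carries the same `minAvailable`/`selector` fields, so the fix is the single line `apiVersion: policy/v1`. Separately, `minAvailable: 1` combined with a single istiod replica (the Deployment in this diff only sets `replicas` from `.Values.pilot.replicaCount`, whose default is not visible here) makes the PDB block every `kubectl drain` of the node hosting istiod, an operational trap worth a comment beside `minAvailable: 1`, e.g. `# NOTE: with one replica this PDB blocks node drains; run >=2 replicas or disable defaultPodDisruptionBudget`. As this is the vendored 1.11.0 template, the API bump is better carried as a documented patch than as a silent local edit.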
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..4f9925c9d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
new file mode 100644
index 000000000..fc500eb5f
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
@@ -0,0 +1,113 @@
+# Adapted from istio-discovery/templates/mutatingwebhook.yaml
+# Removed paths for legacy and default selectors since a revision tag
+# is inherently created from a specific revision
+{{- define "core" }}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .Values.istiodRemote.injectionURL }}
+ url: "{{ .Values.istiodRemote.injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ path: "{{ .Values.istiodRemote.injectionPath }}"
+ {{- end }}
+ caBundle: ""
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+
+{{- range $tagName := $.Values.revisionTags }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq $.Release.Namespace "istio-system"}}
+ name: istio-revision-tag-{{ $tagName }}
+{{- else }}
+ name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/tag: {{ $tagName }}
+ istio.io/rev: {{ $.Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ $.Release.Name }}
+webhooks:
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "{{ $tagName }}"
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ - "{{ $tagName }}"
+
+{{- /* When the tag is "default" we want to create webhooks for the default revision */}}
+{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}}
+{{- if (eq $tagName "default") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/role.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/role.yaml
new file mode 100644
index 000000000..25c4f5c3b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
new file mode 100644
index 000000000..0d700f008
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/service.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/service.yaml
new file mode 100644
index 000000000..1d4d9febb
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/service.yaml
@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: istiod
+ istio: pilot
+ release: {{ .Release.Name }}
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # plaintext
+ protocol: TCP
+ - port: 15012
+ name: https-dns # mTLS with k8s-signed cert
+ protocol: TCP
+ - port: 443
+ name: https-webhook # validation and injection
+ targetPort: 15017
+ protocol: TCP
+ - port: 15014
+ name: http-monitoring # prometheus stats
+ protocol: TCP
+ selector:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ # Label used by the 'default' service. For versioned deployments we match with app and version.
+ # This avoids default deployment picking the canary
+ istio: pilot
+ {{- end }}
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ee6cbc326
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
new file mode 100644
index 000000000..bc7b72562
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
@@ -0,0 +1,783 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +# Note: metadata exchange filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: 
type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + patch: + operation: INSERT_BEFORE + value: + name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {} + vm_config: + {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.metadata_exchange + {{- end }} +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-metadata-exchange-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: {} + patch: + operation: INSERT_BEFORE + value: + name: 
istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange + - applyTo: CLUSTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + cluster: {} + patch: + operation: MERGE + value: + filters: + - name: istio.metadata_exchange + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange + value: + protocol: istio-peer-exchange +--- +# Note: http stats filter is wasm enabled only in sidecars. 
+{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": 
type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: 
envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + 
{{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: 
envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: 
EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} 
+ {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.10.*' + listener: + filterChain: + filter: + name: 
"envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.11.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.11.yaml new file mode 100644 index 000000000..0fe4ff6ee --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.11.yaml 
@@ -0,0 +1,783 @@
+{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
+# Note: metadata exchange filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+spec:
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
+ vm_config:
+ {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.metadata_exchange
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
+ vm_config:
+ {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.metadata_exchange
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
+ vm_config:
+ {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.metadata_exchange
+ {{- end }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-metadata-exchange-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener: {}
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+ value:
+ protocol: istio-peer-exchange
+ - applyTo: CLUSTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ cluster: {}
+ patch:
+ operation: MERGE
+ value:
+ filters:
+ - name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+ value:
+ protocol: istio-peer-exchange
+ - applyTo: CLUSTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.11.*'
+ cluster: {}
+ patch:
+ operation: MERGE
+ value:
+ filters:
+ - name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+ value:
+ protocol: istio-peer-exchange
+---
+# Note: http stats filter is wasm enabled only in sidecars.
+{{- if .Values.telemetry.v2.prometheus.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true,
+ "metrics": [
+ {
+ "dimensions": {
+ "destination_cluster": "node.metadata['CLUSTER_ID']",
+ "source_cluster": "downstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_inbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+---
+# Note: tcp stats filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "metrics": [
+ {
+ "dimensions": {
+ "destination_cluster": "node.metadata['CLUSTER_ID']",
+ "source_cluster": "downstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_inbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio"
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+---
+{{- end }}
+{{- if .Values.telemetry.v2.stackdriver.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+{{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_inbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.stackdriver.configOverride }}
+ {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"}
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stackdriver_outbound
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: envoy.wasm.null.stackdriver }
+---
+{{- if .Values.telemetry.v2.accessLogPolicy.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '1\.11.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "istio.stackdriver"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.access_log
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {
+ "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}"
+ }
+ vm_config:
+ runtime: envoy.wasm.runtime.null
+ code:
+ local: { inline_string: "envoy.wasm.access_log_policy" }
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.9.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.9.yaml
new file mode 100644
index 000000000..158651ef0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.9.yaml
@@ -0,0 +1,814 @@
+{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }}
+# Note: metadata exchange filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+spec:
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
+ vm_config:
+ {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.metadata_exchange
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
+ vm_config:
+ {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.metadata_exchange
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {}
+ vm_config:
+ {{- if .Values.telemetry.v2.metadataExchange.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/metadata-exchange-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.metadata_exchange
+ {{- end }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-metadata-exchange-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener: {}
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+ value:
+ protocol: istio-peer-exchange
+ - applyTo: CLUSTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ cluster: {}
+ patch:
+ operation: MERGE
+ value:
+ filters:
+ - name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+ value:
+ protocol: istio-peer-exchange
+ - applyTo: CLUSTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.9.*'
+ cluster: {}
+ patch:
+ operation: MERGE
+ value:
+ filters:
+ - name: istio.metadata_exchange
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange
+ value:
+ protocol: istio-peer-exchange
+---
+# Note: http stats filter is wasm enabled only in sidecars.
+{{- if .Values.telemetry.v2.prometheus.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "metrics": [
+ {
+ "dimensions": {
+ "source_cluster": "node.metadata['CLUSTER_ID']",
+ "destination_cluster": "upstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "metrics": [
+ {
+ "dimensions": {
+ "destination_cluster": "node.metadata['CLUSTER_ID']",
+ "source_cluster": "downstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_inbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "disable_host_header_fallback": true,
+ "metrics": [
+ {
+ "dimensions": {
+ "source_cluster": "node.metadata['CLUSTER_ID']",
+ "destination_cluster": "upstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: envoy.wasm.stats
+ {{- end }}
+---
+# Note: tcp stats filter is wasm enabled only in sidecars.
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: tcp-stats-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_INBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_inbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "metrics": [
+ {
+ "dimensions": {
+ "destination_cluster": "node.metadata['CLUSTER_ID']",
+ "source_cluster": "downstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_inbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "metrics": [
+ {
+ "dimensions": {
+ "source_cluster": "node.metadata['CLUSTER_ID']",
+ "destination_cluster": "upstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+ - applyTo: NETWORK_FILTER
+ match:
+ context: GATEWAY
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.tcp_proxy"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stats
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stats_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+ {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }}
+ {
+ "debug": "false",
+ "stat_prefix": "istio",
+ "metrics": [
+ {
+ "dimensions": {
+ "source_cluster": "node.metadata['CLUSTER_ID']",
+ "destination_cluster": "upstream_peer.cluster_id"
+ }
+ }
+ ]
+ }
+ {{- else }}
+ {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }}
+ {{- end }}
+ vm_config:
+ vm_id: tcp_stats_outbound
+ {{- if .Values.telemetry.v2.prometheus.wasmEnabled }}
+ runtime: envoy.wasm.runtime.v8
+ allow_precompiled: true
+ code:
+ local:
+ filename: /etc/istio/extensions/stats-filter.compiled.wasm
+ {{- else }}
+ runtime: envoy.wasm.runtime.null
+ code:
+ local:
+ inline_string: "envoy.wasm.stats"
+ {{- end }}
+---
+{{- end }}
+{{- if .Values.telemetry.v2.stackdriver.enabled }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ {{- if .Values.meshConfig.rootNamespace }}
+ namespace: {{ .Values.meshConfig.rootNamespace }}
+ {{- else }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+spec:
+ configPatches:
+{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }}
+ - applyTo: HTTP_FILTER
+ match:
+ context: SIDECAR_OUTBOUND
+ proxy:
+ proxyVersion: '^1\.9.*'
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: istio.stackdriver
+ typed_config:
+ "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+ type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+ value:
+ config:
+ root_id: stackdriver_outbound
+ configuration:
+ "@type": "type.googleapis.com/google.protobuf.StringValue"
+ value: |
+
{{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: 
stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - 
applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.9{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.9.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..890370e7c --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml 
@@ -0,0 +1,86 @@
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ caBundle: "" # patched at runtime when the webhook is ready.
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ # Webhook handling default validation
+ - name: validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/values.yaml
new file mode 100644
index 000000000..12099015b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-control/istio-discovery/values.yaml
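Review bot: The second webhook, `validation.istio.io`, sets `caBundle: ""` and `failurePolicy: Ignore` with none of the explanation that the first webhook carries, so a reader of that block alone sees an unauthenticated, fail-open admission webhook and has no way to tell whether that is intended. Suggest repeating the rationale beside it: `caBundle: "" # patched at runtime, together with failurePolicy -> Fail, by the webhook controller once the endpoint is ready`. If I read the first webhook's comment correctly, both webhooks stay fail-open until istiod's webhook controller performs that patch, so in a cluster where that controller never runs (e.g. webhook management handed to another component via `global.operatorManageWebhooks`) Istio config validation is silently skipped; that consequence is worth one line in the file's header comment so operators know what to verify after install.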
@@ -0,0 +1,525 @@ +#.Values.pilot for discovery and mesh wide config + +## Discovery Settings +pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + env: {} + + cpu: + targetAverageUtilization: 80 + + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: true + + nodeSelector: {} + podAnnotations: {} + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # This is used to set the source of configuration for + # the associated address in configSource, if nothing is specificed + # the default MCP is assumed. + configSource: + subscribedResources: [] + + plugins: [] + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + +sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. 
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Enable objectSelector to filter out pods with no need for sidecar before calling istiod. + # It is enabled by default as the minimum supported Kubernetes version is 1.15+ + objectSelector: + enabled: true + autoInject: true + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. 
+ # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] +istiodRemote: + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" +telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + metadataExchange: + # Indicates whether to enable WebAssembly runtime for metadata exchange filter. + wasmEnabled: false + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # Indicates whether to enable WebAssembly runtime for stats filter. + wasmEnabled: false + # overrides stats EnvoyFilter configuration. + configOverride: + gateway: {} + inboundSidecar: {} + outboundSidecar: {} + # stackdriver filter settings. + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. 
+ disableOutbound: false + # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. + + configOverride: {} + # e.g. + # disable_server_access_logging: false + # disable_host_header_fallback: true + # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. + accessLogPolicy: + enabled: false + # To reduce the number of successful logs, default log window duration is + # set to 12 hours. + logWindowDuration: "43200s" +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# Revision tags are aliases to Istio control plane revisions +revisionTags: [] + +# For Helm compatibility. +ownerName: "" + +# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options +meshConfig: + enablePrometheusMerge: true + # Config for the default ProxyConfig. + # Initially using directly the proxy metadata - can also be activated using annotations + # on the pod. This is an unsupported low-level API, pending review and decisions on + # enabling the feature. Enabling the DNS listener is safe - and allows further testing + # and gradual adoption by setting capture only on specific workloads. It also allows + # VMs to use other DNS options, like dnsmasq or unbound. + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. 
+ + rootNamespace: + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # TODO: the intent is to eventually have this enabled by default when security is used. + # It is not clear if user should normally need to configure - the metadata is typically + # used as an escape and to control testing and rollout, but it is not intended as a long-term + # stable API. + + # What we may configure in mesh config is the ".global" - and use of other suffixes. + # No hurry to do this in 1.6, we're trying to prove the code. + +global: + # Used to locate istiod. + istioNamespace: istio-system + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + # Default tag for Istio images. + tag: 1.11.0 + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. 
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + omitSidecarInjectorConfigMap: false + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. 
+ #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + #If set to true, istio-proxy container will have privileged securityContext + privileged: true + + # The number of successive failed probes before indicating readiness failure. 
+ readinessFailureThreshold: 30 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "zipkin" + + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: false + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Configure a remote cluster data plane controlled by an external istiod. + # When set to true, istiod is not deployed locally and only a subset of the other + # discovery charts are enabled. 
+ externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. 
The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. 
+ # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + stackdriver: + # enables trace output to stdout. + debug: false + # The global default max number of message events per span. + maxNumberOfMessageEvents: 200 + # The global default max number of annotation events per span. + maxNumberOfAnnotations: 200 + # The global default max number of attributes per span. + maxNumberOfAttributes: 200 + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + + # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. + useMCP: false + + # Determines whether this istiod performs resource validation. + configValidation: true + +base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/Chart.yaml new file mode 100644 index 000000000..127cf2414 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/Chart.yaml 
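Review bot: `privileged: true` under `global.proxy` gives every injected istio-proxy container a privileged securityContext mesh-wide, which is far more than the sidecar needs for its normal data-plane role and, if I remember the upstream 1.11 chart correctly, is a deviation from the upstream default of `false` in what otherwise reads as an unmodified vendored copy. The file itself keeps the iptables step in the separate `proxy_init` container (see the comment on its `image` key), so the sidecar has no stated reason to be privileged, and a privileged sidecar in every workload pod will typically be rejected by restrictive pod security policies. Suggest `privileged: false` with the existing comment kept as is, scoping any exception to the specific workloads that need it rather than to the whole mesh; if the deviation is intentional, add a comment above the key stating why, since nothing in the file records it.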
@@ -0,0 +1,12 @@
+apiVersion: v1
+name: istio-operator
+version: 1.11.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio operator
+keywords:
+ - istio
+ - operator
+sources:
+ - https://github.com/istio/istio/tree/master/operator
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/crds/crd-operator.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/crds/crd-operator.yaml
new file mode 100644
index 000000000..93ac1de07
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/crds/crd-operator.yaml
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/base/files
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1alpha1
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/files/gen-operator.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/files/gen-operator.yaml
new file mode 100644
index 000000000..f2b1f0251
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/files/gen-operator.yaml
@@ -0,0 +1,220 @@ +--- +# Source: istio-operator/templates/namespace.yaml +apiVersion: v1 +kind: Namespace +metadata: + name: istio-operator + labels: + istio-operator-managed: Reconcile + istio-injection: disabled +--- +# Source: istio-operator/templates/service_account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: istio-operator + name: istio-operator +--- +# Source: istio-operator/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: istio-operator +rules: +# istio groups +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - replicasets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - 
events + - namespaces + - pods + - pods/proxy + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +--- +# Source: istio-operator/templates/clusterrole_binding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-operator +subjects: +- kind: ServiceAccount + name: istio-operator + namespace: istio-operator +roleRef: + kind: ClusterRole + name: istio-operator + apiGroup: rbac.authorization.k8s.io +--- +# Source: istio-operator/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + namespace: istio-operator + labels: + name: istio-operator + name: istio-operator +spec: + ports: + - name: http-metrics + port: 8383 + targetPort: 8383 + protocol: TCP + selector: + name: istio-operator +--- +# Source: istio-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: istio-operator + name: istio-operator +spec: + replicas: 1 + selector: + matchLabels: + name: istio-operator + template: + metadata: + labels: + name: istio-operator + spec: + serviceAccountName: istio-operator + containers: + - name: istio-operator + image: gcr.io/istio-testing/operator:1.11-dev + command: + - operator + - server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + env: + - name: WATCH_NAMESPACE + value: "istio-system" + - name: LEADER_ELECTION_NAMESPACE + value: "istio-operator" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "istio-operator" + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: "300s" + - name: REVISION + value: "" 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/clusterrole.yaml
new file mode 100644
index 000000000..4e6bd74f3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/clusterrole.yaml
@@ -0,0 +1,115 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+rules:
+# istio groups
+- apiGroups:
+ - authentication.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - config.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - install.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - networking.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - security.istio.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+# k8s groups
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - mutatingwebhookconfigurations
+ - validatingwebhookconfigurations
+ verbs:
+ - '*'
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions.apiextensions.k8s.io
+ - customresourcedefinitions
+ verbs:
+ - '*'
+- apiGroups:
+ - apps
+ - extensions
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/finalizers
+ - replicasets
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ - clusterroles
+ - roles
+ - rolebindings
+ verbs:
+ - '*'
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - create
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - events
+ - namespaces
+ - pods
+ - pods/proxy
+ - persistentvolumeclaims
+ - secrets
+ - services
+ - serviceaccounts
+ verbs:
+ - '*'
+---
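Review bot: The final core-group rule grants `'*'` verbs on `secrets`, `serviceaccounts` and `pods/proxy` in every namespace, and the rbac.authorization.k8s.io rule grants `'*'` on `clusterroles` and `clusterrolebindings`, so the istio-operator ServiceAccount bound to this ClusterRole is effectively cluster-admin-equivalent (it can read any Secret and bind itself any role). This appears to be a straight copy of the upstream Istio 1.11.0 chart, so the rule set itself is probably best left untouched here, but the terraform module that installs it should state this blast radius and treat the `istio-operator` namespace and its ServiceAccount token as highly privileged. The rendered files/gen-operator.yaml hunk carries the identical rules and the same point applies there. A one-line comment above `# k8s groups`, such as `# NOTE: wildcard verbs on core secrets/serviceaccounts plus clusterroles/clusterrolebindings make this SA cluster-admin-equivalent`, would make the scope obvious to the next reviewer.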
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/clusterrole_binding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
new file mode 100644
index 000000000..9b9df7da8
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/clusterrole_binding.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+subjects:
+- kind: ServiceAccount
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{.Values.operatorNamespace}}
+roleRef:
+ kind: ClusterRole
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ apiGroup: rbac.authorization.k8s.io
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/crds.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/crds.yaml
new file mode 100644
index 000000000..a37036508
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/crds.yaml
@@ -0,0 +1,6 @@
+{{- if .Values.enableCRDTemplates -}}
+{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}}
+---
+{{ $.Files.Get $path }}
+{{- end -}}
+{{- end -}}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/deployment.yaml
new file mode 100644
index 000000000..1baaa8df4
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: {{.Values.operatorNamespace}}
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: istio-operator
+ template:
+ metadata:
+ labels:
+ name: istio-operator
+ spec:
+ serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ containers:
+ - name: istio-operator
+ image: {{.Values.hub}}/operator:{{.Values.tag}}
+ command:
+ - operator
+ - server
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsGroup: 1337
+ runAsUser: 1337
+ runAsNonRoot: true
+ imagePullPolicy: IfNotPresent
+ resources:
+{{ toYaml .Values.operator.resources | trim | indent 12 }}
+ env:
+ - name: WATCH_NAMESPACE
+ value: {{.Values.watchedNamespaces | quote}}
+ - name: LEADER_ELECTION_NAMESPACE
+ value: {{.Values.operatorNamespace | quote}}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: {{.Values.operatorNamespace | quote}}
+ - name: WAIT_FOR_RESOURCES_TIMEOUT
+ value: {{.Values.waitForResourcesTimeout | quote}}
+ - name: REVISION
+ value: {{.Values.revision | quote}}
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/namespace.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/namespace.yaml
new file mode 100644
index 000000000..31dc5aaee
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{.Values.operatorNamespace}}
+ labels:
+ istio-operator-managed: Reconcile
+ istio-injection: disabled
+---
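Review bot: `OPERATOR_NAME` is fed `{{.Values.operatorNamespace | quote}}`, the same expression as `LEADER_ELECTION_NAMESPACE` two entries above it, which reads like a copied line rather than a deliberate choice; with the default `operatorNamespace: istio-operator` the rendered value coincides with the name in the generated gen-operator.yaml, but any override of the namespace also changes whatever the operator reports under that variable, if it reads it. If this template is kept byte-for-byte with upstream, the module's values documentation should at least say that `operatorNamespace` drives both. Separately, `image: {{.Values.hub}}/operator:{{.Values.tag}}` combined with `imagePullPolicy: IfNotPresent` pins only a mutable tag, so a node that already holds a cached `operator:1.11.0` keeps whatever it pulled first; exposing a digest-pinned override for `hub`/`tag` in the module would make the deployed operator reproducible.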
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/service.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/service.yaml
new file mode 100644
index 000000000..ab3ed5700
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{.Values.operatorNamespace}}
+ labels:
+ name: istio-operator
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+spec:
+ ports:
+ - name: http-metrics
+ port: 8383
+ targetPort: 8383
+ protocol: TCP
+ selector:
+ name: istio-operator
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/service_account.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/service_account.yaml
new file mode 100644
index 000000000..03e937780
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/templates/service_account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{.Values.operatorNamespace}}
+ name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.imagePullSecrets }}
+- name: {{ . }}
+{{- end }}
+{{- end }}
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/values.yaml
new file mode 100644
index 000000000..e21021cbe
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istio-operator/values.yaml
@@ -0,0 +1,28 @@
+hub: docker.io/istio
+tag: 1.11.0
+
+# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace
+# used to pull operator image. Must be set for any cluster configured with private docker registry.
+imagePullSecrets: []
+
+operatorNamespace: istio-operator
+
+# Used to replace istioNamespace to support operator watch multiple namespaces.
+watchedNamespaces: istio-system
+waitForResourcesTimeout: 300s
+
+# Used for helm2 to add the CRDs to templates.
+enableCRDTemplates: false
+
+# revision for the operator resources
+revision: ""
+
+# Operator resource defaults
+operator:
+ resources:
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ requests:
+ cpu: 50m
+ memory: 128Mi
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/Chart.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/Chart.yaml
new file mode 100644
index 000000000..5bff72ca5
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+name: config
+version: 1.2.0
+tillerVersion: ">=2.7.2"
+description: Helm chart for a remote cluster using an external istio control plane
+keywords:
+ - istio
+ - external-istiod
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/NOTES.txt b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/NOTES.txt
new file mode 100644
index 000000000..0230b6f86
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/NOTES.txt
@@ -0,0 +1,4 @@
+Install for a remote cluster using an external control plane.
+
+The templates in this directory are copies of base and istio-discovery templates.
+DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
new file mode 100644
index 000000000..6d7588377
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/files/gateway-injection-template.yaml
@@ -0,0 +1,205 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} 
+ - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/files/injection-template.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/files/injection-template.yaml new file mode 100644 index 000000000..e8659bbb9 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/files/injection-template.yaml 
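Review bot: The `istio-proxy` container in this gateway template carries no `securityContext` of its own; the only one in the hunk is the pod-level `fsGroup: 1337`, and that is emitted only when `ENABLE_LEGACY_FSGROUP_INJECTION` is `"true"`, so whether the gateway proxy ends up non-root with a read-only root filesystem and dropped capabilities is decided entirely by the pod spec the injector is applied to, not by this file. Since NOTES.txt in the same chart says these files are generated copies, the place to enforce that is the gateway Deployment the terraform module renders (or the Istio `IstioOperator` spec it feeds), and it is worth confirming that spec sets `runAsNonRoot: true`, `runAsUser: 1337` and `capabilities.drop: [ALL]` for the gateway pods; the sidecar template's `istio-validation`/`istio-init` branch later on this page shows the shape Istio itself uses. Given the file is a copy, no change here, only in the consuming manifests.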
@@ -0,0 +1,466 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} +{{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort 
(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - "15001" + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation 
.ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` `*` }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ 
$value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + 
{{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ - name: enable-core-dump
+ args:
+ - -c
+ - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
+ command:
+ - /bin/sh
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add:
+ - SYS_ADMIN
+ drop:
+ - ALL
+ privileged: true
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: false
+ runAsUser: 0
+ {{ end }}
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if gt .EstimatedConcurrency 0 }}
+ - --concurrency
+ - "{{ .EstimatedConcurrency }}"
+ {{- end -}}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- else if $holdProxy }}
+ lifecycle:
+ postStart:
+ exec:
+ command:
+ - pilot-agent
+ - wait
+ {{- end }}
+ env:
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: ISTIO_BOOTSTRAP_OVERRIDE
+ value: "/etc/istio/custom-bootstrap/custom_bootstrap.json"
+ {{- end }}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ securityContext:
+ allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
+ capabilities:
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ add:
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}}
+ - NET_ADMIN
+ {{- end }}
+ {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}}
+ - NET_BIND_SERVICE
+ {{- end }}
+ {{- end }}
+ drop:
+ - ALL
+ privileged: {{ .Values.global.proxy.privileged }}
+ readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ runAsGroup: 1337
+ fsGroup: 1337
+ {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
+ runAsNonRoot: false
+ runAsUser: 0
+ {{- else -}}
+ runAsNonRoot: true
+ runAsUser: 1337
+ {{- end }}
+ resources:
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - mountPath: /etc/istio/custom-bootstrap
+ name: custom-bootstrap-volume
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }}
+ name: lightstep-certs
+ readOnly: true
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
+ - name: custom-bootstrap-volume
+ configMap:
+ name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }}
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
+ {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }}
+ - name: lightstep-certs
+ secret:
+ optional: true
+ secretName: lightstep.cacert
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/clusterrole.yaml
new file mode 100644
index 000000000..9112bd92e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/clusterrole.yaml
@@ -0,0 +1,114 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ # sidecar injection controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+
+ # configuration validation webhook controller
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+
+ # istio configuration
+ # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
+ # please proceed with caution
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["get", "watch", "list"]
+ resources: ["*"]
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
+ verbs: ["update"]
+ # TODO: should be on just */status but wildcard is not supported
+ resources: ["*"]
+{{- end }}
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "workloadentries/status" ]
+
+ # auto-detect installed CRD definitions
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+
+ # discovery and routing
+ - apiGroups: [""]
+ resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+
+ # ingress controller
+{{- if .Values.global.istiod.enableAnalysis }}
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions", "networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+{{- end}}
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses", "ingressclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses/status"]
+ verbs: ["*"]
+
+ # required for CA's namespace controller
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+
+ # Istiod and bootstrap.
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs: ["update", "create", "get", "delete", "watch"]
+ - apiGroups: ["certificates.k8s.io"]
+ resources:
+ - "signers"
+ resourceNames:
+ - "kubernetes.io/legacy-unknown"
+ verbs: ["approve"]
+
+ # Used by Istiod to verify the JWT tokens
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+
+ # Used by Istiod to verify gateway SDS
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+
+ # Use for Kubernetes Service APIs
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["networking.x-k8s.io"]
+ resources: ["*"] # TODO: should be on just */status but wildcard is not supported
+ verbs: ["update"]
+
+ # Needed for multicluster secret reading, possibly ingress certs in the future
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+
+ # Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "watch", "list", "create", "delete"]
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..0536b7831
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/configmap.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/configmap.yaml
new file mode 100644
index 000000000..17b52f101
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/configmap.yaml
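Review bot: The two `ingresses/status` rules in this ClusterRole grant `verbs: ["*"]`, which on a status subresource also covers create, delete and deletecollection, while the sibling `workloadentries/status` rule lists its verbs explicitly; a status writer presumably needs no more than `verbs: ["get", "update", "patch"]`, and the enableAnalysis copy under `extensions` could take the same list. The cluster-wide `secrets` get/list/watch rule is the broadest read in the role and its comment only says "possibly ingress certs in the future", so a comment stating which secrets istiod reads today (the multicluster secrets the comment refers to) and why a namespace-scoped Role is not sufficient would let reviewers judge it. Since this file is vendored from upstream Istio 1.11.0, any narrowing should be carried as a tracked local patch rather than an in-place edit that the next upstream sync silently reverts.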
@@ -0,0 +1,100 @@
+{{- define "mesh" }}
+ # The trust domain corresponds to the trust root of a system.
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ # The namespace to treat as the administrative root namespace for Istio configuration.
+ # When processing a leaf namespace Istio will search for declarations in that namespace first
+ # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+ # is processed as if it were declared in the leaf namespace.
+ rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }}
+
+ defaultConfig:
+ {{- if .Values.global.meshID }}
+ meshId: {{ .Values.global.meshID }}
+ {{- end }}
+ tracing:
+ {{- if eq .Values.global.proxy.tracer "lightstep" }}
+ lightstep:
+ # Address of the LightStep Satellite pool
+ address: {{ .Values.global.tracer.lightstep.address }}
+ # Access Token used to communicate with the Satellite pool
+ accessToken: {{ .Values.global.tracer.lightstep.accessToken }}
+ {{- else if eq .Values.global.proxy.tracer "zipkin" }}
+ zipkin:
+ # Address of the Zipkin collector
+ address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }}
+ {{- else if eq .Values.global.proxy.tracer "datadog" }}
+ datadog:
+ # Address of the Datadog Agent
+ address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }}
+ {{- else if eq .Values.global.proxy.tracer "stackdriver" }}
+ stackdriver:
+ # enables trace output to stdout.
+ {{- if $.Values.global.tracer.stackdriver.debug }}
+ debug: {{ $.Values.global.tracer.stackdriver.debug }}
+ {{- end }}
+ {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }}
+ # The global default max number of attributes per span.
+ maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }}
+ {{- end }}
+ {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }}
+ # The global default max number of annotation events per span.
+ maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }}
+ {{- end }}
+ {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }}
+ # The global default max number of message events per span.
+ maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }}
+ {{- end }}
+ {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }}
+ {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}}
+{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }}
+ {{- else }}
+ {}
+ {{- end }}
+ {{- if .Values.global.remotePilotAddress }}
+ {{- if not .Values.global.externalIstiod }}
+ discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012
+ {{- else }}
+ discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012
+ {{- end }}
+ {{- else }}
+ discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012
+ {{- end }}
+{{- end }}
+
+{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}}
+{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}}
+{{- $originalMesh := include "mesh" . | fromYaml }}
+{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }}
+
+{{- if .Values.pilot.configMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+
+ # Configuration file for the mesh networks to be used by the Split Horizon EDS.
+ meshNetworks: |-
+ {{- if .Values.global.meshNetworks }}
+ networks:
+{{ toYaml .Values.global.meshNetworks | trim | indent 6 }}
+ {{- else }}
+ networks: {}
+ {{- end }}
+
+ mesh: |-
+{{- if .Values.meshConfig }}
+{{ $mesh | toYaml | indent 4 }}
+{{- else }}
+{{- include "mesh" . }}
+{{- end }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/crd-all.gen.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/crd-all.gen.yaml
new file mode 100644
index 000000000..3c2c321c8
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/crd-all.gen.yaml
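Review bot: `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` writes the LightStep access token into the `mesh` key of a `kind: ConfigMap`, not a Secret, so a token set in values.yaml is readable by anyone with configmap get/list in the release namespace and is retained in Helm release history; the injection template in this same commit also renders `.ProxyConfig` into each sidecar's `PROXY_CONFIG` env var, which presumably carries this tracing block into every injected pod. The comment above the line only says what the field is for; it should also state where the value lands, e.g. `# NOTE: rendered into a plaintext ConfigMap (and into injected pods' PROXY_CONFIG); treat as a credential exposure when setting it via values`. Since this is a vendored upstream template, the practical control is a values-file policy that leaves this field unset unless the tracer is in use, noted alongside the comment.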
@@ -0,0 +1,5719 @@ +{{- if .Values.global.configCluster }} +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. 
+ properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. 
+ format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. 
+ type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. 
+ type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. 
It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute + or failover can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. 
+ type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. 
+ type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or failover + can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute can + be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. 
+ items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. 
+ oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute or + failover can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. 
+ nullable: true + type: boolean + failover: + description: 'Optional: only failover or distribute + can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. 
+ type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + type: string + match: + description: Match on listener/route configuration/cluster. 
+ oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. 
+ properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. 
+ format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. 
+ type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - 
description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + type: string + redirectCode: + type: integer + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. 
+ type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. 
+ type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). 
+ properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. 
+ properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. 
+ properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + properties: + authority: + type: string + redirectCode: + type: integer + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the orginal token will be kept + for the ustream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. 
+ type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: The selector determines the workloads to apply the RequestAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: Telemetry defines how the telemetry is generated for workloads + within a mesh. + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. 
+ type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ type: string
+ type: object
+ type: array
+ randomSamplingPercentage:
+ nullable: true
+ type: number
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/crd-operator.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/crd-operator.yaml
new file mode 100644
index 000000000..42e95ee8e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/crd-operator.yaml
@@ -0,0 +1,50 @@
+{{- if .Values.global.configCluster }}
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
new file mode 100644
index 000000000..b6b1fa8e8
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,67 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+ values: |-
+{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
+
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+ {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+ defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+ - {{ . }}
+{{- end }}
+ {{- else }}
+ defaultTemplates: [sidecar]
+ {{- end }}
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": "{{ $val }}"
+ {{- end }}
+ {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+ which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+ This should make it obvious that their installation is broken.
+ */}}
+ template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+ templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+ sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+ gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+ grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+ grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..dcb84dde3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
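Review bot: The `injectedAnnotations` loop renders each entry as `"{{ $key }}": "{{ $val }}"`, wrapping the raw values in literal double quotes, so a key or value containing `"` or a backslash yields an unparseable `config` document (it sits inside the `config: |-` block scalar, which istiod presumably parses as YAML on its own) instead of an escaped string. Using Helm's escaping, `{{ $key | quote }}: {{ $val | quote }}`, produces the same output for plain label-like strings and a valid scalar otherwise. These values come from the chart's own `values.yaml` rather than from untrusted input, so this is a robustness point rather than an injection vector, but a broken injector config is easy to misdiagnose. The template above is `{{- if not .Values.global.omitSidecarInjectorConfigMap }}`, so the whole ConfigMap is controlled by that single value.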
@@ -0,0 +1,144 @@
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .Values.istiodRemote.injectionURL }}
+ url: "{{ .Values.istiodRemote.injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ path: "{{ .Values.istiodRemote.injectionPath }}"
+ port: 443
+ {{- end }}
+ caBundle: ""
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ .Release.Name }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..f19f1e869
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..4f9925c9d
--- /dev/null
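Review bot: The second rule grants `get`, `list` and `watch` on `secrets` in every namespace, and this ClusterRole is bound (in the following file) to `istio-reader-service-account`, whose own header says it "Should be used for remote secret creation" — so the token exported to the primary cluster can read every Secret in this cluster, not just Istio's. Kubernetes RBAC cannot narrow `list`/`watch` with `resourceNames`, so this cannot be tightened in place; the practical controls are to treat the generated remote secret as a cluster-wide read credential (short-lived token, restricted access to the primary's `istio-system`) and to say so in the template, e.g. `# NOTE: cluster-wide read of Secrets; the remote-secret token bound to this role is equivalent to read-all-secrets in this cluster`. The `externalIstiod` block additionally allows `update`/`patch` on `mutatingwebhookconfigurations` and `update` on `validatingwebhookconfigurations`, which lets the holder repoint admission for the whole cluster, so the same caveat applies with more weight when that value is enabled.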
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
new file mode 100644
index 000000000..d9ce18c27
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/role.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/role.yaml
new file mode 100644
index 000000000..699491275
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/role.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/rolebinding.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/rolebinding.yaml
new file mode 100644
index 000000000..f65b3b122
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
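Review bot: The `secrets` rule in the istiod Role grants `create`, `get`, `watch`, `list`, `update` and `delete` on every Secret in `global.istioNamespace`, and the `# TODO lock this down to istio-ca-cert` above it cannot be implemented as written: `resourceNames` only constrains `get`/`update`/`delete`-style verbs, never `create`, `list` or `watch`, so the rule is effectively namespace-wide for as long as those verbs are needed. The comment should say that so the next maintainer does not spend time on an impossible scoping and instead keeps the namespace clear of unrelated Secrets, e.g. `# NOTE: resourceNames cannot scope create/list/watch, so this is all Secrets in the namespace; do not co-locate unrelated secrets with istiod`. The `delete` verb is also broader than "storing" the CA secret suggests; if rotation does not require it, it is the one verb here that could be dropped, which I have not verified against istiod.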
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/serviceaccount.yaml
new file mode 100644
index 000000000..4f8d20f6a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.global.configCluster }}
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..0a8f39dd6
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml
@@ -0,0 +1,88 @@
+{{- if .Values.global.configCluster }}
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ caBundle: "" # patched at runtime when the webhook is ready.
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ # Webhook handling default validation
+ - name: validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ caBundle: ""
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+---
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/values.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/values.yaml
new file mode 100644
index 000000000..bca741cda
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/charts/istiod-remote/values.yaml
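Review bot: The two webhooks do not cover the same API groups: `rev.validation.istio.io` lists `security.istio.io` and `networking.istio.io` only, while `validation.istio.io` also lists `telemetry.istio.io`, and their `objectSelector`s are complementary (`istio.io/rev In [...]` versus `istio.io/rev DoesNotExist`), so a `Telemetry` object carrying an `istio.io/rev` label matches neither rule set and is admitted without validation — unless istiod rewrites the rules at runtime, which I cannot see from here. Adding `- telemetry.istio.io` to the first webhook's `apiGroups` makes the split purely about selectors again. Separately, both webhooks ship `failurePolicy: Ignore` and an empty `caBundle`, but only the first carries the comment explaining that the webhook controller flips it to `Fail`; the second should say the same or state that it stays fail-open, since as written an unreachable istiod means invalid `AuthorizationPolicy`/`PeerAuthentication` objects are accepted silently. When `base.validationURL` is set, `url: {{ .Values.base.validationURL }}` is rendered unquoted, which is fine for a plain https URL but worth `| quote` for consistency with the injector template.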
@@ -0,0 +1,451 @@
+#.Values.pilot for discovery and mesh wide config
+
+## Discovery Settings
+pilot:
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ replicaCount: 1
+ rollingMaxSurge: 100%
+ rollingMaxUnavailable: 25%
+ hub: ""
+ tag: ""
+ # Can be a full hub/image:tag
+ image: pilot
+ traceSampling: 1.0
+ # Resources for a small pilot install
+ resources:
+ requests:
+ cpu: 500m
+ memory: 2048Mi
+ env: {}
+ cpu:
+ targetAverageUtilization: 80
+ # if protocol sniffing is enabled for outbound
+ enableProtocolSniffingForOutbound: true
+ # if protocol sniffing is enabled for inbound
+ enableProtocolSniffingForInbound: true
+ nodeSelector: {}
+ podAnnotations: {}
+ # You can use jwksResolverExtraRootCA to provide a root certificate
+ # in PEM format. This will then be trusted by pilot when resolving
+ # JWKS URIs.
+ jwksResolverExtraRootCA: ""
+ # This is used to set the source of configuration for
+ # the associated address in configSource, if nothing is specificed
+ # the default MCP is assumed.
+ configSource:
+ subscribedResources: []
+ plugins: []
+ # The following is used to limit how long a sidecar can be connected
+ # to a pilot. It balances out load across pilot instances at the cost of
+ # increasing system churn.
+ keepaliveMaxServerConnectionAge: 30m
+ # Additional labels to apply to the deployment.
+ deploymentLabels: {}
+ ## Mesh config settings
+
+ # Install the mesh config map, generated from values.yaml.
+ # If false, pilot wil use default values (by default) or user-supplied values.
+ configMap: false
+sidecarInjectorWebhook:
+ # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+ # always skip the injection on pods that match that label selector, regardless of the global policy.
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+ neverInjectSelector: []
+ alwaysInjectSelector: []
+ # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+ # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+ #
+ # annotations:
+ # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+ # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+ #
+ # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+ # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+ # injectedAnnotations:
+ # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+ # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+ injectedAnnotations: {}
+ # This enables injection of sidecar in all namespaces,
+ # with the exception of namespaces with "istio-injection:disabled" annotation
+ # Only one environment should have this enabled.
+ enableNamespacesByDefault: false
+ # Enable objectSelector to filter out pods with no need for sidecar before calling istiod.
+ # It is enabled by default as the minimum supported Kubernetes version is 1.15+
+ objectSelector:
+ enabled: true
+ autoInject: true
+ rewriteAppHTTPProbe: true
+ # Templates defines a set of custom injection templates that can be used. For example, defining:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+ # being injected with the hello=world labels.
+ # This is intended for advanced configuration only; most users should use the built in template
+ templates: {}
+ # Default templates specifies a set of default templates that are used in sidecar injection.
+ # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+ # To inject other additional templates, define it using the `templates` option, and add it to
+ # the default templates list.
+ # For example:
+ #
+ # templates:
+ # hello: |
+ # metadata:
+ # labels:
+ # hello: world
+ #
+ # defaultTemplates: ["sidecar", "hello"]
+ defaultTemplates: []
+istiodRemote:
+ # Sidecar injector mutating webhook configuration clientConfig.url value.
+ # For example: https://$remotePilotAddress:15017/inject
+ # The host should not refer to a service running in the cluster; use a service reference by specifying
+ # the clientConfig.service field instead.
+ injectionURL: ""
+ # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+ # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+ injectionPath: "/inject"
+telemetry:
+ enabled: false
+ v2:
+ # For Null VM case now.
+ # This also enables metadata exchange.
+ enabled: true
+ metadataExchange:
+ # Indicates whether to enable WebAssembly runtime for metadata exchange filter.
+ wasmEnabled: false
+ # Indicate if prometheus stats filter is enabled or not
+ prometheus:
+ enabled: true
+ # Indicates whether to enable WebAssembly runtime for stats filter.
+ wasmEnabled: false
+ # overrides stats EnvoyFilter configuration.
+ configOverride:
+ gateway: {}
+ inboundSidecar: {}
+ outboundSidecar: {}
+ # stackdriver filter settings.
+ stackdriver:
+ enabled: false
+ logging: false
+ monitoring: false
+ topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported.
+ disableOutbound: false
+ # configOverride parts give you the ability to override the low level configuration params passed to envoy filter.
+
+ configOverride: {}
+ # e.g.
+ # disable_server_access_logging: false
+ # disable_host_header_fallback: true
+ # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver.
+ accessLogPolicy:
+ enabled: false
+ # To reduce the number of successful logs, default log window duration is
+ # set to 12 hours.
+ logWindowDuration: "43200s"
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+# Revision tags are aliases to Istio control plane revisions
+revisionTags: []
+# For Helm compatibility.
+ownerName: ""
+# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+meshConfig:
+ enablePrometheusMerge: true
+ # Config for the default ProxyConfig.
+ # Initially using directly the proxy metadata - can also be activated using annotations
+ # on the pod. This is an unsupported low-level API, pending review and decisions on
+ # enabling the feature. Enabling the DNS listener is safe - and allows further testing
+ # and gradual adoption by setting capture only on specific workloads. It also allows
+ # VMs to use other DNS options, like dnsmasq or unbound.
+
+ # The namespace to treat as the administrative root namespace for Istio configuration.
+ # When processing a leaf namespace Istio will search for declarations in that namespace first
+ # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace
+ # is processed as if it were declared in the leaf namespace.
+ rootNamespace:
+ # The trust domain corresponds to the trust root of a system
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+ # TODO: the intent is to eventually have this enabled by default when security is used.
+ # It is not clear if user should normally need to configure - the metadata is typically
+ # used as an escape and to control testing and rollout, but it is not intended as a long-term
+ # stable API.
+# What we may configure in mesh config is the ".global" - and use of other suffixes.
+# No hurry to do this in 1.6, we're trying to prove the code.
+
+global:
+ # Used to locate istiod.
+ istioNamespace: istio-system
+ # enable pod disruption budget for the control plane, which is used to
+ # ensure Istio control plane components are gradually upgraded or recovered.
+ defaultPodDisruptionBudget:
+ enabled: true
+ # The values aren't mutable due to a current PodDisruptionBudget limitation
+ # minAvailable: 1
+ # A minimal set of requested resources to applied to all deployments so that
+ # Horizontal Pod Autoscaler will be able to function (if set).
+ # Each component can overwrite these default values by adding its own resources
+ # block in the relevant section below and setting the desired resources values.
+ defaultResources:
+ requests:
+ cpu: 10m
+ # memory: 128Mi
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: gcr.io/istio-testing
+ # Default tag for Istio images.
+ tag: latest
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Enabled by default in master for maximising testing.
+ istiod:
+ enableAnalysis: false
+ # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+ logAsJson: false
+ # Comma-separated minimum per-scope logging level of messages to output, in the form of :,:
+ # The control plane has different scopes depending on component, but can configure default log level across all components
+ # If empty, default scope and level will be used as configured in code
+ logging:
+ level: "default:info"
+ omitSidecarInjectorConfigMap: true
+ # Whether to restrict the applications namespace the controller manages;
+ # If not set, controller watches all namespaces
+ oneNamespace: false
+ # Configure whether Operator manages webhook configurations. The current behavior
+ # of Istiod is to manage its own webhook configurations.
+ # When this option is set as true, Istio Operator, instead of webhooks, manages the
+ # webhook configurations. When this option is set as false, webhooks manage their
+ # own webhook configurations.
+ operatorManageWebhooks: false
+ # Custom DNS config for the pod to resolve names of services in other
+ # clusters. Use this to add additional search domains, and other settings.
+ # see
+ # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+ # This does not apply to gateway pods as they typically need a different
+ # set of DNS settings than the normal application pods (e.g., in
+ # multicluster scenarios).
+ # NOTE: If using templates, follow the pattern in the commented example below.
+ #podDNSSearchNamespaces:
+ #- global
+ #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+ # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+ # system-node-critical, it is better to configure this in order to make sure your Istio pods
+ # will not be killed because of low priority class.
+ # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+ # for more detail.
+ priorityClassName: ""
+ proxy:
+ image: proxyv2
+ # This controls the 'policy' in the sidecar injector.
+ autoInject: enabled
+ # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+ # cluster domain. Default value is "cluster.local".
+ clusterDomain: "cluster.local"
+ # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+ # not set, then the global "logLevel" will be used.
+ componentLogLevel: "misc:error"
+ # If set, newly injected sidecars will have core dumps enabled.
+ enableCoreDump: false
+ # istio ingress capture allowlist
+ # examples:
+ # Redirect only selected ports: --includeInboundPorts="80,8080"
+ excludeInboundPorts: ""
+ # istio egress capture allowlist
+ # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+ # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+ # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+ # be allowed by the sidecar
+ includeIPRanges: "*"
+ excludeIPRanges: ""
+ excludeOutboundPorts: ""
+ # Log level for proxy, applies to gateways and sidecars.
+ # Expected values are: trace|debug|info|warning|error|critical|off
+ logLevel: warning
+ #If set to true, istio-proxy container will have privileged securityContext
+ privileged: false
+ # The number of successive failed probes before indicating readiness failure.
+ readinessFailureThreshold: 30
+ # The initial delay for readiness probes in seconds.
+ readinessInitialDelaySeconds: 1
+ # The period between readiness probes.
+ readinessPeriodSeconds: 2
+ # Resources for the sidecar.
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+ statusPort: 15020
+ # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver.
+ # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+ tracer: "zipkin"
+ # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
+ holdApplicationUntilProxyStarts: false
+ proxy_init:
+ # Base name for the proxy_init container, used to configure iptables.
+ image: proxyv2
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ # configure remote pilot and istiod service and endpoint
+ remotePilotAddress: ""
+ ##############################################################################################
+ # The following values are found in other charts. To effectively modify these values, make #
+ # make sure they are consistent across your Istio helm charts #
+ ##############################################################################################
+
+ # The customized CA address to retrieve certificates for the pods in the cluster.
+ # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+ # If not set explicitly, default to the Istio discovery address.
+ caAddress: ""
+ # Configure a remote cluster data plane controlled by an external istiod.
+ # When set to true, istiod is not deployed locally and only a subset of the other
+ # discovery charts are enabled.
+ externalIstiod: true
+ # Configure a remote cluster as the config cluster for an external istiod.
+ configCluster: false
+ # Configure the policy for validating JWT.
+ # Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
+ jwtPolicy: "third-party-jwt"
+ # Mesh ID means Mesh Identifier. It should be unique within the scope where
+ # meshes will interact with each other, but it is not required to be
+ # globally/universally unique. For example, if any of the following are true,
+ # then two meshes must have different Mesh IDs:
+ # - Meshes will have their telemetry aggregated in one place
+ # - Meshes will be federated together
+ # - Policy will be written referencing one mesh from the other
+ #
+ # If an administrator expects that any of these conditions may become true in
+ # the future, they should ensure their meshes have different Mesh IDs
+ # assigned.
+ #
+ # Within a multicluster mesh, each cluster must be (manually or auto)
+ # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+ # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+ # of migration TBD, and it may be a disruptive operation to change the Mesh
+ # ID post-install.
+ #
+ # If the mesh admin does not specify a value, Istio will use the value of the
+ # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+ # value.
+ meshID: ""
+ # Configure the mesh networks to be used by the Split Horizon EDS.
+ #
+ # The following example defines two networks with different endpoints association methods.
+ # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+ # mapped to network1. The gateway for this network example is specified by its public IP
+ # address and port.
+ # The second network, `network2`, in this example is defined differently with all endpoints
+ # retrieved through the specified Multi-Cluster registry being mapped to network2.
The
+ # gateway is also defined differently with the name of the gateway service on the remote
+ # cluster. The public IP for the gateway will be determined from that remote service (only
+ # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+ # it still need to be configured manually).
+ #
+ # meshNetworks:
+ # network1:
+ # endpoints:
+ # - fromCidr: "192.168.0.1/24"
+ # gateways:
+ # - address: 1.1.1.1
+ # port: 80
+ # network2:
+ # endpoints:
+ # - fromRegistry: reg1
+ # gateways:
+ # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+ # port: 443
+ #
+ meshNetworks: {}
+ # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+ mountMtlsCerts: false
+ multiCluster:
+ # Set to true to connect two kubernetes clusters via their respective
+ # ingressgateway services when pods in each cluster cannot directly
+ # talk to one another. All clusters should be using Istio mTLS and must
+ # have a shared root CA for this model to work.
+ enabled: false
+ # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+ # to properly label proxies
+ clusterName: ""
+ # Network defines the network this cluster belong to. This name
+ # corresponds to the networks in the map of mesh networks.
+ network: ""
+ # Configure the certificate provider for control plane communication.
+ # Currently, two providers are supported: "kubernetes" and "istiod".
+ # As some platforms may not have kubernetes signing APIs,
+ # Istiod is the default
+ pilotCertProvider: istiod
+ sds:
+ # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+ # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+ # JWT is intended for the CA.
+ token:
+ aud: istio-ca
+ sts:
+ # The service port used by Security Token Service (STS) server to handle token exchange requests.
+ # Setting this port to a non-zero value enables STS server.
+ servicePort: 0
+ # Configuration for each of the supported tracers
+ tracer:
+ # Configuration for envoy to send trace data to LightStep.
+ # Disabled by default.
+ # address: the : of the satellite pool
+ # accessToken: required for sending data to the pool
+ #
+ datadog:
+ # Host:Port for submitting traces to the Datadog agent.
+ address: "$(HOST_IP):8126"
+ lightstep:
+ address: "" # example: lightstep-satellite:443
+ accessToken: "" # example: abcdefg1234567
+ stackdriver:
+ # enables trace output to stdout.
+ debug: false
+ # The global default max number of message events per span.
+ maxNumberOfMessageEvents: 200
+ # The global default max number of annotation events per span.
+ maxNumberOfAnnotations: 200
+ # The global default max number of attributes per span.
+ maxNumberOfAttributes: 200
+ zipkin:
+ # Host:Port for reporting trace data in zipkin format. If not specified, will default to
+ # zipkin service (port 9411) in the same namespace as the other istio components.
+ address: ""
+ # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source.
+ useMCP: false
+ # Determines whether this istiod performs resource validation.
+ configValidation: true
+base:
+ # For istioctl usage to disable istio config crds in base
+ enableIstioConfigCRDs: true
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml
new file mode 100644
index 000000000..48303976e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+ name: example-istiocontrolplane
+spec:
+ profile: demo
+...
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/examples/user-gateway/ingress-gateway-only.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/examples/user-gateway/ingress-gateway-only.yaml
new file mode 100644
index 000000000..c37e85b01
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/examples/user-gateway/ingress-gateway-only.yaml
@@ -0,0 +1,8 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ profile: empty
+ components:
+ ingressGateways:
+ - enabled: true
+ namespace: my-namespace
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/default.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/default.yaml
new file mode 100644
index 000000000..2c2cd857b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/default.yaml
@@ -0,0 +1,184 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+metadata:
+ namespace: istio-system
+spec:
+ hub: docker.io/istio
+ tag: 1.11.0
+
+ # You may override parts of meshconfig by uncommenting the following lines.
+ meshConfig:
+ defaultConfig:
+ proxyMetadata: {}
+ enablePrometheusMerge: true
+ # Opt-out of global http2 upgrades.
+ # Destination rule is used to opt-in.
+ # h2_upgrade_policy: DO_NOT_UPGRADE
+
+ # Traffic management feature
+ components:
+ base:
+ enabled: true
+ pilot:
+ enabled: true
+
+ # Istio Gateway feature
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: true
+ egressGateways:
+ - name: istio-egressgateway
+ enabled: false
+
+ # Istio CNI feature
+ cni:
+ enabled: false
+
+ # Remote and config cluster configuration for an external istiod
+ istiodRemote:
+ enabled: false
+
+ # Global values passed through to helm global.yaml.
+ # Please keep this in sync with manifests/charts/global.yaml
+ values:
+ global:
+ istioNamespace: istio-system
+ istiod:
+ enableAnalysis: false
+ logging:
+ level: "default:info"
+ logAsJson: false
+ pilotCertProvider: istiod
+ jwtPolicy: third-party-jwt
+ proxy:
+ image: proxyv2
+ clusterDomain: "cluster.local"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ logLevel: warning
+ componentLogLevel: "misc:error"
+ privileged: false
+ enableCoreDump: false
+ statusPort: 15020
+ readinessInitialDelaySeconds: 1
+ readinessPeriodSeconds: 2
+ readinessFailureThreshold: 30
+ includeIPRanges: "*"
+ excludeIPRanges: ""
+ excludeOutboundPorts: ""
+ excludeInboundPorts: ""
+ autoInject: enabled
+ tracer: "zipkin"
+ proxy_init:
+ image: proxyv2
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+ operatorManageWebhooks: false
+ tracer:
+ lightstep: {}
+ zipkin: {}
+ datadog: {}
+ stackdriver: {}
+ imagePullSecrets: []
+ oneNamespace: false
+ defaultNodeSelector: {}
+ configValidation: true
+ multiCluster:
+ enabled: false
+ clusterName: ""
+ omitSidecarInjectorConfigMap: false
+ network: ""
+ defaultResources:
+ requests:
+ cpu: 10m
+ defaultPodDisruptionBudget:
+ enabled: true
+ priorityClassName: ""
+ useMCP: false
+ sds:
+ token:
+ aud: istio-ca
+ sts:
+ servicePort: 0
+ meshNetworks: {}
+ mountMtlsCerts: false
+ base:
+ enableCRDTemplates: false
+ validationURL: ""
+ pilot:
+ autoscaleEnabled: true
+ autoscaleMin: 1
+ autoscaleMax: 5
+ replicaCount: 1
+ image: pilot
+ traceSampling: 1.0
+ env: {}
+ cpu:
+ targetAverageUtilization: 80
+ nodeSelector: {}
+ keepaliveMaxServerConnectionAge: 30m
+ enableProtocolSniffingForOutbound: true
+ enableProtocolSniffingForInbound: true
+ deploymentLabels:
+ configMap: true
+
+ telemetry:
+ enabled: true
+ v2:
+ enabled: true
+ metadataExchange:
+ wasmEnabled: false
+ prometheus:
+ wasmEnabled: false
+ enabled: true
+ stackdriver:
+ enabled: false
+ logging: false
+ monitoring: false
+ topology: false
+ configOverride: {}
+
+ istiodRemote:
+ injectionURL: ""
+
+ gateways:
+ istio-egressgateway:
+ zvpn: {}
+ env: {}
+ autoscaleEnabled: true
+ type: ClusterIP
+ name: istio-egressgateway
+ secretVolumes:
+ - name: egressgateway-certs
+ secretName: istio-egressgateway-certs
+ mountPath: /etc/istio/egressgateway-certs
+ - name: egressgateway-ca-certs
+ secretName: istio-egressgateway-ca-certs
+ mountPath: /etc/istio/egressgateway-ca-certs
+
+ istio-ingressgateway:
+ autoscaleEnabled: true
+ type: LoadBalancer
+ name: istio-ingressgateway
+ zvpn: {}
+ env: {}
+ secretVolumes:
+ - name: ingressgateway-certs
+ secretName: istio-ingressgateway-certs
+ mountPath: /etc/istio/ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secretName: istio-ingressgateway-ca-certs
+ mountPath:
/etc/istio/ingressgateway-ca-certs
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/demo.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/demo.yaml
new file mode 100644
index 000000000..0dd56210d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/demo.yaml
@@ -0,0 +1,72 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ accessLogFile: /dev/stdout
+ components:
+ egressGateways:
+ - name: istio-egressgateway
+ enabled: true
+ k8s:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: true
+ k8s:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+ service:
+ ports:
+ ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces.
+ # Note that AWS ELB will by default perform health checks on the first port
+ # on this list. Setting this to the health check port will ensure that health
+ # checks always work. https://github.com/istio/istio/issues/12503
+ - port: 15021
+ targetPort: 15021
+ name: status-port
+ - port: 80
+ targetPort: 8080
+ name: http2
+ - port: 443
+ targetPort: 8443
+ name: https
+ - port: 31400
+ targetPort: 31400
+ name: tcp
+ # This is the port where sni routing happens
+ - port: 15443
+ targetPort: 15443
+ name: tls
+
+ pilot:
+ k8s:
+ env:
+ - name: PILOT_TRACE_SAMPLING
+ value: "100"
+ resources:
+ requests:
+ cpu: 10m
+ memory: 100Mi
+
+ values:
+ global:
+ proxy:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 40Mi
+
+ pilot:
+ autoscaleEnabled: false
+
+ gateways:
+ istio-egressgateway:
+ autoscaleEnabled: false
+ istio-ingressgateway:
+ autoscaleEnabled: false
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/empty.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/empty.yaml
new file mode 100644
index 000000000..07de5b1e0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/empty.yaml
@@ -0,0 +1,13 @@
+# The empty profile has everything disabled
+# This is useful as a base for custom user configuration
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: false
+ pilot:
+ enabled: false
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/external.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/external.yaml
new file mode 100644
index 000000000..75b54588b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/external.yaml
@@ -0,0 +1,22 @@
+# The external profile is used to configure a mesh using an external control plane.
+# Only the injector mutating webhook configuration is installed.
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ base:
+ enabled: false
+ pilot:
+ enabled: false
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
+ istiodRemote:
+ enabled: true
+ values:
+ global:
+ externalIstiod: true
+ omitSidecarInjectorConfigMap: true
+ configCluster: false
+ pilot:
+ configMap: false
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/minimal.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/minimal.yaml
new file mode 100644
index 000000000..075881ee0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/minimal.yaml
@@ -0,0 +1,8 @@
+# The minimal profile will install just the core control plane
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ ingressGateways:
+ - name: istio-ingressgateway
+ enabled: false
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/openshift.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/openshift.yaml
new file mode 100644
index 000000000..dd9e4a0af
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/openshift.yaml
@@ -0,0 +1,27 @@
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ components:
+ cni:
+ enabled: true
+ namespace: kube-system
+ k8s:
+ overlays:
+ - kind: DaemonSet
+ name: istio-cni-node
+ patches:
+ - path: spec.template.spec.containers[0].securityContext.privileged
+ value: true
+ values:
+ cni:
+ cniBinDir: /var/lib/cni/bin
+ cniConfDir: /etc/cni/multus/net.d
+ chained: false
+ cniConfFileName: "istio-cni.conf"
+ excludeNamespaces:
+ - istio-system
+ - kube-system
+ logLevel: info
+ sidecarInjectorWebhook:
+ injectedAnnotations:
+ k8s.v1.cni.cncf.io/networks: istio-cni
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/preview.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/preview.yaml
new file mode 100644
index 000000000..e0d9b636a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/preview.yaml
@@ -0,0 +1,21 @@
+# The preview profile contains features that are experimental.
+# This is intended to explore new features coming to Istio.
+# Stability, security, and performance are not guaranteed - use at your own risk.
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec:
+ meshConfig:
+ defaultConfig:
+ proxyMetadata:
+ # Enable Istio agent to handle DNS requests for known hosts
+ # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf
+ ISTIO_META_DNS_CAPTURE: "true"
+ # Enable dynamic bootstrap generation.
+ BOOTSTRAP_XDS_AGENT: "true"
+ values:
+ telemetry:
+ v2:
+ metadataExchange:
+ wasmEnabled: true
+ prometheus:
+ wasmEnabled: true
diff --git a/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/remote.yaml b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/remote.yaml
new file mode 100644
index 000000000..dbbc49aea
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/manifests/profiles/remote.yaml
@@ -0,0 +1,4 @@
+# Deprecated. Use the `default` profile instead.
+apiVersion: install.istio.io/v1alpha1
+kind: IstioOperator
+spec: {}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/README.md
new file mode 100644
index 000000000..a1a140f8c
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/README.md
@@ -0,0 +1,3 @@
+# Istio Samples
+
+This directory contains sample applications highlighting various Istio features.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/README.md
new file mode 100644
index 000000000..9f8f32e67
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/README.md
@@ -0,0 +1,92 @@
+# Telemetry Addons
+
+This directory contains sample deployments of various addons that integrate with Istio. While these applications
+are not a part of Istio, they are essential to making the most of Istio's observability features.
+
+The deployments here are meant to quickly get up and running, and are optimized for this case. As a result,
+they may not be suitable for production. See below for more info on integrating a production grade version of each
+addon.
+
+## Getting started
+
+To quickly deploy all addons:
+
+```shell script
+kubectl apply -f samples/addons
+```
+
+Alternatively, you can deploy individual addons:
+
+```shell script
+kubectl apply -f samples/addons/prometheus.yaml
+```
+
+## Addons
+
+### Prometheus
+
+[Prometheus](https://prometheus.io/) is an open source monitoring system and time series database.
+You can use Prometheus with Istio to record metrics that track the health of Istio and of applications within the service mesh.
+You can visualize metrics using tools like [Grafana](#grafana) and [Kiali](#kiali).
+
+For more information about integrating with Prometheus, please see the [Prometheus integration page](https://istio.io/docs/ops/integrations/prometheus/).
+
+### Grafana
+
+[Grafana](http://grafana.com/) is an open source monitoring solution that can be used to configure dashboards for Istio.
+You can use Grafana to monitor the health of Istio and of applications within the service mesh.
+
+This sample provides the following dashboards:
+
+* [Mesh Dashboard](https://grafana.com/grafana/dashboards/7639) provides an overview of all services in the mesh.
+* [Service Dashboard](https://grafana.com/grafana/dashboards/7636) provides a detailed breakdown of metrics for a service.
+* [Workload Dashboard](https://grafana.com/grafana/dashboards/7630) provides a detailed breakdown of metrics for a workload.
+* [Performance Dashboard](https://grafana.com/grafana/dashboards/11829) monitors the resource usage of the mesh.
+* [Control Plane Dashboard](https://grafana.com/grafana/dashboards/7645) monitors the health and performance of the control plane.
+* [WASM Extension Dashboard](https://grafana.com/grafana/dashboards/13277) provides an overview of mesh wide WebAssembly extension runtime and loading state.
+
+For more information about integrating with Grafana, please see the [Grafana integration page](https://istio.io/docs/ops/integrations/grafana/).
+
+### Kiali
+
+[Kiali](https://kiali.io/) is an observability console for Istio with service mesh configuration capabilities.
+It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh.
+Kiali provides detailed metrics, and a basic [Grafana](#grafana) integration is available for advanced queries.
+Distributed tracing is provided by integrating [Jaeger](#jaeger).
+
+For more information about using Kiali, see the [Visualizing Your Mesh](https://istio.io/docs/tasks/observability/kiali/) task.
+
+### Jaeger
+
+[Jaeger](https://www.jaegertracing.io/) is an open source end to end distributed tracing system, allowing users to monitor and troubleshoot transactions in complex distributed systems.
+
+Jaeger helps in a variety of tasks including:
+
+* Distributed context propagation
+* Distributed transaction monitoring
+* Root cause analysis
+* Service dependency analysis
+* Performance / latency optimization
+
+For more information about integrating with Jaeger, please see the [Jaeger integration page](https://istio.io/docs/tasks/observability/distributed-tracing/jaeger/).
+
+### Zipkin
+
+[Zipkin](https://zipkin.io/) is a distributed tracing system. It helps gather timing data needed to troubleshoot latency problems in service architectures. Features include both the collection and lookup of this data.
+
+Zipkin is an alternative to Jaeger and is not deployed by default. To replace Jaeger with Zipkin, run `kubectl apply -f samples/addons/extras/zipkin.yaml`.
+You may also want to remove the Jaeger deployment, which will not be used, with `kubectl delete deployment jaeger`, or avoid installing it
+to begin with by following the selective install steps in [Getting Started](#getting-started).
+
+For more information about integrating with Zipkin, please see the [Zipkin integration page](https://istio.io/docs/tasks/observability/distributed-tracing/zipkin/).
+
+### Prometheus Operator
+
+The [Prometheus Operator](https://github.com/coreos/prometheus-operator) manages and operators a Prometheus instance.
+
+As an alternative to the standard Prometheus deployment, we provide a `ServiceMonitor` to monitor the Istio control plane and `PodMonitor`
+Envoy proxies. To use these, make sure you have the Prometheus operator deployed, then run `kubectl apply -f samples/addons/extras/prometheus-operator.yaml`.
+
+Note: The example `PodMonitor` requires [metrics merging](https://istio.io/latest/docs/ops/integrations/prometheus/#option-1-metrics-merging) to be enabled. This is enabled by default.
+
+Note: The configurations here are only for Istio deployments, and do not scrape metrics from the Kubernetes components. See the [Cluster Monitoring](https://coreos.com/operators/prometheus/docs/latest/user-guides/cluster-monitoring.html) documentation for configuring this.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus-operator.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus-operator.yaml
new file mode 100644
index 000000000..39a044468
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus-operator.yaml
@@ -0,0 +1,57 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: envoy-stats-monitor
+ namespace: istio-system
+ labels:
+ monitoring: istio-proxies
+ release: istio
+spec:
+ selector:
+ matchExpressions:
+ - {key: istio-prometheus-ignore, operator: DoesNotExist}
+ namespaceSelector:
+ any: true
+ jobLabel: envoy-stats
+ podMetricsEndpoints:
+ - path: /stats/prometheus
+ interval: 15s
+ relabelings:
+ - action: keep
+ sourceLabels: [__meta_kubernetes_pod_container_name]
+ regex: "istio-proxy"
+ - action: keep
+ sourceLabels: [__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape]
+ - sourceLabels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ targetLabel: __address__
+ - action: labeldrop
+ regex: "__meta_kubernetes_pod_label_(.+)"
+ - sourceLabels: [__meta_kubernetes_namespace]
+ action: replace
+ targetLabel: namespace
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ action: replace
+ targetLabel: pod_name
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: istio-component-monitor
+ namespace: istio-system
+ labels:
+ monitoring: istio-components
+ release: istio
+spec:
+ jobLabel: istio
+ targetLabels: [app]
+ selector:
+ matchExpressions:
+ - {key: istio, operator: In, values: [pilot]}
+ namespaceSelector:
+ any: true
+ endpoints:
+ - port: http-monitoring
+ interval: 15s
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus_vm.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus_vm.yaml
new file mode 100644
index 000000000..f38882fe0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus_vm.yaml
@@ -0,0 +1,531 @@ +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: 
replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + - job_name: kubernetes-file-sd-endpoints + kubernetes_sd_configs: + - role: endpoints + file_sd_configs: + - files: + - /etc/file_sd/*.json + relabel_configs: + - action: keep + regex: (.+) + source_labels: + - __meta_filepath + - replacement: /stats/prometheus + target_label: __metrics_path__ + + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get + - apiGroups: + - "networking.istio.io" + verbs: + - get + - watch + - list + resources: + - workloadentries + - apiGroups: + - "" + verbs: + - get + - watch + - list + - 
create + - update + - patch + - delete + resources: + - configmaps +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + spec: + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.5.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: file-sd-volume + mountPath: /etc/file_sd + readOnly: true + + - name: 
prometheus-server + image: "prom/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + - name: file-sd-volume + mountPath: /etc/file_sd + - name: vm-discovery + image: "istioecosystem/vm-discovery:latest" + imagePullPolicy: "IfNotPresent" + hostNetwork: false + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: file-sd-volume + configMap: + name: file-sd-config + optional: true + - name: storage-volume + emptyDir: + {} \ No newline at end of file diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus_vm_tls.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus_vm_tls.yaml new file mode 100644 index 000000000..4e3358424 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/prometheus_vm_tls.yaml 
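Review bot: `image: "istioecosystem/vm-discovery:latest"` in the prometheus Deployment is an unpinned tag, so what this module rolls out changes whenever upstream republishes `latest` and, combined with `imagePullPolicy: "IfNotPresent"`, can differ from node to node depending on what each has cached; prometheus_vm_tls.yaml carries the same line. The `kubernetes-apiservers`, `kubernetes-nodes` and `kubernetes-nodes-cadvisor` scrape jobs set `insecure_skip_verify: true` even though `ca_file` already points at the service-account CA that validates the in-cluster API server, which turns off TLS verification of the control plane for no gain. The ClusterRole also grants `create`/`update`/`patch`/`delete` on configmaps and is bound cluster-wide; this presumably exists so the vm-discovery container can write the `file-sd-config` ConfigMap it mounts, and a namespaced Role in `istio-system` would cover that. These files appear to be the upstream Istio 1.11.0 samples copied verbatim, so if the module applies them rather than merely shipping them, the adjustments belong in an overlay the module owns: pin the image as `image: "istioecosystem/vm-discovery:<TAG>@sha256:<DIGEST>"` (placeholders) and drop `insecure_skip_verify: true` from the three in-cluster jobs.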
@@ -0,0 +1,548 @@ +--- +# Source: prometheus/templates/server/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system + annotations: + {} +--- +# Source: prometheus/templates/server/cm.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +data: + alerting_rules.yml: | + {} + alerts: | + {} + prometheus.yml: | + global: + evaluation_interval: 1m + scrape_interval: 15s + scrape_timeout: 10s + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + - /etc/config/rules + - /etc/config/alerts + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-apiservers + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: default;kubernetes;https + source_labels: + - __meta_kubernetes_namespace + - __meta_kubernetes_service_name + - __meta_kubernetes_endpoint_port_name + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - 
bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + job_name: kubernetes-nodes-cadvisor + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - replacement: kubernetes.default.svc:443 + target_label: __address__ + - regex: (.+) + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + source_labels: + - __meta_kubernetes_node_name + target_label: __metrics_path__ + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + insecure_skip_verify: true + - job_name: kubernetes-service-endpoints + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape + - action: replace + regex: (https?) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + - job_name: kubernetes-service-endpoints-slow + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_service_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: kubernetes_node + scrape_interval: 5m + scrape_timeout: 30s + - honor_labels: true + job_name: prometheus-pushgateway + kubernetes_sd_configs: + - role: service + relabel_configs: + - action: keep + regex: pushgateway + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - job_name: kubernetes-services + kubernetes_sd_configs: + - role: service + metrics_path: /probe + params: + module: + - http_2xx + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_service_annotation_prometheus_io_probe + - source_labels: + - __address__ + target_label: __param_target + - replacement: blackbox + target_label: __address__ + - source_labels: + - __param_target + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - source_labels: + - __meta_kubernetes_service_name + target_label: kubernetes_name + - job_name: kubernetes-pods + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape + - action: 
replace + regex: (https?) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + - job_name: kubernetes-pods-slow + kubernetes_sd_configs: + - role: pod + relabel_configs: + - action: keep + regex: true + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow + - action: replace + regex: (https?) 
+ source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_scheme + target_label: __scheme__ + - action: replace + regex: (.+) + source_labels: + - __meta_kubernetes_pod_annotation_prometheus_io_path + target_label: __metrics_path__ + - action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + source_labels: + - __address__ + - __meta_kubernetes_pod_annotation_prometheus_io_port + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: kubernetes_namespace + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: kubernetes_pod_name + - action: drop + regex: Pending|Succeeded|Failed + source_labels: + - __meta_kubernetes_pod_phase + scrape_interval: 5m + scrape_timeout: 30s + - job_name: kubernetes-file-sd-endpoints + kubernetes_sd_configs: + - role: endpoints + file_sd_configs: + - files: + - /etc/file_sd/*.json + scheme: https + tls_config: + ca_file: /etc/prom-certs/root-cert.pem + cert_file: /etc/prom-certs/cert-chain.pem + key_file: /etc/prom-certs/key.pem + insecure_skip_verify: true # Prometheus does not support Istio security naming, thus skip verifying target pod ceritifcate + relabel_configs: + - action: keep + regex: (.+) + source_labels: + - __meta_filepath + - replacement: /stats/prometheus + target_label: __metrics_path__ + + recording_rules.yml: | + {} + rules: | + {} +--- +# Source: prometheus/templates/server/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - 
ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get + - apiGroups: + - "networking.istio.io" + verbs: + - get + - watch + - list + resources: + - workloadentries + - apiGroups: + - "" + verbs: + - get + - watch + - list + - create + - update + - patch + - delete + resources: + - configmaps +--- +# Source: prometheus/templates/server/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus +subjects: + - kind: ServiceAccount + name: prometheus + namespace: istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus +--- +# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + sidecar.istio.io/inject: "true" + traffic.sidecar.istio.io/includeInboundPorts: "" # do not intercept any inbound ports + traffic.sidecar.istio.io/includeOutboundIPRanges: "" # do not intercept any outbound traffic + proxy.istio.io/config: | # configure an env variable `OUTPUT_CERTS` to write certificates to the 
given folder + proxyMetadata: + OUTPUT_CERTS: /etc/istio-output-certs + sidecar.istio.io/userVolumeMount: '[{"name": "istio-certs", "mountPath": "/etc/istio-output-certs"}]' # mount the shared volume at sidecar proxy + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-13.6.0 + heritage: Helm + spec: + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.5.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + - name: file-sd-volume + mountPath: /etc/file_sd + readOnly: true + + - name: prometheus-server + image: "prom/prometheus:v2.24.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + - name: file-sd-volume + mountPath: /etc/file_sd + - name: istio-certs + mountPath: /etc/prom-certs/ + - name: vm-discovery + image: "istioecosystem/vm-discovery:latest" + imagePullPolicy: "IfNotPresent" + hostNetwork: false + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + 
terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: file-sd-volume + configMap: + name: file-sd-config + optional: true + - name: istio-certs + emptyDir: + medium: Memory + - name: storage-volume + emptyDir: + {} \ No newline at end of file diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/zipkin.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/zipkin.yaml new file mode 100644 index 000000000..516b8e8fa --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/extras/zipkin.yaml @@ -0,0 +1,62 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: zipkin + namespace: istio-system + labels: + app: zipkin +spec: + selector: + matchLabels: + app: zipkin + template: + metadata: + labels: + app: zipkin + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: zipkin + image: openzipkin/zipkin-slim:2.23.0 + env: + - name: STORAGE_METHOD + value: "mem" + readinessProbe: + httpGet: + path: /health + port: 9411 + initialDelaySeconds: 5 + periodSeconds: 5 +--- +apiVersion: v1 +kind: Service +metadata: + name: tracing + namespace: istio-system + labels: + app: zipkin +spec: + type: ClusterIP + ports: + - name: http-query + port: 80 + protocol: TCP + targetPort: 9411 + selector: + app: zipkin +--- +apiVersion: v1 +kind: Service +metadata: + labels: + name: zipkin + name: zipkin + namespace: istio-system +spec: + ports: + - port: 9411 + targetPort: 9411 + name: http-query + selector: + app: zipkin diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/grafana.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/grafana.yaml new file mode 100644 index 000000000..d74056824 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/grafana.yaml 
@@ -0,0 +1,1110 @@ +--- +# Source: grafana/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: grafana-6.11.0 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "7.5.5" + app.kubernetes.io/managed-by: Helm + name: grafana + namespace: istio-system +--- +# Source: grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.11.0 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "7.5.5" + app.kubernetes.io/managed-by: Helm +data: + grafana.ini: | + [analytics] + check_for_updates = true + [grafana_net] + url = https://grafana.net + [log] + mode = console + [paths] + data = /var/lib/grafana/ + logs = /var/log/grafana + plugins = /var/lib/grafana/plugins + provisioning = /etc/grafana/provisioning + + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + - disableDeletion: false + folder: istio + name: istio-services + options: + path: /var/lib/grafana/dashboards/istio-services + orgId: 1 + type: file +--- +# Source: grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.11.0 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "7.5.5" + app.kubernetes.io/managed-by: Helm +spec: + type: ClusterIP + ports: + - name: service + port: 3000 + protocol: TCP + targetPort: 3000 + + selector: + app.kubernetes.io/name: grafana + 
app.kubernetes.io/instance: grafana +--- +# Source: grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + helm.sh/chart: grafana-6.11.0 + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app.kubernetes.io/version: "7.5.5" + app.kubernetes.io/managed-by: Helm +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: grafana + app.kubernetes.io/instance: grafana + app: grafana + annotations: + checksum/config: af4530cc6e67e63b6285f3ceccaf0aaa2a20d322e35c9f0ae48721add3b58eb0 + checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b + sidecar.istio.io/inject: "false" + spec: + + serviceAccountName: grafana + securityContext: + fsGroup: 472 + runAsGroup: 472 + runAsUser: 472 + containers: + - name: grafana + image: "grafana/grafana:7.5.5" + imagePullPolicy: IfNotPresent + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + - name: storage + mountPath: "/var/lib/grafana" + - name: dashboards-istio + mountPath: "/var/lib/grafana/dashboards/istio" + - name: dashboards-istio-services + mountPath: "/var/lib/grafana/dashboards/istio-services" + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + ports: + - name: service + containerPort: 3000 + protocol: TCP + - name: grafana + containerPort: 3000 + protocol: TCP + env: + + - name: GF_PATHS_DATA + value: /var/lib/grafana/ + - name: GF_PATHS_LOGS + value: 
/var/log/grafana + - name: GF_PATHS_PLUGINS + value: /var/lib/grafana/plugins + - name: GF_PATHS_PROVISIONING + value: /etc/grafana/provisioning + - name: "GF_AUTH_ANONYMOUS_ENABLED" + value: "true" + - name: "GF_AUTH_ANONYMOUS_ORG_ROLE" + value: "Admin" + - name: "GF_AUTH_BASIC_ENABLED" + value: "false" + - name: "GF_SECURITY_ADMIN_PASSWORD" + value: "-" + - name: "GF_SECURITY_ADMIN_USER" + value: "-" + livenessProbe: + failureThreshold: 10 + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + readinessProbe: + httpGet: + path: /api/health + port: 3000 + resources: + {} + volumes: + - name: config + configMap: + name: grafana + + - name: dashboards-istio + configMap: + name: istio-grafana-dashboards + - name: dashboards-istio-services + configMap: + name: istio-services-grafana-dashboards + - name: storage + emptyDir: {} + +--- + +apiVersion: v1 +data: + istio-performance-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":true,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":21,"panels":[{"content":"The charts on this dashboard are intended to show Istio main components cost in terms of resources utilization under steady load.\n\n- **vCPU / 1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only.\n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. 
For ingress and istio-proxy, the data is per instance.\n- **Bytes transferred / sec:** shows the number of bytes flowing through each Istio component.\n\n\n","gridPos":{"h":6,"w":24,"x":0,"y":1},"id":19,"links":[],"mode":"markdown","timeFrom":null,"timeShift":null,"title":"Performance Dashboard README","transparent":true,"type":"text"}],"title":"Performance Dashboard Notes","type":"row"},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":1},"id":6,"panels":[],"title":"vCPU Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":2},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"(sum(irate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"(sum(irate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU / 1k 
rps","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":2},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{pod=~\"istio-ingressgateway-.*\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container=\"istio-proxy\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":10},"id":13,"panels":[],"title":"Memory and Data 
Rates","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":11},"id":902,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\"}) / count(container_memory_working_set_bytes{pod=~\"istio-ingressgateway-.*\",container!=\"POD\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio-ingressgateway","refId":"A"},{"expr":"sum(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"}) / count(container_memory_working_set_bytes{namespace!=\"istio-system\",container=\"istio-proxy\"})","format":"time_series","intervalFactor":1,"legendFormat":"per istio proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory 
Usage","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":11},"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-ingressgateway","refId":"A"},{"expr":"sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"istio-proxy","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Bytes transferred / sec","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":19},"id":17,"panels":[],"title":"Istio Component 
Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":24,"x":0,"y":20},"id":15,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":71,"panels":[],"title":"Proxy Resource Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":32},"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":32},"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total 
(k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":32},"id":702,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_fs_usage_bytes{container=\"istio-proxy\"})","format":"time_series","intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":39},"id":69,"panels":[],"title":"Istiod Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":40},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"sum(container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"C","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} 
(k8s)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":40},"id":602,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2},{"expr":"sum(rate(container_cpu_usage_seconds_total{container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}[1m])) by (container)","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"{{ container }} (k8s)","refId":"B","step":2},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"pilot 
(self-reported)","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":40},"id":74,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_open_fds{app=\"istiod\"}","format":"time_series","hide":true,"instant":false,"interval":"","intervalFactor":2,"legendFormat":"Open FDs (pilot)","refId":"A"},{"expr":"container_fs_usage_bytes{ container=~\"discovery|istio-proxy\", pod=~\"istiod-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"{{ container 
}}","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":40},"id":402,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"10s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"","title":"Istio Performance Dashboard","uid":"vu8e0VWZk","version":22} + pilot-dashboard.json: | + {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana 
--","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":1,"links":[],"panels":[{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":0},"id":60,"panels":[],"title":"Deployed Versions","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":5,"w":24,"x":0,"y":1},"id":56,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build{component=\"pilot\"}) by (tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Versions","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":6},"id":62,"panels":[],"title":"Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":0,"y":7},"id":5,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"process_virtual_memory_bytes{app=\"istiod\"}","format":"time_series","instant":false,"intervalFactor":2,"legendFormat":"Virtual Memory","refId":"I","step":2},{"expr":"process_resident_memory_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Resident Memory","refId":"H","step":2},{"expr":"go_memstats_heap_sys_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap sys","refId":"A"},{"expr":"go_memstats_heap_alloc_bytes{app=\"istiod\"}","format":"time_series","hide":true,"intervalFactor":2,"legendFormat":"heap alloc","refId":"D"},{"expr":"go_memstats_alloc_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Alloc","refId":"F","step":2},{"expr":"go_memstats_heap_inuse_bytes{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Heap in-use","refId":"E","step":2},{"expr":"go_memstats_stack_inuse_bytes{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Stack in-use","refId":"G","step":2},{"expr":"container_memory_working_set_bytes{container=~\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (container)","refId":"B","step":2},{"expr":"container_memory_working_set_bytes{container=~\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar 
(container)","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":6,"y":7},"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Discovery (container)","refId":"A"},{"expr":"irate(process_cpu_seconds_total{app=\"istiod\"}[1m])","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Discovery (process)","refId":"C","step":2},{"expr":"sum(irate(container_cpu_usage_seconds_total{container=\"istio-proxy\", pod=~\"istiod-.*|istio-pilot-.*\"}[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Sidecar 
(container)","refId":"B","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"CPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":12,"y":7},"id":7,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"container_fs_usage_bytes{container=\"discovery\", pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":2,"legendFormat":"Discovery","refId":"B","step":2},{"expr":"container_fs_usage_bytes{container=\"istio-proxy\", 
pod=~\"istiod-.*|istio-pilot-.*\"}","format":"time_series","intervalFactor":1,"legendFormat":"Sidecar","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Disk","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"bytes","label":"","logBase":1,"max":null,"min":null,"show":true},{"decimals":null,"format":"none","label":"","logBase":1024,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":7,"w":6,"x":18,"y":7},"id":4,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":false,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"go_goroutines{app=\"istiod\"}","format":"time_series","intervalFactor":2,"legendFormat":"Number of Goroutines","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Goroutines","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":"","logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":14},"id":58,"panels":[],"title":"Pilot Push Information","type":"row"},{"aliasColors":{},"bars":true,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the rate of pilot 
pushes","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":15},"id":622,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":false,"linewidth":1,"links":[],"nullPointMode":"null as zero","paceLength":10,"percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":true,"steppedLine":false,"targets":[{"expr":"sum(irate(pilot_xds_pushes{type=\"cds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Cluster","refId":"C"},{"expr":"sum(irate(pilot_xds_pushes{type=\"eds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Endpoints","refId":"D"},{"expr":"sum(irate(pilot_xds_pushes{type=\"lds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Listeners","refId":"A"},{"expr":"sum(irate(pilot_xds_pushes{type=\"rds\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Routes","refId":"E"},{"expr":"sum(irate(pilot_xds_pushes{type=\"sds\"}[1m]))","interval":"","legendFormat":"Secrets","refId":"B"},{"expr":"sum(irate(pilot_xds_pushes{type=\"nds\"}[1m]))","interval":"","legendFormat":"Nametables","refId":"F"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Pushes","tooltip":{"shared":false,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":["total"]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":"0","show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Captures a variety of pilot 
errors","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":15},"id":67,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(pilot_xds_cds_reject{app=\"istiod\"}) or (absent(pilot_xds_cds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected CDS Configs","refId":"C"},{"expr":"sum(pilot_xds_eds_reject{app=\"istiod\"}) or (absent(pilot_xds_eds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected EDS Configs","refId":"D"},{"expr":"sum(pilot_xds_rds_reject{app=\"istiod\"}) or (absent(pilot_xds_rds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected RDS Configs","refId":"A"},{"expr":"sum(pilot_xds_lds_reject{app=\"istiod\"}) or (absent(pilot_xds_lds_reject{app=\"istiod\"}) - 1)","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Rejected LDS Configs","refId":"B"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Write Timeouts","refId":"F"},{"expr":"sum(rate(pilot_total_xds_internal_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Internal Errors","refId":"H"},{"expr":"sum(rate(pilot_total_xds_rejects{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Config Rejection Rate","refId":"E"},{"expr":"sum(rate(pilot_xds_push_context_errors{app=\"istiod\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Push Context 
Errors","refId":"K"},{"expr":"sum(rate(pilot_xds_write_timeout{app=\"istiod\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Push Timeouts","refId":"G"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Pilot Errors","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the total time it takes to push a config update to a proxy","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":15},"id":624,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"histogram_quantile(0.5, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p50 ","refId":"A"},{"expr":"histogram_quantile(0.9, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p90","refId":"B"},{"expr":"histogram_quantile(0.99, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99","refId":"C"},{"expr":"histogram_quantile(0.999, sum(rate(pilot_proxy_convergence_time_bucket[1m])) by (le))","format":"time_series","intervalFactor":1,"legendFormat":"p99.9","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Proxy Push 
Time","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"s","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":0,"y":23},"id":45,"legend":{"avg":false,"current":false,"hideEmpty":true,"hideZero":true,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null as zero","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"pilot_conflict_inbound_listener{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Inbound Listeners","refId":"B"},{"expr":"pilot_conflict_outbound_listener_http_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (http over current tcp)","refId":"A"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_tcp{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current tcp)","refId":"C"},{"expr":"pilot_conflict_outbound_listener_tcp_over_current_http{app=\"istiod\"}","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"Outbound Listeners (tcp over current 
http)","refId":"D"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Conflicts","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":12,"x":12,"y":23},"id":47,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(pilot_virt_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Virtual Services","refId":"A"},{"expr":"avg(pilot_services{app=\"istiod\"})","format":"time_series","intervalFactor":1,"legendFormat":"Services","refId":"B"},{"expr":"sum(pilot_xds{app=\"istiod\"}) by (pod)","format":"time_series","intervalFactor":1,"legendFormat":"Connected Endpoints {{pod}}","refId":"E"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"ADS Monitoring","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"gridPos":{"h":1,"w":24,"x":0,"y":31},"id":64,"panels":[],"title":"Envoy 
Information","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows details about Envoy proxies in the mesh","fill":1,"gridPos":{"h":8,"w":8,"x":0,"y":32},"id":40,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(irate(envoy_cluster_upstream_cx_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connections","refId":"C"},{"expr":"sum(irate(envoy_cluster_upstream_cx_connect_fail{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Connection Failures","refId":"A"},{"expr":"sum(increase(envoy_server_hot_restart_epoch[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"Envoy Restarts","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Envoy 
Details","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":8,"w":8,"x":8,"y":32},"id":41,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})","format":"time_series","intervalFactor":2,"legendFormat":"XDS Active Connections","refId":"C","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Active Connections","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"Shows the size of XDS requests and 
responses","fill":1,"gridPos":{"h":8,"w":8,"x":16,"y":32},"id":42,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"max(rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Max","refId":"D"},{"expr":"quantile(0.5, rate(envoy_cluster_upstream_cx_rx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","hide":false,"intervalFactor":1,"legendFormat":"XDS Response Bytes Average","refId":"B"},{"expr":"max(rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Max","refId":"A"},{"expr":"quantile(.5, rate(envoy_cluster_upstream_cx_tx_bytes_total{cluster_name=\"xds-grpc\"}[1m]))","format":"time_series","intervalFactor":1,"legendFormat":"XDS Request Bytes Average","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"XDS Requests 
Size","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"Bps","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"ops","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":null,"gridPos":{"h":1,"w":24,"x":0,"y":40},"id":626,"panels":[],"title":"Webhooks","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":41},"hiddenSeries":false,"id":629,"legend":{"avg":false,"current":false,"hideEmpty":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(galley_validation_passed[1m]))","interval":"","legendFormat":"Validations (Success)","refId":"A"},{"expr":"sum(rate(galley_validation_failed[1m]))","interval":"","legendFormat":"Validation (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Configuration 
Validation","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":null,"description":"","fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":41},"hiddenSeries":false,"id":630,"legend":{"avg":false,"current":false,"hideZero":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"dataLinks":[]},"percentage":false,"pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(sidecar_injection_success_total[1m]))","interval":"","legendFormat":"Injections (Success)","refId":"A"},{"expr":"sum(rate(sidecar_injection_failure_total[1m]))","interval":"","legendFormat":"Injections (Failure)","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Sidecar 
Injection","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Control Plane Dashboard","uid":"3--MLVZZk","version":11}
+kind: ConfigMap
+metadata:
+ creationTimestamp: null
+ name: istio-grafana-dashboards
+ namespace: istio-system
+
+---
+
+apiVersion: v1
+data:
+ istio-extension-dashboard.json: |
+ {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"links":[],"panels":[{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":0},"id":3,"panels":[],"title":"Wasm 
VMs","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","description":"","fieldConfig":{"defaults":{"custom":{"align":null},"links":[],"mappings":[],"thresholds":{"mode":"absolute","steps":[{"color":"green","value":null},{"color":"red","value":80}]}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":1},"hiddenSeries":false,"id":2,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_active)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_active)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Active","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:123","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:124","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":1},"hiddenSeries":false,"id":6,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flo
t","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_envoy_wasm_runtime_null_created)","interval":"","legendFormat":"native","refId":"A"},{"expr":"avg(envoy_wasm_envoy_wasm_runtime_v8_created)","interval":"","legendFormat":"v8","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Created","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:68","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:69","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":9},"id":7,"panels":[],"title":"Wasm Module Remote Load","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":0,"y":10},"hiddenSeries":false,"id":11,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_entries)","interval":"","legendFormat":"entries","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Entry","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:178","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:179","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":8,"y":10},"hiddenSeries":false,"id":8,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_cache_hits)","interval":"","legendFormat":"hits","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_cache_misses)","interval":"","legendFormat":"misses","refId":"B"},{"expr":"avg(envoy_wasm_remote_load_cache_negative_hits)","interval":"","legendFormat":"negative hits","refId":"C"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Cache 
Visit","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:233","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:234","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{},"links":[]},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":8,"x":16,"y":10},"hiddenSeries":false,"id":10,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":2,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"avg(envoy_wasm_remote_load_fetch_failures)","interval":"","legendFormat":"failures","refId":"A"},{"expr":"avg(envoy_wasm_remote_load_fetch_successes)","interval":"","legendFormat":"successes","refId":"B"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Remote Fetch","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:288","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:289","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}},{"collapsed":false,"datasource":"Prometheus","gridPos":{"h":1,"w":24,"x":0,"y":18},"id":71,"panels":[],"title":"Proxy Resource 
Usage","type":"row"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":0,"y":19},"hiddenSeries":false,"id":72,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(container_memory_working_set_bytes{container=\"istio-proxy\"})","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Memory","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:396","format":"bytes","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:397","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fieldConfig":{"defaults":{"custom":{}},"overrides":[]},"fill":1,"fillGradient":0,"gridPos":{"h":8,"w":12,"x":12,"y":19},"hiddenSeries":false,"id":73,"legend":{"avg":false,"current":false,"max":false,"min":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","options":{"alertThreshold":true},"percentage":false,"pluginVersion":"7.2.1","pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(rate(container_cpu_usage_seconds_total{container=\"istio-proxy\"}
[1m]))","format":"time_series","hide":false,"intervalFactor":2,"legendFormat":"Total (k8s)","refId":"A","step":2}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"vCPU","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"$$hashKey":"object:447","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"$$hashKey":"object:448","format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":false,"schemaVersion":26,"style":"dark","tags":[],"templating":{"list":[]},"time":{"from":"2020-10-22T23:11:45.783Z","to":"2020-10-23T00:04:19.481Z"},"timepicker":{"refresh_intervals":["10s","30s","1m","5m","15m","30m","1h","2h","1d"]},"timezone":"","title":"Istio Wasm Extension Dashboard","uid":"7PAV7ctGz","version":17}
+ istio-mesh-dashboard.json: |
+ {"annotations":{"list":[{"builtIn":1,"datasource":"-- Grafana --","enable":true,"hide":true,"iconColor":"rgba(0, 211, 255, 1)","name":"Annotations & Alerts","type":"dashboard"}]},"editable":false,"gnetId":null,"graphTooltip":0,"id":null,"links":[],"panels":[{"content":"
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to secure,\n connect, and \n monitor microservices.\n
\n Need help? Join the Istio community.\n
\n
","gridPos":{"h":3,"w":24,"x":0,"y":0},"height":"50px","id":13,"links":[],"mode":"html","style":{"font-size":"18pt"},"title":"","transparent":true,"type":"text"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":3},"id":20,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"round(sum(irate(istio_requests_total{reporter=\"source\"}[1m])), 0.001)","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"Global Request Volume","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 
0.97)"],"datasource":"Prometheus","format":"percentunit","gauge":{"maxValue":100,"minValue":80,"show":false,"thresholdLabels":false,"thresholdMarkers":false},"gridPos":{"h":3,"w":6,"x":6,"y":3},"id":21,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"source\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"95, 99, 99.5","title":"Global Success Rate (non-5xx responses)","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":3},"id":22,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", response_code=~\"4.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"4xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"datasource":"Prometheus","format":"ops","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":3},"id":23,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":true,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"sum(irate(istio_requests_total{reporter=\"source\", 
response_code=~\"5.*\"}[1m]))","format":"time_series","intervalFactor":1,"refId":"A","step":4}],"thresholds":"","title":"5xxs","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"avg"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":113,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"VirtualService\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Virtual Services","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":114,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"DestinationRule\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Destination Rules","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":115,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"Gateway\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Gateways","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":116,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"WorkloadEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Workload 
Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":0,"y":6},"id":117,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"ServiceEntry\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Service Entries","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 
0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":6,"y":6},"id":90,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"PeerAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"PeerAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":12,"y":6},"id":91,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to 
text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"RequestAuthentication\", event=\"delete\"}) or max(up * 0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"RequestAuthentication Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"cacheTimeout":null,"colorBackground":false,"colorValue":false,"colors":["#299c46","rgba(237, 129, 40, 0.89)","#d44a3a"],"datasource":"Prometheus","format":"none","gauge":{"maxValue":100,"minValue":0,"show":false,"thresholdLabels":false,"thresholdMarkers":true},"gridPos":{"h":3,"w":6,"x":18,"y":6},"id":92,"interval":null,"links":[],"options":{"colorMode":"value","graphMode":"area","justifyMode":"auto","orientation":"horizontal","reduceOptions":{"calcs":["lastNotNull"],"fields":"","values":false},"textMode":"auto"},"mappingType":1,"mappingTypes":[{"name":"value to text","value":1},{"name":"range to text","value":2}],"maxDataPoints":100,"nullPointMode":"connected","nullText":null,"postfix":"","postfixFontSize":"50%","prefix":"","prefixFontSize":"50%","rangeMaps":[{"from":"null","text":"N/A","to":"null"}],"sparkline":{"fillColor":"rgba(31, 118, 189, 0.18)","full":false,"lineColor":"rgb(31, 120, 193)","show":true},"tableColumn":"","targets":[{"expr":"max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"add\"}) - (max(pilot_k8s_cfg_events{type=\"AuthorizationPolicy\", event=\"delete\"}) or max(up * 
0))","format":"time_series","intervalFactor":1,"refId":"A"}],"thresholds":"","timeFrom":null,"timeShift":null,"title":"Authorization Policies","type":"singlestat","valueFontSize":"80%","valueMaps":[{"op":"=","text":"N/A","value":"null"}],"valueName":"current"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":21,"w":24,"x":0,"y":9},"hideTimeOverride":false,"id":73,"links":[],"pageSize":null,"repeat":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"Workload dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Requests","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[],"type":"number","unit":"ops"},{"alias":"P50 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"s"},{"alias":"P90 Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #C","thresholds":[],"type":"number","unit":"s"},{"alias":"P99 
Latency","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #D","thresholds":[],"type":"number","unit":"s"},{"alias":"Success Rate","colorMode":"cell","colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #E","thresholds":[".95"," 1.00"],"type":"number","unit":"percentunit"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-workload=${__cell_2:raw}&var-namespace=${__cell_3:raw}","pattern":"destination_workload_var","thresholds":[],"type":"number","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_requests_total{reporter=\"source\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace 
}}","refId":"A"},{"expr":"label_join((histogram_quantile(0.50, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload}}.{{ destination_workload_namespace }}","refId":"B"},{"expr":"label_join((histogram_quantile(0.90, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"C"},{"expr":"label_join((histogram_quantile(0.99, sum(rate(istio_request_duration_milliseconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)) / 1000) or histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"source\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"D"},{"expr":"label_join((sum(rate(istio_requests_total{reporter=\"source\", response_code!~\"5.*\"}[1m])) by 
(destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"interval":"","intervalFactor":1,"legendFormat":"{{ destination_workload }}.{{ destination_workload_namespace }}","refId":"E"}],"timeFrom":null,"title":"HTTP/GRPC Workloads","transform":"table","type":"table"},{"columns":[],"datasource":"Prometheus","fontSize":"100%","gridPos":{"h":18,"w":24,"x":0,"y":30},"hideTimeOverride":false,"id":109,"links":[],"pageSize":null,"repeatDirection":"v","scroll":true,"showHeader":true,"sort":{"col":5,"desc":true},"styles":[{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":false,"linkTargetBlank":false,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload","preserveFormat":false,"sanitize":false,"thresholds":[],"type":"hidden","unit":"short"},{"alias":"Bytes Sent","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #A","thresholds":[""],"type":"number","unit":"Bps"},{"alias":"Bytes Received","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"Value #B","thresholds":[],"type":"number","unit":"Bps"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD 
HH:mm:ss","decimals":2,"pattern":"Time","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Workload","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-workload-dashboard?var-namespace=${__cell_3:raw}&var-workload=${__cell_2:raw}","pattern":"destination_workload_var","thresholds":[],"type":"string","unit":"short"},{"alias":"","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"pattern":"destination_workload_namespace","thresholds":[],"type":"hidden","unit":"short"},{"alias":"Service","colorMode":null,"colors":["rgba(245, 54, 54, 0.9)","rgba(237, 129, 40, 0.89)","rgba(50, 172, 45, 0.97)"],"dateFormat":"YYYY-MM-DD HH:mm:ss","decimals":2,"link":true,"linkTooltip":"$__cell dashboard","linkUrl":"/dashboard/db/istio-service-dashboard?var-service=${__cell_1:raw}","pattern":"destination_service","thresholds":[],"type":"number","unit":"short"}],"targets":[{"expr":"label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"A"},{"expr":"label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")","format":"table","hide":false,"instant":true,"intervalFactor":1,"legendFormat":"{{ destination_workload }}","refId":"B"}],"timeFrom":null,"title":"TCP 
Workloads","transform":"table","type":"table"},{"aliasColors":{},"bars":false,"dashLength":10,"dashes":false,"datasource":"Prometheus","fill":1,"gridPos":{"h":9,"w":24,"x":0,"y":48},"id":111,"legend":{"alignAsTable":false,"avg":false,"current":false,"max":false,"min":false,"rightSide":false,"show":true,"total":false,"values":false},"lines":true,"linewidth":1,"links":[],"nullPointMode":"null","percentage":false,"pointradius":5,"points":false,"renderer":"flot","seriesOverrides":[],"spaceLength":10,"stack":false,"steppedLine":false,"targets":[{"expr":"sum(istio_build) by (component, tag)","format":"time_series","intervalFactor":1,"legendFormat":"{{ component }}: {{ tag }}","refId":"A"}],"thresholds":[],"timeFrom":null,"timeRegions":[],"timeShift":null,"title":"Istio Components by Version","tooltip":{"shared":true,"sort":0,"value_type":"individual"},"type":"graph","xaxis":{"buckets":null,"mode":"time","name":null,"show":true,"values":[]},"yaxes":[{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":true},{"format":"short","label":null,"logBase":1,"max":null,"min":null,"show":false}],"yaxis":{"align":false,"alignLevel":null}}],"refresh":"5s","schemaVersion":18,"style":"dark","tags":[],"templating":{"list":[{"current":{"selected":true,"text":"default","value":"default"},"hide":0,"includeAll":false,"label":null,"multi":false,"name":"datasource","options":[],"query":"prometheus","queryValue":"","refresh":1,"regex":"","skipUrlSync":false,"type":"datasource"}]},"time":{"from":"now-5m","to":"now"},"timepicker":{"refresh_intervals":["5s","10s","30s","1m","5m","15m","30m","1h","2h","1d"],"time_options":["5m","15m","1h","6h","12h","24h","2d","7d","30d"]},"timezone":"browser","title":"Istio Mesh Dashboard","uid":"G8wLrJIZk","version":5} + istio-service-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- + Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations + & 
Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1595591291797,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":106,\"panels\":[{\"content\":\"
\\nSERVICE: $service\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE: $service\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Client + Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Client Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.99, 
sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Client + Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":4},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Received Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":0,\"y\":8},\"id\":97,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Server + Request 
Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":6,\"x\":6,\"y\":8},\"id\":98,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Server Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":6,\"x\":12,\"y\":8},\"hiddenSeries\":false,\"id\":99,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\",destination_service=~\\\"$service\\\"}[1m])) + by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Server + Request Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":6,\"x\":18,\"y\":8},\"id\":100,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 
193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Sent Bytes\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":104,\"panels\":[{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":2},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nCLIENT WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":5},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=~\\\"$qrep\\\",source_workload=~\\\"$srcwl\\\",source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By Source And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":5},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + 
connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":11},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack
\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":11},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by 
(source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":11},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + 
source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_service=~\\\"$service\\\", source_workload=~\\\"$srcwl\\\", + 
source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Client + Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":102,\"panels\":[{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":3},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nSERVICE WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":6},\"hiddenSeries\":false,\"id\":90,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\",destination_service=~\\\"$service\\\",reporter=\\\"destination\\\",destination_workload=~\\\"$dstwl\\\",destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", reporter=\\\"destination\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[5m])) by (destination_workload, + destination_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} : {{ response_code + }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By 
Destination Workload And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":6},\"hiddenSeries\":false,\"id\":91,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\",response_code!~\\\"5.*\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace) / sum(irate(istio_requests_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[5m])) + by (destination_workload, destination_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By Destination 
Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":12},\"hiddenSeries\":false,\"id\":94,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ 
destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.50, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.90, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.95, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le)) / 1000) or histogram_quantile(0.99, + sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":12},\"hiddenSeries\":false,\"id\":95,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"st
eppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by 
(destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"destination\\\", 
connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":12},\"hiddenSeries\":false,\"id\":96,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99 
(\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"destination\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, 
destination_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By Service Workload\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":18},\"hiddenSeries\":false,\"id\":92,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=\\\"destination\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_service=~\\\"$service\\\", + destination_workload=~\\\"$dstwl\\\", destination_workload_namespace=~\\\"$dstns\\\"}[1m])) + by (destination_workload, destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{ destination_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":18},\"hiddenSeries\":false,\"id\":93,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + 
destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", destination_workload=~\\\"$dstwl\\\", + destination_workload_namespace=~\\\"$dstns\\\"}[1m])) by (destination_workload, + destination_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_workload }}.{{destination_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Service + 
Workloads\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Service\",\"multi\":false,\"name\":\"service\",\"options\":[],\"query\":\"label_values(destination_service)\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"options\":[],\"query\":\"label_values(reporter)\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=\\\"$service\\\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\"}) by 
(source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Client + Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_service=~\\\"$service\\\", source_workload_namespace=~\\\"$srcns\\\"}) + by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload Namespace\",\"multi\":true,\"name\":\"dstns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"destination\\\", + destination_service=\\\"$service\\\"}) by (destination_workload_namespace) or + sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\"}) + by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Service + Workload\",\"multi\":true,\"name\":\"dstwl\",\"options\":[],\"query\":\"query_result( + sum(istio_requests_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", + 
destination_workload_namespace=~\\\"$dstns\\\"}) by (destination_workload) or + sum(istio_tcp_sent_bytes_total{reporter=\\\"destination\\\", destination_service=~\\\"$service\\\", + destination_workload_namespace=~\\\"$dstns\\\"}) by (destination_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Service Dashboard\",\"uid\":\"LJ_uJAvmk\",\"version\":1}\n" + istio-workload-dashboard.json: "{\"annotations\":{\"list\":[{\"builtIn\":1,\"datasource\":\"-- + Grafana --\",\"enable\":true,\"hide\":true,\"iconColor\":\"rgba(0, 211, 255, 1)\",\"name\":\"Annotations + & Alerts\",\"type\":\"dashboard\"}]},\"editable\":false,\"gnetId\":null,\"graphTooltip\":0,\"iteration\":1531345461465,\"links\":[],\"panels\":[{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":0},\"id\":95,\"panels\":[{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":1},\"id\":89,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nWORKLOAD: $workload.$namespace\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(245, + 54, 54, 0.9)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(50, 172, 45, 0.97)\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"ops\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":8,\"x\":0,\"y\":4},\"id\":12,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m])), + 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\",\"step\":4}],\"thresholds\":\"\",\"title\":\"Incoming + Request Volume\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"current\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"rgba(50, + 172, 45, 0.97)\",\"rgba(237, 129, 40, 0.89)\",\"rgba(245, 54, 54, 
0.9)\"],\"datasource\":\"Prometheus\",\"decimals\":null,\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"percentunit\",\"gauge\":{\"maxValue\":100,\"minValue\":80,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":false},\"gridPos\":{\"h\":4,\"w\":8,\"x\":8,\"y\":4},\"id\":14,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\"}[5m])) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\",destination_workload_namespace=~\\\"$namespace\\\",destination_workload=~\\\"$workload\\\"}[5m]))\",\"format\":\"time_series\",\"intervalFactor\":1,\"refId\":\"A\"}],\"thresholds\":\"95, + 99, 99.5\",\"title\":\"Incoming Success Rate (non-5xx 
responses)\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":4,\"w\":8,\"x\":16,\"y\":4},\"hiddenSeries\":false,\"id\":87,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":false,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":true,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"interval\":\"\",\"intervalFactor\":1,\"legendFormat\":\"P50\",\"refId\":\"A\"},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by 
(le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P90\",\"refId\":\"B\"},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le)) / 1000) or + histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\",destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\"}[1m])) by (le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"P99\",\"refId\":\"C\"}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Request + Duration\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":0,\"y\":8},\"id\":84,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Server Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"},{\"cacheTimeout\":null,\"colorBackground\":false,\"colorValue\":false,\"colors\":[\"#299c46\",\"rgba(237, + 129, 40, 0.89)\",\"#d44a3a\"],\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"format\":\"Bps\",\"gauge\":{\"maxValue\":100,\"minValue\":0,\"show\":false,\"thresholdLabels\":false,\"thresholdMarkers\":true},\"gridPos\":{\"h\":4,\"w\":12,\"x\":12,\"y\":8},\"id\":85,\"interval\":null,\"links\":[],\"options\":{\"colorMode\":\"value\",\"graphMode\":\"area\",\"justifyMode\":\"auto\",\"orientation\":\"horizontal\",\"reduceOptions\":{\"calcs\":[\"lastNotNull\"],\"fields\":\"\",\"values\":false},\"textMode\":\"auto\"},\"mappingType\":1,\"mappingTypes\":[{\"name\":\"value + to text\",\"value\":1},{\"name\":\"range to 
text\",\"value\":2}],\"maxDataPoints\":100,\"nullPointMode\":\"connected\",\"nullText\":null,\"postfix\":\"\",\"postfixFontSize\":\"50%\",\"prefix\":\"\",\"prefixFontSize\":\"50%\",\"rangeMaps\":[{\"from\":\"null\",\"text\":\"N/A\",\"to\":\"null\"}],\"sparkline\":{\"fillColor\":\"rgba(31, + 118, 189, 0.18)\",\"full\":true,\"lineColor\":\"rgb(31, 120, 193)\",\"show\":true},\"tableColumn\":\"\",\"targets\":[{\"expr\":\"sum(irate(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\"}[1m])) + + sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\"}[1m]))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"\",\"refId\":\"A\"}],\"thresholds\":\"\",\"title\":\"TCP + Client Traffic\",\"type\":\"singlestat\",\"valueFontSize\":\"80%\",\"valueMaps\":[{\"op\":\"=\",\"text\":\"N/A\",\"value\":\"null\"}],\"valueName\":\"avg\"}],\"title\":\"General\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":1},\"id\":93,\"panels\":[{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":13},\"id\":45,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nINBOUND WORKLOADS\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":16},\"hiddenSeries\":false,\"id\":25,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + reporter=~\\\"$qrep\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace, response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} : {{ response_code 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Requests By Source And Response Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":16},\"hiddenSeries\":false,\"id\":26,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, 
source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[5m])) by (source_workload, source_workload_namespace) + / sum(irate(istio_requests_total{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[5m])) + by (source_workload, source_workload_namespace)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Success Rate (non-5xx responses) By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":22},\"hiddenSeries\":false,\"id\":27,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, sum(irate(istio_request_duration_milliseconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Duration By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":22},\"hiddenSeries\":false,\"id\":28,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Incoming + Request Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":22},\"hiddenSeries\":false,\"id\":68,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + 
source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + \ P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", connection_security_policy!=\\\"mutual_tls\\\", + destination_workload=~\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + 
P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload=~\\\"$workload\\\", + destination_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$srcwl\\\", + source_workload_namespace=~\\\"$srcns\\\"}[1m])) by (source_workload, source_workload_namespace, + le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{source_workload}}.{{source_workload_namespace}} + P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Source\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":28},\"hiddenSeries\":false,\"id\":80,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{reporter=~\\\"$qrep\\\", + connection_security_policy!=\\\"mutual_tls\\\", destination_workload_namespace=~\\\"$namespace\\\", + destination_workload=~\\\"$workload\\\", source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, 
source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":28},\"hiddenSeries\":false,\"id\":82,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}} 
(\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=~\\\"$qrep\\\", destination_workload_namespace=~\\\"$namespace\\\", destination_workload=~\\\"$workload\\\", + source_workload=~\\\"$srcwl\\\", source_workload_namespace=~\\\"$srcns\\\"}[1m])) + by (source_workload, source_workload_namespace), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + source_workload }}.{{ source_workload_namespace}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent to Incoming TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Inbound + Workloads\",\"type\":\"row\"},{\"collapsed\":true,\"gridPos\":{\"h\":1,\"w\":24,\"x\":0,\"y\":2},\"id\":91,\"panels\":[{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"gridPos\":{\"h\":3,\"w\":24,\"x\":0,\"y\":14},\"id\":69,\"links\":[],\"mode\":\"html\",\"options\":{\"content\":\"
\\nOUTBOUND SERVICES\\n
\",\"mode\":\"html\"},\"pluginVersion\":\"7.1.0\",\"title\":\"\",\"transparent\":true,\"type\":\"text\"},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":0,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":17},\"hiddenSeries\":false,\"id\":70,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null + as zero\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal=~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_requests_total{destination_principal!~\\\"spiffe.*\\\", + source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + reporter=\\\"source\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) by (destination_service, + response_code), 0.001)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} : {{ response_code }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Requests By Destination And Response 
Code\",\"tooltip\":{\"shared\":false,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[\"total\"]},\"yaxes\":[{\"format\":\"ops\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":17},\"hiddenSeries\":false,\"id\":71,\"legend\":{\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", 
source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\",response_code!~\\\"5.*\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service) / sum(irate(istio_requests_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[5m])) + by (destination_service)\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Success Rate (non-5xx responses) By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"percentunit\",\"label\":null,\"logBase\":1,\"max\":\"1.01\",\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"description\":\"\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":0,\"y\":23},\"hiddenSeries\":false,\"id\":72,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"hideZero\":false,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"(histogram_quantile(0.50, + 
sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"(histogram_quantile(0.50, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + 
destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"(histogram_quantile(0.90, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"(histogram_quantile(0.95, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"(histogram_quantile(0.99, + sum(irate(istio_request_duration_milliseconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le)) / 1000) or 
histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload=~\\\"$workload\\\", + source_workload_namespace=~\\\"$namespace\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Request Duration By Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"s\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":8,\"y\":23},\"hiddenSeries\":false,\"id\":73,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + 
destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_request_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Outgoing + Request Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":8,\"x\":16,\"y\":23},\"hiddenSeries\":false,\"id\":74,\"legend\":{\"alignAsTable\":false,\"avg\":false,\"current\":false,\"hideEmpty\":true,\"max\":false,\"min\":false,\"rightSide\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50 (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, 
le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P90 (\U0001F510mTLS)\",\"refId\":\"B\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95 (\U0001F510mTLS)\",\"refId\":\"C\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99 (\U0001F510mTLS)\",\"refId\":\"D\",\"step\":2},{\"expr\":\"histogram_quantile(0.50, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P50\",\"refId\":\"E\",\"step\":2},{\"expr\":\"histogram_quantile(0.90, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} 
P90\",\"refId\":\"F\",\"step\":2},{\"expr\":\"histogram_quantile(0.95, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P95\",\"refId\":\"G\",\"step\":2},{\"expr\":\"histogram_quantile(0.99, + sum(irate(istio_response_bytes_bucket{reporter=\\\"source\\\", connection_security_policy!=\\\"mutual_tls\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service, le))\",\"format\":\"time_series\",\"hide\":false,\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} P99\",\"refId\":\"H\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Response + Size By 
Destination\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"decbytes\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":false}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":0,\"y\":29},\"hiddenSeries\":false,\"id\":76,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_received_bytes_total{connection_security_policy!=\\\"mutual_tls\\\", + reporter=\\\"source\\\", source_workload_namespace=~\\\"$namespace\\\", source_workload=~\\\"$workload\\\", + destination_service=~\\\"$dstsvc\\\"}[1m])) by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service 
}}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Sent on Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}},{\"aliasColors\":{},\"bars\":false,\"dashLength\":10,\"dashes\":false,\"datasource\":\"Prometheus\",\"fieldConfig\":{\"defaults\":{\"custom\":{}},\"overrides\":[]},\"fill\":1,\"fillGradient\":0,\"gridPos\":{\"h\":6,\"w\":12,\"x\":12,\"y\":29},\"hiddenSeries\":false,\"id\":78,\"legend\":{\"avg\":false,\"current\":false,\"max\":false,\"min\":false,\"show\":true,\"total\":false,\"values\":false},\"lines\":true,\"linewidth\":1,\"links\":[],\"nullPointMode\":\"null\",\"percentage\":false,\"pluginVersion\":\"7.1.0\",\"pointradius\":5,\"points\":false,\"renderer\":\"flot\",\"seriesOverrides\":[],\"spaceLength\":10,\"stack\":false,\"steppedLine\":false,\"targets\":[{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }} (\U0001F510mTLS)\",\"refId\":\"A\",\"step\":2},{\"expr\":\"round(sum(irate(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + connection_security_policy!=\\\"mutual_tls\\\", source_workload_namespace=~\\\"$namespace\\\", + source_workload=~\\\"$workload\\\", destination_service=~\\\"$dstsvc\\\"}[1m])) + by (destination_service), 
0.001)\",\"format\":\"time_series\",\"intervalFactor\":1,\"legendFormat\":\"{{ + destination_service }}\",\"refId\":\"B\",\"step\":2}],\"thresholds\":[],\"timeFrom\":null,\"timeRegions\":[],\"timeShift\":null,\"title\":\"Bytes + Received from Outgoing TCP Connection\",\"tooltip\":{\"shared\":true,\"sort\":0,\"value_type\":\"individual\"},\"type\":\"graph\",\"xaxis\":{\"buckets\":null,\"mode\":\"time\",\"name\":null,\"show\":true,\"values\":[]},\"yaxes\":[{\"format\":\"Bps\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":\"0\",\"show\":true},{\"format\":\"short\",\"label\":null,\"logBase\":1,\"max\":null,\"min\":null,\"show\":true}],\"yaxis\":{\"align\":false,\"alignLevel\":null}}],\"title\":\"Outbound + Services\",\"type\":\"row\"}],\"refresh\":\"1m\",\"schemaVersion\":26,\"style\":\"dark\",\"tags\":[],\"templating\":{\"list\":[{\"current\":{\"selected\":true,\"text\":\"default\",\"value\":\"default\"},\"hide\":0,\"includeAll\":false,\"label\":null,\"multi\":false,\"name\":\"datasource\",\"options\":[],\"query\":\"prometheus\",\"queryValue\":\"\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"type\":\"datasource\"},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Namespace\",\"multi\":false,\"name\":\"namespace\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total) + by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*_namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":0,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Workload\",\"multi\":false,\"name\":\"workload\",\"options\":[],\"query\":\"query_result((sum(istio_requests_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by 
(destination_workload) or sum(istio_requests_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\\\"$namespace\\\"}) + by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload)))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":1,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{\"selected\":true,\"text\":\"destination\",\"value\":\"destination\"},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":false,\"label\":\"Reporter\",\"multi\":true,\"name\":\"qrep\",\"options\":[],\"query\":\"label_values(reporter)\",\"refresh\":1,\"regex\":\"\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + Workload Namespace\",\"multi\":true,\"name\":\"srcns\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\"}) + by (source_workload_namespace))\",\"refresh\":1,\"regex\":\"/.*namespace=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":2,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Inbound + 
Workload\",\"multi\":true,\"name\":\"srcwl\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=~\\\"$qrep\\\", + destination_workload=\\\"$workload\\\", destination_workload_namespace=~\\\"$namespace\\\", + source_workload_namespace=~\\\"$srcns\\\"}) by (source_workload))\",\"refresh\":1,\"regex\":\"/.*workload=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":3,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false},{\"allValue\":null,\"current\":{},\"datasource\":\"Prometheus\",\"definition\":\"\",\"hide\":0,\"includeAll\":true,\"label\":\"Destination + Service\",\"multi\":true,\"name\":\"dstsvc\",\"options\":[],\"query\":\"query_result(sum(istio_requests_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\\\"source\\\", + source_workload=~\\\"$workload\\\", source_workload_namespace=~\\\"$namespace\\\"}) + by (destination_service))\",\"refresh\":1,\"regex\":\"/.*destination_service=\\\"([^\\\"]*).*/\",\"skipUrlSync\":false,\"sort\":4,\"tagValuesQuery\":\"\",\"tags\":[],\"tagsQuery\":\"\",\"type\":\"query\",\"useTags\":false}]},\"time\":{\"from\":\"now-5m\",\"to\":\"now\"},\"timepicker\":{\"refresh_intervals\":[\"5m\",\"15m\",\"30m\",\"1h\",\"2h\",\"1d\"],\"time_options\":[\"5m\",\"15m\",\"1h\",\"6h\",\"12h\",\"24h\",\"2d\",\"7d\",\"30d\"]},\"timezone\":\"\",\"title\":\"Istio + Workload Dashboard\",\"uid\":\"UbsSZTDik\",\"version\":1}\n" +kind: ConfigMap +metadata: + creationTimestamp: null + name: istio-services-grafana-dashboards + namespace: istio-system 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/jaeger.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/jaeger.yaml
new file mode 100644
index 000000000..d97c07641
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/jaeger.yaml
@@ -0,0 +1,117 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jaeger
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ selector:
+ matchLabels:
+ app: jaeger
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ annotations:
+ sidecar.istio.io/inject: "false"
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "14269"
+ spec:
+ containers:
+ - name: jaeger
+ image: "docker.io/jaegertracing/all-in-one:1.23"
+ env:
+ - name: BADGER_EPHEMERAL
+ value: "false"
+ - name: SPAN_STORAGE_TYPE
+ value: "badger"
+ - name: BADGER_DIRECTORY_VALUE
+ value: "/badger/data"
+ - name: BADGER_DIRECTORY_KEY
+ value: "/badger/key"
+ - name: COLLECTOR_ZIPKIN_HOST_PORT
+ value: ":9411"
+ - name: MEMORY_MAX_TRACES
+ value: "50000"
+ - name: QUERY_BASE_PATH
+ value: /jaeger
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 14269
+ volumeMounts:
+ - name: data
+ mountPath: /badger
+ resources:
+ requests:
+ cpu: 10m
+ volumes:
+ - name: data
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: tracing
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: 16686
+ # Note: Change port name if you add '--query.grpc.tls.enabled=true'
+ - name: grpc-query
+ port: 16685
+ protocol: TCP
+ targetPort: 16685
+ selector:
+ app: jaeger
+---
+# Jaeger implements the Zipkin API. To support swapping out the tracing backend, we use a Service named Zipkin.
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ name: zipkin
+ name: zipkin
+ namespace: istio-system
+spec:
+ ports:
+ - port: 9411
+ targetPort: 9411
+ name: http-query
+ selector:
+ app: jaeger
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jaeger-collector
+ namespace: istio-system
+ labels:
+ app: jaeger
+spec:
+ type: ClusterIP
+ ports:
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ - name: jaeger-collector-grpc
+ port: 14250
+ targetPort: 14250
+ protocol: TCP
+ - port: 9411
+ targetPort: 9411
+ name: http-zipkin
+ selector:
+ app: jaeger
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/kiali.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/kiali.yaml
new file mode 100644
index 000000000..4e5986e7e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/kiali.yaml
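Review bot: The jaeger pod template sets no `securityContext` at all, while the kiali Deployment added in the same commit runs with `runAsNonRoot: true` and `allowPrivilegeEscalation: false`; the two sample workloads land in the same `istio-system` namespace, so the weaker one should be brought in line, e.g. on the container `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true}` (verify the all-in-one image's default user is non-root before enabling the latter, or set `runAsUser` explicitly). Separately, `BADGER_EPHEMERAL: "false"` is paired with an `emptyDir` volume, so trace data is still discarded whenever the pod is rescheduled; a comment on the volume such as `# emptyDir: badger data does not survive pod rescheduling; use a PVC for retention` would keep operators from assuming the env var gives persistence. The container also has only a `cpu` request and no memory limit, although `MEMORY_MAX_TRACES` suggests memory is the resource that matters here.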
@@ -0,0 +1,515 @@
+---
+# Source: kiali-server/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+...
+---
+# Source: kiali-server/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+data:
+ config.yaml: |
+ auth:
+ openid: {}
+ openshift:
+ client_id_prefix: kiali
+ strategy: anonymous
+ deployment:
+ accessible_namespaces:
+ - '**'
+ additional_service_yaml: {}
+ affinity:
+ node: {}
+ pod: {}
+ pod_anti: {}
+ hpa:
+ api_version: autoscaling/v2beta2
+ spec: {}
+ image_name: quay.io/kiali/kiali
+ image_pull_policy: Always
+ image_pull_secrets: []
+ image_version: v1.38
+ ingress_enabled: false
+ instance_name: kiali
+ logger:
+ log_format: text
+ log_level: info
+ sampler_rate: "1"
+ time_field_format: 2006-01-02T15:04:05Z07:00
+ namespace: istio-system
+ node_selector: {}
+ override_ingress_yaml:
+ metadata: {}
+ pod_annotations:
+ sidecar.istio.io/inject: "false"
+ pod_labels: {}
+ priority_class_name: ""
+ replicas: 1
+ resources: {}
+ secret_name: kiali
+ service_annotations: {}
+ service_type: ""
+ tolerations: []
+ version_label: v1.38.0
+ view_only_mode: false
+ external_services:
+ custom_dashboards:
+ enabled: true
+ identity:
+ cert_file: ""
+ private_key_file: ""
+ istio_namespace: istio-system
+ login_token:
+ signing_key: CHANGEME
+ server:
+ metrics_enabled: true
+ metrics_port: 9090
+ port: 20001
+ web_root: /kiali
+...
+---
+# Source: kiali-server/templates/role-viewer.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali-viewer
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["iter8.tools"]
+ resources:
+ - experiments
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+...
+---
+# Source: kiali-server/templates/role.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+rules:
+- apiGroups: [""]
+ resources:
+ - configmaps
+ - endpoints
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: [""]
+ resources:
+ - namespaces
+ - pods
+ - replicationcontrollers
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: [""]
+ resources:
+ - pods/portforward
+ verbs:
+ - create
+ - post
+- apiGroups: ["extensions", "apps"]
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups:
+ - networking.istio.io
+ - security.istio.io
+ resources: ["*"]
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+- apiGroups: ["project.openshift.io"]
+ resources:
+ - projects
+ verbs:
+ - get
+- apiGroups: ["route.openshift.io"]
+ resources:
+ - routes
+ verbs:
+ - get
+- apiGroups: ["iter8.tools"]
+ resources:
+ - experiments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+- apiGroups: ["authentication.k8s.io"]
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+...
+---
+# Source: kiali-server/templates/rolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kiali
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiali
+subjects:
+- kind: ServiceAccount
+ name: kiali
+ namespace: istio-system
+...
+---
+# Source: kiali-server/templates/role-controlplane.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kiali-controlplane
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+rules:
+- apiGroups: [""]
+ resources:
+ - secrets
+ verbs:
+ - list
+...
+---
+# Source: kiali-server/templates/rolebinding-controlplane.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kiali-controlplane
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kiali-controlplane
+subjects:
+- kind: ServiceAccount
+ name: kiali
+ namespace: istio-system
+...
+---
+# Source: kiali-server/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+ annotations:
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: 20001
+ - name: http-metrics
+ protocol: TCP
+ port: 9090
+ selector:
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+...
+---
+# Source: kiali-server/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kiali
+ namespace: istio-system
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ strategy:
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 1
+ type: RollingUpdate
+ template:
+ metadata:
+ name: kiali
+ labels:
+ helm.sh/chart: kiali-server-1.38.0
+ app: kiali
+ app.kubernetes.io/name: kiali
+ app.kubernetes.io/instance: kiali
+ version: "v1.38.0"
+ app.kubernetes.io/version: "v1.38.0"
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: "kiali"
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9090"
+ kiali.io/dashboards: go,kiali
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: kiali
+ containers:
+ - image: "quay.io/kiali/kiali:v1.38"
+ imagePullPolicy: Always
+ name: kiali
+ command:
+ - "/opt/kiali/kiali"
+ - "-config"
+ - "/kiali-configuration/config.yaml"
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ ports:
+ - name: api-port
+ containerPort: 20001
+ - name: http-metrics
+ containerPort: 9090
+ readinessProbe:
+ httpGet:
+ path: /kiali/healthz
+ port: api-port
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ livenessProbe:
+ httpGet:
+ path: /kiali/healthz
+ port: api-port
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 30
+ env:
+ - name: ACTIVE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: LOG_LEVEL
+ value: "info"
+ - name: LOG_FORMAT
+ value: "text"
+ - name: LOG_TIME_FIELD_FORMAT
+ value: "2006-01-02T15:04:05Z07:00"
+ - name: LOG_SAMPLER_RATE
+ value: "1"
+ volumeMounts:
+ - name: kiali-configuration
+ mountPath: "/kiali-configuration"
+ - name: kiali-cert
+ mountPath: "/kiali-cert"
+ - name: kiali-secret
+ mountPath: "/kiali-secret"
+ - name: kiali-cabundle
+ mountPath: "/kiali-cabundle"
+ volumes:
+ - name: kiali-configuration
+ configMap:
+ name: kiali
+ - name: kiali-cert
+ secret:
+ secretName: istio.kiali-service-account
+ optional: true
+ - name: kiali-secret
+ secret:
+ secretName: kiali
+ optional: true
+ - name: kiali-cabundle
+ configMap:
+ name: kiali-cabundle
+ optional: true
+...
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/addons/prometheus.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/prometheus.yaml
new file mode 100644
index 000000000..0ff518aa0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/addons/prometheus.yaml
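Review bot: The kiali ConfigMap ships `strategy: anonymous` together with the placeholder `signing_key: CHANGEME` and `accessible_namespaces: ['**']`, and the ClusterRoleBinding in the same hunk attaches the `kiali` ServiceAccount to the `kiali` ClusterRole rather than `kiali-viewer`; that role carries `create`, `delete` and `patch` on all `networking.istio.io` and `security.istio.io` resources, so anyone who can reach port 20001 can rewrite mesh routing and authorization policy without logging in. For anything beyond a throwaway cluster, change `strategy: anonymous` to `strategy: token` (or `openid`), switch the ClusterRoleBinding's `roleRef.name` to `kiali-viewer` unless write access through the UI is actually required, and replace `CHANGEME` with a randomly generated value that is not committed to the repo (the Deployment already mounts an optional `kiali` Secret, which looks like the intended home for it — confirm against the Kiali docs for this version). A comment next to the three settings, e.g. `# sample defaults: anonymous auth + placeholder signing key + cluster-wide write RBAC; do not deploy as-is`, would make the hazard visible to whoever applies this from the terraform module. Also `image: "quay.io/kiali/kiali:v1.38"` with `imagePullPolicy: Always` is a floating minor tag, so a rollout can silently pick up a different build than was reviewed; pin to `v1.38.0` (the value already used in `version_label`) or a digest.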
@@ -0,0 +1,487 @@
+---
+# Source: prometheus/templates/server/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ component: "server"
+ app: prometheus
+ release: prometheus
+ chart: prometheus-14.3.0
+ heritage: Helm
+ name: prometheus
+ namespace: istio-system
+ annotations:
+ {}
+---
+# Source: prometheus/templates/server/cm.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ component: "server"
+ app: prometheus
+ release: prometheus
+ chart: prometheus-14.3.0
+ heritage: Helm
+ name: prometheus
+ namespace: istio-system
+data:
+ alerting_rules.yml: |
+ {}
+ alerts: |
+ {}
+ prometheus.yml: |
+ global:
+ evaluation_interval: 1m
+ scrape_interval: 15s
+ scrape_timeout: 10s
+ rule_files:
+ - /etc/config/recording_rules.yml
+ - /etc/config/alerting_rules.yml
+ - /etc/config/rules
+ - /etc/config/alerts
+ scrape_configs:
+ - job_name: prometheus
+ static_configs:
+ - targets:
+ - localhost:9090
+ - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ job_name: kubernetes-apiservers
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - action: keep
+ regex: default;kubernetes;https
+ source_labels:
+ - __meta_kubernetes_namespace
+ - __meta_kubernetes_service_name
+ - __meta_kubernetes_endpoint_port_name
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ insecure_skip_verify: true
+ - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ job_name: kubernetes-nodes
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - replacement: kubernetes.default.svc:443
+ target_label: __address__
+ - regex: (.+)
+ replacement: /api/v1/nodes/$1/proxy/metrics
+ source_labels:
+ - __meta_kubernetes_node_name
+ target_label: __metrics_path__
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ insecure_skip_verify: true
+ - bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ job_name: kubernetes-nodes-cadvisor
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - replacement: kubernetes.default.svc:443
+ target_label: __address__
+ - regex: (.+)
+ replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor
+ source_labels:
+ - __meta_kubernetes_node_name
+ target_label: __metrics_path__
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ insecure_skip_verify: true
+ - job_name: kubernetes-service-endpoints
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - action: keep
+ regex: true
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_scrape
+ - action: replace
+ regex: (https?)
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_scheme
+ target_label: __scheme__
+ - action: replace
+ regex: (.+)
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_path
+ target_label: __metrics_path__
+ - action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ source_labels:
+ - __address__
+ - __meta_kubernetes_service_annotation_prometheus_io_port
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_namespace
+ target_label: kubernetes_namespace
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_service_name
+ target_label: kubernetes_name
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_pod_node_name
+ target_label: kubernetes_node
+ - job_name: kubernetes-service-endpoints-slow
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - action: keep
+ regex: true
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_scrape_slow
+ - action: replace
+ regex: (https?)
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_scheme
+ target_label: __scheme__
+ - action: replace
+ regex: (.+)
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_path
+ target_label: __metrics_path__
+ - action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ source_labels:
+ - __address__
+ - __meta_kubernetes_service_annotation_prometheus_io_port
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_namespace
+ target_label: kubernetes_namespace
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_service_name
+ target_label: kubernetes_name
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_pod_node_name
+ target_label: kubernetes_node
+ scrape_interval: 5m
+ scrape_timeout: 30s
+ - honor_labels: true
+ job_name: prometheus-pushgateway
+ kubernetes_sd_configs:
+ - role: service
+ relabel_configs:
+ - action: keep
+ regex: pushgateway
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_probe
+ - job_name: kubernetes-services
+ kubernetes_sd_configs:
+ - role: service
+ metrics_path: /probe
+ params:
+ module:
+ - http_2xx
+ relabel_configs:
+ - action: keep
+ regex: true
+ source_labels:
+ - __meta_kubernetes_service_annotation_prometheus_io_probe
+ - source_labels:
+ - __address__
+ target_label: __param_target
+ - replacement: blackbox
+ target_label: __address__
+ - source_labels:
+ - __param_target
+ target_label: instance
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels:
+ - __meta_kubernetes_namespace
+ target_label: kubernetes_namespace
+ - source_labels:
+ - __meta_kubernetes_service_name
+ target_label: kubernetes_name
+ - job_name: kubernetes-pods
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - action: keep
+ regex: true
+ source_labels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_scrape
+ - action: replace
+ regex: (https?)
+ source_labels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_scheme
+ target_label: __scheme__
+ - action: replace
+ regex: (.+)
+ source_labels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_path
+ target_label: __metrics_path__
+ - action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ source_labels:
+ - __address__
+ - __meta_kubernetes_pod_annotation_prometheus_io_port
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_namespace
+ target_label: kubernetes_namespace
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_pod_name
+ target_label: kubernetes_pod_name
+ - action: drop
+ regex: Pending|Succeeded|Failed
+ source_labels:
+ - __meta_kubernetes_pod_phase
+ - job_name: kubernetes-pods-slow
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - action: keep
+ regex: true
+ source_labels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_scrape_slow
+ - action: replace
+ regex: (https?)
+ source_labels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_scheme
+ target_label: __scheme__
+ - action: replace
+ regex: (.+)
+ source_labels:
+ - __meta_kubernetes_pod_annotation_prometheus_io_path
+ target_label: __metrics_path__
+ - action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ source_labels:
+ - __address__
+ - __meta_kubernetes_pod_annotation_prometheus_io_port
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_namespace
+ target_label: kubernetes_namespace
+ - action: replace
+ source_labels:
+ - __meta_kubernetes_pod_name
+ target_label: kubernetes_pod_name
+ - action: drop
+ regex: Pending|Succeeded|Failed
+ source_labels:
+ - __meta_kubernetes_pod_phase
+ scrape_interval: 5m
+ scrape_timeout: 30s
+ recording_rules.yml: |
+ {}
+ rules: |
+ {}
+---
+# Source: prometheus/templates/server/clusterrole.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ component: "server"
+ app: prometheus
+ release: prometheus
+ chart: prometheus-14.3.0
+ heritage: Helm
+ name: prometheus
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ - nodes/proxy
+ - nodes/metrics
+ - services
+ - endpoints
+ - pods
+ - ingresses
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "extensions"
+ - "networking.k8s.io"
+ resources:
+ - ingresses/status
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+---
+# Source: prometheus/templates/server/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ component: "server"
+ app: prometheus
+ release: prometheus
+ chart: prometheus-14.3.0
+ heritage: Helm
+ name: prometheus
+subjects:
+ - kind: ServiceAccount
+ name: prometheus
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus
+---
+# Source: prometheus/templates/server/service.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-14.3.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + component: "server" + app: prometheus + release: prometheus + sessionAffinity: None + type: "ClusterIP" +--- +# Source: prometheus/templates/server/deploy.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-14.3.0 + heritage: Helm + name: prometheus + namespace: istio-system +spec: + selector: + matchLabels: + component: "server" + app: prometheus + release: prometheus + replicas: 1 + template: + metadata: + annotations: + + sidecar.istio.io/inject: "false" + labels: + component: "server" + app: prometheus + release: prometheus + chart: prometheus-14.3.0 + heritage: Helm + spec: + serviceAccountName: prometheus + containers: + - name: prometheus-server-configmap-reload + image: "jimmidyson/configmap-reload:v0.5.0" + imagePullPolicy: "IfNotPresent" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090/-/reload + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + + - name: prometheus-server + image: "prom/prometheus:v2.26.0" + imagePullPolicy: "IfNotPresent" + args: + - --storage.tsdb.retention.time=15d + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path=/data + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 4 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: /-/healthy + 
port: 9090 + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + resources: + {} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: /data + subPath: "" + hostNetwork: false + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + terminationGracePeriodSeconds: 300 + volumes: + - name: config-volume + configMap: + name: prometheus + - name: storage-volume + emptyDir: + {} diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/README.md new file mode 100644 index 000000000..7683b21b0 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/README.md 
@@ -0,0 +1,100 @@ +# Bookinfo Sample + +See . + +**Note**: We need the owner of the PR to perform the appropriate testing with built/pushed images to their own docker repository before we would build/push images to the official Istio repository. + +## Build docker images + +```bash +cd samples/bookinfo +src/build-services.sh +``` + +Where `` is the tag and `` is the docker registry to tag the images. + +For example: + +```bash +$ src/build-services.sh 1.16.3 docker.io/shamsher31 +Sending build context to Docker daemon 1.218MB +Step 1/16 : FROM python:3.7.7-slim +3.7.7-slim: Pulling from library/python +8559a31e96f4: Pull complete +... +Successfully built 1b293582cc2e +Successfully tagged shamsher31/examples-bookinfo-ratings-v2:1.16.3 +Successfully tagged shamsher31/examples-bookinfo-ratings-v2:latest +``` + +The bookinfo versions are different from Istio versions since the sample should work with any version of Istio. + +## Push docker images to docker hub + +After the local build is successful, you need to update the YAML file with the latest tag that you used during the build eg: `1.16.3`. + +Run the following script to build the docker images, push them to docker hub, and to update the YAML files in one step. + +```bash +./build_push_update_images.sh +``` + +For example: + +```bash +$ ./build_push_update_images.sh 1.16.3 --prefix=shamsher31 +... +1.16.3: digest: sha256:70634d3847a190b9826975c8 size: 3883 +Pushing: shamsher31/examples-bookinfo-reviews-v2:1.16.3 +The push refers to a repository [docker.io/shamsher31/examples-bookinfo-reviews-v2] +... +``` + +Verify that expected tag eg: `1.16.3` is updated in `platform/kube/bookinfo*.yaml` files. + +## Tests + +Test that the bookinfo samples work with the latest tag eg: `1.16.3` that you pushed. + +```bash +$ cd ../../ +$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml +serviceaccount/bookinfo-details created +deployment.apps/details-v1 created +serviceaccount/bookinfo-ratings created +... 
+``` + +Wait for all the pods to be in `Running` start. + +```bash +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +details-v1-7f556f5c6b-485l2 2/2 Running 0 10m +productpage-v1-84c8f95c8d-tlml2 2/2 Running 0 10m +ratings-v1-66777f856b-2ls78 2/2 Running 0 10m +reviews-v1-64c47f4f44-rx642 2/2 Running 0 10m +reviews-v2-66b6b95f44-s5nt6 2/2 Running 0 10m +reviews-v3-7f69dd7fd4-zjvc8 2/2 Running 0 10m +``` + +Once all the pods are in the `Running` state. Test if the bookinfo works through cli. + +```bash +$ kubectl exec -it "$(kubectl get pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl productpage:9080/productpage | grep -o ".*" +Simple Bookstore App +``` + +You can also test it by hitting productpage in the browser. + +```bash +http://192.168.39.116:31395/productpage +``` + +You should see the following in the browser. + +![star](https://user-images.githubusercontent.com/2920003/86032538-212ff900-ba55-11ea-9492-d4bc90656a02.png) + +**Note**: If everything works as mentioned above, request a new official set of images be built and pushed from the reviewer, and add another commit to the original PR with the version changes. + +Bookinfo is tested by istio.io integration tests. You can find them under [tests](https://github.com/istio/istio.io/tree/master/tests) in the [istio/istio.io](https://github.com/istio/istio.io) repository. diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/build_push_update_images.sh b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/build_push_update_images.sh new file mode 100755 index 000000000..470b2e5a6 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/build_push_update_images.sh 
@@ -0,0 +1,120 @@
+#!/bin/bash
+#
+# Copyright 2018 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+
+display_usage() {
+ echo
+ echo "USAGE: ./build_push_update_images.sh [-h|--help] [--prefix=value] [--scan-images]"
+ echo " version : Version of the sample app images (Required)"
+ echo " -h|--help : Prints usage information"
+ echo " --prefix: Use the value as the prefix for image names. By default, 'istio' is used"
+ echo -e " --scan-images : Enable security vulnerability scans for docker images \n\t\t\trelated to bookinfo sample apps. By default, this feature \n\t\t\tis disabled."
+ exit 1
+}
+
+# Check if there is atleast one input argument
+if [[ -z "$1" ]] ; then
+ echo "Missing version parameter"
+ display_usage
+else
+ VERSION="$1"
+ shift
+fi
+
+# Process the input arguments. By default, image scanning is disabled.
+PREFIX=istio
+ENABLE_IMAGE_SCAN=false
+echo "$@"
+for i in "$@"
+do
+ case "$i" in
+ --prefix=* )
+ PREFIX="${i#--prefix=}" ;;
+ --scan-images )
+ ENABLE_IMAGE_SCAN=true ;;
+ -h|--help )
+ echo
+ echo "Build the docker images for bookinfo sample apps, push them to docker hub and update the yaml files."
+ display_usage ;;
+ * )
+ echo "Unknown argument: $i"
+ display_usage ;;
+ esac
+done
+
+#Build docker images
+src/build-services.sh "${VERSION}" "${PREFIX}"
+
+#get all the new image names and tags
+for v in ${VERSION} "latest"
+do
+ IMAGES+=$(docker images -f reference="${PREFIX}/examples-bookinfo*:$v" --format "{{.Repository}}:$v")
+ IMAGES+=" "
+done
+
+# check that $IMAGES contains the images we've just built
+if [[ "${IMAGES}" =~ ^\ +$ ]] ; then
+ echo "Found no images matching prefix \"${PREFIX}/examples-bookinfo\"."
+ echo "Try running the script without specifying the image registry in --prefix (e.g. --prefix=/foo instead of --prefix=docker.io/foo)."
+ exit 1
+fi
+
+#
+# Run security vulnerability scanning on bookinfo sample app images using
+# the ImageScanner tool. If the reuqest is handled successfully, it gives
+# the output in JSON format which has the following format:
+# {
+# "Progress": "Scan completed: OK",
+# "Results": {
+# "ID": "94be3d24-cd0b-402c-837c-99d453ec8797",
+# "Scan_Time": 1559143715,
+# "Status": "OK",
+# "Vulnerabilities": [],
+# "Configuration_Issues": []
+# }
+# }
+#
+function run_vulnerability_scanning() {
+ RESULT_DIR="vulnerability_scan_results"
+ CURL_RESPONSE=$(curl -s --create-dirs -o "$RESULT_DIR/$1_$VERSION" -w "%{http_code}" http://imagescanner.cloud.ibm.com/scan?image="$2")
+ if [ "$CURL_RESPONSE" -eq 200 ]; then
+ mv "$RESULT_DIR/$1_$VERSION" "$RESULT_DIR/$1_$VERSION.json"
+ fi
+}
+
+# Push images. Scan images if ENABLE_IMAGE_SCAN is true.
+for IMAGE in ${IMAGES};
+do
+ echo "Pushing: ${IMAGE}"
+ docker push "${IMAGE}";
+
+ # $IMAGE has the following format: istio/examples-bookinfo*:"$v".
+ # We want to get the sample app name from $IMAGE (the examples-bookinfo* portion)
+ # to create the file to store the results of the scan for that image. The first
+ # part of the $IMAGE_NAME gets examples-bookinfo*:"$v", and the second part gets
+ # 'examples-bookinfo*'.
+ if [[ "$ENABLE_IMAGE_SCAN" == "true" ]]; then
+ echo "Scanning ${IMAGE} for security vulnerabilities"
+ IMAGE_NAME=${IMAGE#*/}
+ IMAGE_NAME=${IMAGE_NAME%:*}
+ run_vulnerability_scanning "${IMAGE_NAME}" "${IMAGE}"
+ fi
+done
+
+#Update image references in the yaml files
+find . -name "*bookinfo*.yaml" -exec sed -i.bak "s/image:.*\\(\\/examples-bookinfo-.*\\):.*/image: ${PREFIX//\//\\\/}\\1:$VERSION/g" {} +
+
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/bookinfo-gateway.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/bookinfo-gateway.yaml
new file mode 100644
index 000000000..951f069f3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/bookinfo-gateway.yaml
@@ -0,0 +1,41 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: bookinfo-gateway
+spec:
+ selector:
+ istio: ingressgateway # use istio default controller
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: bookinfo
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - bookinfo-gateway
+ http:
+ - match:
+ - uri:
+ exact: /productpage
+ - uri:
+ prefix: /static
+ - uri:
+ exact: /login
+ - uri:
+ exact: /logout
+ - uri:
+ prefix: /api/v1/products
+ route:
+ - destination:
+ host: productpage
+ port:
+ number: 9080
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/certmanager-gateway.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/certmanager-gateway.yaml
new file mode 100644
index 000000000..3fa653780
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/certmanager-gateway.yaml
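Review bot: `run_vulnerability_scanning` fetches the scan verdict from `http://imagescanner.cloud.ibm.com/scan?image=...` over plain HTTP, so the JSON written under `vulnerability_scan_results/` — the input to a security decision about the image — can be read or altered in transit; if the service offers TLS the URL should be `https://`. The image reference in `"$2"` is spliced into the query string unencoded; `curl -sG --data-urlencode "image=$2" ...` lets curl encode it. `echo "$@"` before the argument loop reads as leftover debugging output, and `sed -i.bak` at the end leaves a `.bak` copy next to every `*bookinfo*.yaml`.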
@@ -0,0 +1,35 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: cert-manager-gateway + namespace: istio-system +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: cert-manager + namespace: istio-system +spec: + hosts: + - "*" + gateways: + - cert-manager-gateway + http: + - match: + - uri: + prefix: /.well-known/acme-challenge/ + route: + - destination: + host: cert-manager-resolver + port: + number: 8089 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-all-mtls.yaml new file mode 100644 index 000000000..2a19c3fb4 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-all-mtls.yaml 
@@ -0,0 +1,74 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: productpage +spec: + host: productpage + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: reviews +spec: + host: reviews + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v3 + labels: + version: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ratings +spec: + host: ratings + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v2-mysql + labels: + version: v2-mysql + - name: v2-mysql-vm + labels: + version: v2-mysql-vm +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: details +spec: + host: details + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-all.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-all.yaml new file mode 100644 index 000000000..96be6993a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-all.yaml 
@@ -0,0 +1,62 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: productpage +spec: + host: productpage + subsets: + - name: v1 + labels: + version: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: reviews +spec: + host: reviews + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v3 + labels: + version: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ratings +spec: + host: ratings + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v2-mysql + labels: + version: v2-mysql + - name: v2-mysql-vm + labels: + version: v2-mysql-vm +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: details +spec: + host: details + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-reviews.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-reviews.yaml new file mode 100644 index 000000000..69f30f1d9 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/destination-rule-reviews.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: reviews +spec: + host: reviews + trafficPolicy: + loadBalancer: + simple: RANDOM + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v3 + labels: + version: v3 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/egress-rule-google-apis.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/egress-rule-google-apis.yaml new file mode 100644 index 000000000..d35e3ac1d --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/egress-rule-google-apis.yaml
@@ -0,0 +1,46 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: googleapis
+spec:
+ hosts:
+ - www.googleapis.com
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
+ - number: 443
+ name: https
+ protocol: HTTPS
+ resolution: DNS
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: rewrite-port-for-googleapis
+spec:
+ hosts:
+ - www.googleapis.com
+ http:
+ - match:
+ - port: 80
+ route:
+ - destination:
+ host: www.googleapis.com
+ port:
+ number: 443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: originate-tls-for-googleapis
+spec:
+ host: www.googleapis.com
+ trafficPolicy:
+ loadBalancer:
+ simple: ROUND_ROBIN
+ portLevelSettings:
+ - port:
+ number: 443
+ tls:
+ mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/fault-injection-details-v1.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/fault-injection-details-v1.yaml
new file mode 100644
index 000000000..c45509256
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/fault-injection-details-v1.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details
+ http:
+ - fault:
+ abort:
+ httpStatus: 555
+ percentage:
+ value: 100
+ route:
+ - destination:
+ host: details
+ subset: v1
+ - route:
+ - destination:
+ host: details
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details
+ subsets:
+ - name: v1
+ labels:
+ version: v1
\ No newline at end of file
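Review bot: `originate-tls-for-googleapis` sets `tls.mode: SIMPLE` with no `sni` and no `caCertificates`, and depending on the Istio release the sidecar may then originate TLS without validating the server certificate, so the port-80-to-443 rewrite gives encryption but not necessarily authentication of www.googleapis.com. Adding `sni: www.googleapis.com` to the `tls` block, and either `caCertificates` pointing at a trust bundle available to the proxy or a comment stating that verification relies on the proxy's defaults, would make the intent explicit. The comment on the `mode` line could also say that the plaintext leg on port 80 exists only between the application and its sidecar.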
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-all-v1.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-all-v1.yaml new file mode 100644 index 000000000..6811e31d9 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-all-v1.yaml @@ -0,0 +1,52 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: productpage +spec: + hosts: + - productpage + http: + - route: + - destination: + host: productpage + subset: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: details +spec: + hosts: + - details + http: + - route: + - destination: + host: details + subset: v1 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-details-v2.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-details-v2.yaml new file mode 100644 index 000000000..5f21fa530 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-details-v2.yaml @@ -0,0 +1,12 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: details +spec: + hosts: + - details + http: + - route: + - destination: + host: details + subset: v2 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-db.yaml new file mode 100644 index 000000000..1698ec247 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-db.yaml @@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v2 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml new file mode 100644 index 000000000..fdf882702 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml @@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v2-mysql-vm +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml new file mode 100644 index 000000000..03a700ead --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml 
@@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v2-mysql +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml new file mode 100644 index 000000000..51c6fe9c6 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - match: + - headers: + end-user: + exact: jason + fault: + abort: + percentage: + value: 100.0 + httpStatus: 500 + route: + - destination: + host: ratings + subset: v1 + - route: + - destination: + host: ratings + subset: v1 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml new file mode 100644 index 000000000..6c4e19dad --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml @@ -0,0 +1,25 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - match: + - headers: + end-user: + exact: jason + fault: + delay: + percentage: + value: 100.0 + fixedDelay: 7s + route: + - destination: + host: ratings + subset: v1 + - route: + - destination: + host: ratings + subset: v1 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml new file mode 100644 index 000000000..aad8c3175 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 + weight: 50 + - destination: + host: reviews + subset: v3 + weight: 50 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml new file mode 100644 index 000000000..7304d867d --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 + weight: 80 + - destination: + host: reviews + subset: v2 + weight: 20 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml new file mode 100644 index 000000000..d211dd16a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml 
@@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 + weight: 90 + - destination: + host: reviews + subset: v2 + weight: 10 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml new file mode 100644 index 000000000..fb3571368 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - match: + - headers: + end-user: + exact: jason + route: + - destination: + host: reviews + subset: v2 + - route: + - destination: + host: reviews + subset: v3 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml new file mode 100644 index 000000000..ea07efb29 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - match: + - headers: + end-user: + exact: jason + route: + - destination: + host: reviews + subset: v2 + - route: + - destination: + host: reviews + subset: v1 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml new file mode 100644 index 000000000..7ae7b8042 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v2 + weight: 50 + - destination: + host: reviews + subset: v3 + weight: 50 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-v3.yaml new file mode 100644 index 000000000..5da999d4f --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/networking/virtual-service-reviews-v3.yaml @@ -0,0 +1,12 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/README.md new file mode 100644 index 000000000..d1189bec3 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/README.md @@ -0,0 +1,2 @@ +See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio +docs for instructions on how to run this demo application. diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-certificate.yaml new file mode 100644 index 000000000..bce874dcd --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-certificate.yaml 
@@ -0,0 +1,37 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: istio-system
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: stage@istio.io
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: istio-ingressgateway-certs
+ namespace: istio-system
+spec:
+ secretName: istio-ingressgateway-certs
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: bookinfo.example.com
+ dnsNames:
+ - bookinfo.example.com
+ acme:
+ config:
+ - http01:
+ ingressClass: none
+ domains:
+ - bookinfo.example.com
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-db.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-db.yaml
new file mode 100644
index 000000000..98d6ebf4c
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-db.yaml
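Review bot: `ClusterIssuer` is a cluster-scoped resource, so the `namespace: istio-system` in its metadata is ignored and can be dropped. Both objects use the legacy `certmanager.k8s.io/v1alpha1` API group, which current cert-manager releases no longer serve (it was replaced by the `cert-manager.io` group), so a comment on the first line naming the cert-manager version this sample targets would save a failed apply. The issuer uses the Let's Encrypt staging endpoint, so the certificate placed in `istio-ingressgateway-certs` is not publicly trusted; `# staging issuer: certificates are for testing only and are not trusted by browsers` above `server:` would make that clear.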
@@ -0,0 +1,60 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Service +metadata: + name: mongodb + labels: + app: mongodb + service: mongodb +spec: + ports: + - port: 27017 + name: mongo + selector: + app: mongodb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mongodb-v1 + labels: + app: mongodb + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: mongodb + version: v1 + template: + metadata: + labels: + app: mongodb + version: v1 + spec: + containers: + - name: mongodb + image: docker.io/istio/examples-bookinfo-mongodb:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 27017 + volumeMounts: + - name: data-db + mountPath: /data/db + volumes: + - name: data-db + emptyDir: {} +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml new file mode 100644 index 000000000..a7a7bda31 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml 
@@ -0,0 +1,48 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Details service v2 +################################################################################################## +apiVersion: apps/v1 +kind: Deployment +metadata: + name: details-v2 + labels: + app: details + version: v2 +spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v2 + template: + metadata: + labels: + app: details + version: v2 + spec: + containers: + - name: details + image: docker.io/istio/examples-bookinfo-details-v2:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + env: + - name: DO_NOT_ENCRYPT + value: "true" + securityContext: + runAsUser: 1000 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-details.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-details.yaml new file mode 100644 index 000000000..a13b0737f --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-details.yaml 
@@ -0,0 +1,59 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Details service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details + service: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: details-v1 + labels: + app: details + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v1 + template: + metadata: + labels: + app: details + version: v1 + spec: + containers: + - name: details + image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ingress.yaml new file mode 100644 index 000000000..0a2bb9da9 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ingress.yaml 
@@ -0,0 +1,48 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +########################################################################### +# Ingress resource (gateway) +########################################################################## +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: gateway + annotations: + kubernetes.io/ingress.class: "istio" +spec: + rules: + - http: + paths: + - path: /productpage + backend: + serviceName: productpage + servicePort: 9080 + - path: /static/* + backend: + serviceName: productpage + servicePort: 9080 + - path: /login + backend: + serviceName: productpage + servicePort: 9080 + - path: /logout + backend: + serviceName: productpage + servicePort: 9080 + - path: /api/v1/products.* + backend: + serviceName: productpage + servicePort: 9080 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-mysql.yaml new file mode 100644 index 000000000..f4ad41e44 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-mysql.yaml 
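Review bot: The Ingress uses `apiVersion: networking.k8s.io/v1beta1`, which Kubernetes stopped serving in v1.22, so on a current EKS cluster this file fails to apply; the `v1` form needs `ingressClassName: istio` in place of the `kubernetes.io/ingress.class` annotation, `backend.service.name`/`backend.service.port.number` in place of `serviceName`/`servicePort`, and a mandatory `pathType` on every path. The wildcard and regex paths (`/static/*`, `/api/v1/products.*`) are Istio ingress-controller semantics rather than anything the Kubernetes Ingress spec defines, which is worth a comment above `rules:` if the file is retained.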
@@ -0,0 +1,79 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Mysql db services +# credentials: root/password +################################################################################################## +apiVersion: v1 +kind: Secret +metadata: + name: mysql-credentials +type: Opaque +data: + rootpasswd: cGFzc3dvcmQ= +--- +apiVersion: v1 +kind: Service +metadata: + name: mysqldb + labels: + app: mysqldb + service: mysqldb +spec: + ports: + - port: 3306 + name: tcp + selector: + app: mysqldb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mysqldb-v1 + labels: + app: mysqldb + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: mysqldb + version: v1 + template: + metadata: + labels: + app: mysqldb + version: v1 + spec: + containers: + - name: mysqldb + image: docker.io/istio/examples-bookinfo-mysqldb:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3306 + env: + - name: MYSQL_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: mysql-credentials + key: rootpasswd + args: ["--default-authentication-plugin","mysql_native_password"] + volumeMounts: + - name: var-lib-mysql + mountPath: /var/lib/mysql + volumes: + - name: var-lib-mysql + emptyDir: {} +--- 
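Review bot: `rootpasswd: cGFzc3dvcmQ=` is the base64 form of the literal `password` (the header comment even spells out `root/password`), so the MySQL root credential is committed to the repository and lands unchanged in every cluster this module provisions. The same value is repeated as a plain `MYSQL_DB_PASSWORD` env string in the bookinfo-ratings-v2-mysql-vm.yaml and bookinfo-ratings-v2-mysql.yaml hunks. If these samples are meant to be applied by the module rather than merely vendored, generate the secret at apply time (a Terraform `random_password` feeding a `kubernetes_secret`) and have the ratings deployments read it via `secretKeyRef` the way the mysqldb deployment already does; otherwise a comment such as `# DEMO CREDENTIAL: replace before use outside a throwaway cluster` at the top of the Secret would at least mark it.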
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml new file mode 100644 index 000000000..61c4b7f10 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml @@ -0,0 +1,31 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings + service: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml new file mode 100644 index 000000000..c97d701f8 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml 
@@ -0,0 +1,55 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v2-mysql-vm + labels: + app: ratings + version: v2-mysql-vm +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v2-mysql-vm + template: + metadata: + labels: + app: ratings + version: v2-mysql-vm + spec: + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 + imagePullPolicy: IfNotPresent + env: + # This assumes you registered your mysql vm as + # istioctl register -n vm mysqldb 1.2.3.4 3306 + - name: DB_TYPE + value: "mysql" + - name: MYSQL_DB_HOST + value: mysqldb.vm.svc.cluster.local + - name: MYSQL_DB_PORT + value: "3306" + - name: MYSQL_DB_USER + value: root + - name: MYSQL_DB_PASSWORD + value: password + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml new file mode 100644 index 000000000..bdf1afd7a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml 
@@ -0,0 +1,58 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v2-mysql + labels: + app: ratings + version: v2-mysql +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v2-mysql + template: + metadata: + labels: + app: ratings + version: v2-mysql + spec: + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 + imagePullPolicy: IfNotPresent + env: + # ratings-v2 will use mongodb as the default db backend. + # if you would like to use mysqldb then you can use this file + # which sets DB_TYPE = 'mysql' and the rest of the parameters shown + # here and also create the # mysqldb service using bookinfo-mysql.yaml + # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml + - name: DB_TYPE + value: "mysql" + - name: MYSQL_DB_HOST + value: mysqldb + - name: MYSQL_DB_PORT + value: "3306" + - name: MYSQL_DB_USER + value: root + - name: MYSQL_DB_PASSWORD + value: password + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml new file mode 100644 index 000000000..99cc79ff6 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml 
@@ -0,0 +1,65 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-ratings-v2 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v2 + labels: + app: ratings + version: v2 +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v2 + template: + metadata: + labels: + app: ratings + version: v2 + spec: + serviceAccountName: bookinfo-ratings-v2 + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v2:1.16.2 + imagePullPolicy: IfNotPresent + env: + # ratings-v2 will use mongodb as the default db backend. + # if you would like to use mysqldb then set DB_TYPE = 'mysql', set + # the rest of the parameters shown here and also create the + # mysqldb service using bookinfo-mysql.yaml + # - name: DB_TYPE #default to + # value: "mysql" + # - name: MYSQL_DB_HOST + # value: mysqldb + # - name: MYSQL_DB_PORT + # value: "3306" + # - name: MYSQL_DB_USER + # value: root + # - name: MYSQL_DB_PASSWORD + # value: password + - name: MONGO_DB_URL + value: mongodb://mongodb:27017/test + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings.yaml new file mode 100644 index 000000000..af37eaec3 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-ratings.yaml @@ -0,0 +1,59 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings + service: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v1 + labels: + app: ratings + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml new file mode 100644 index 000000000..6cd00ffb1 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml 
@@ -0,0 +1,58 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Reviews service v2 +################################################################################################## +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v2 + labels: + app: reviews + version: v2 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v2 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + securityContext: + runAsUser: 1000 + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo.yaml new file mode 100644 index 000000000..f14a58b19 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/bookinfo.yaml 
@@ -0,0 +1,343 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# This file defines the services, service accounts, and deployments for the Bookinfo sample. +# +# To apply all 4 Bookinfo services, their corresponding service accounts, and deployments: +# +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml +# +# Alternatively, you can deploy any resource separately: +# +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l service=reviews # reviews Service +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l account=reviews # reviews ServiceAccount +# kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -l app=reviews,version=v3 # reviews-v3 Deployment +################################################################################################## + +################################################################################################## +# Details service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details + service: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-details + labels: + account: details +--- +apiVersion: apps/v1 +kind: Deployment 
+metadata: + name: details-v1 + labels: + app: details + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: details + version: v1 + template: + metadata: + labels: + app: details + version: v1 + spec: + serviceAccountName: bookinfo-details + containers: + - name: details + image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings + service: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-ratings + labels: + account: ratings +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v1 + labels: + app: ratings + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + serviceAccountName: bookinfo-ratings + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 +--- +################################################################################################## +# Reviews service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: reviews + labels: + app: reviews + service: reviews +spec: + ports: + - port: 9080 + name: http + selector: + app: reviews +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-reviews + labels: + account: reviews +--- +apiVersion: apps/v1 +kind: Deployment 
+metadata: + name: reviews-v1 + labels: + app: reviews + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v1 + template: + metadata: + labels: + app: reviews + version: v1 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + securityContext: + runAsUser: 1000 + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v2 + labels: + app: reviews + version: v2 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v2 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output + securityContext: + runAsUser: 1000 + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reviews-v3 + labels: + app: reviews + version: v3 +spec: + replicas: 1 + selector: + matchLabels: + app: reviews + version: v3 + template: + metadata: + labels: + app: reviews + version: v3 + spec: + serviceAccountName: bookinfo-reviews + containers: + - name: reviews + image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2 + imagePullPolicy: IfNotPresent + env: + - name: LOG_DIR + value: "/tmp/logs" + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + - name: wlp-output + mountPath: /opt/ibm/wlp/output 
+ securityContext: + runAsUser: 1000 + volumes: + - name: wlp-output + emptyDir: {} + - name: tmp + emptyDir: {} +--- +################################################################################################## +# Productpage services +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage + service: productpage +spec: + ports: + - port: 9080 + name: http + selector: + app: productpage +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: bookinfo-productpage + labels: + account: productpage +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productpage-v1 + labels: + app: productpage + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: productpage + version: v1 + template: + metadata: + labels: + app: productpage + version: v1 + spec: + serviceAccountName: bookinfo-productpage + containers: + - name: productpage + image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + securityContext: + runAsUser: 1000 + volumes: + - name: tmp + emptyDir: {} +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/cleanup.sh b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/cleanup.sh new file mode 100755 index 000000000..18aaa8559 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/cleanup.sh 
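Review bot: Every deployment's `securityContext` sets only `runAsUser: 1000`; the restricted Pod Security Standard also requires `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, dropped capabilities and a seccomp profile, so clusters that enforce it will reject these pods, and none of the deployments carries resource requests/limits or readiness probes. The reviews and productpage pods already mount `/tmp` and `/opt/ibm/wlp/output` as `emptyDir`, which is exactly the groundwork needed to additionally set `readOnlyRootFilesystem: true`. If the intent is to keep upstream samples verbatim, a header comment noting that the module does not apply this file to production clusters would settle the question. This hunk runs across several physical lines in the diff.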
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+# only ask if in interactive mode
+if [[ -t 0 && -z ${NAMESPACE} ]];then
+ echo -n "namespace ? [default] "
+ read -r NAMESPACE
+fi
+
+# verify if the namespace exists, otherwise use default namespace
+if [[ -n ${NAMESPACE} ]];then
+ ns=$(kubectl get namespace "${NAMESPACE}" --no-headers --output=go-template="{{.metadata.name}}" 2>/dev/null)
+ if [[ -z ${ns} ]];then
+ echo "NAMESPACE ${NAMESPACE} not found."
+ NAMESPACE=default
+ fi
+fi
+
+# if no namespace is provided, use default namespace
+if [[ -z ${NAMESPACE} ]];then
+ NAMESPACE=default
+fi
+
+echo "using NAMESPACE=${NAMESPACE}"
+
+protos=( destinationrules virtualservices gateways )
+for proto in "${protos[@]}"; do
+ for resource in $(kubectl get -n ${NAMESPACE} "$proto" -o name); do
+ kubectl delete -n ${NAMESPACE} "$resource";
+ done
+done
+
+OUTPUT=$(mktemp)
+export OUTPUT
+echo "Application cleanup may take up to one minute"
+kubectl delete -n ${NAMESPACE} -f "$SCRIPTDIR/bookinfo.yaml" > "${OUTPUT}" 2>&1
+ret=$?
+function cleanup() { + rm -f "${OUTPUT}" +} + +trap cleanup EXIT + +if [[ ${ret} -eq 0 ]];then + cat "${OUTPUT}" +else + # ignore NotFound errors + OUT2=$(grep -v NotFound "${OUTPUT}") + if [[ -n ${OUT2} ]];then + cat "${OUTPUT}" + exit ${ret} + fi +fi + +# wait for 30 sec for bookinfo to clean up +sleep 30 + +echo "Application cleanup successful" diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/productpage-nodeport.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/productpage-nodeport.yaml new file mode 100644 index 000000000..aadba2e0c --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/platform/kube/productpage-nodeport.yaml @@ -0,0 +1,32 @@ +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Productpage services +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage + service: productpage +spec: + type: NodePort + ports: + - port: 9080 + name: http + selector: + app: productpage +--- 
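Review bot: The deletion loop over `protos` removes every DestinationRule, VirtualService and Gateway in `${NAMESPACE}`, not only the Bookinfo ones, and the script silently falls back to `default` when the namespace is unset or misspelled, so a single run in a shared namespace wipes unrelated mesh configuration; restricting the `kubectl get` with a label selector, or printing the resource list and asking for confirmation before the `kubectl delete`, would bound the blast radius. `${NAMESPACE}` is unquoted in the three `kubectl ... -n ${NAMESPACE}` invocations (ShellCheck SC2086) while it is quoted everywhere else, and `OUTPUT=$(mktemp)` runs before `trap cleanup EXIT` is installed, so an interrupt between the two leaves the temp file behind — moving the `function cleanup` definition and `trap` above the `mktemp` fixes the ordering. The script's hunk starts on the previous physical line of the diff.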
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml new file mode 100644 index 000000000..ef96dc56b --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/policy/productpage_envoy_ratelimit.yaml 
@@ -0,0 +1,88 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-ratelimit
+ namespace: istio-system
+spec:
+ workloadSelector:
+ # select by label in the same namespace
+ labels:
+ istio: ingressgateway
+ configPatches:
+ # The Envoy config you want to modify
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: "envoy.filters.network.http_connection_manager"
+ subFilter:
+ name: "envoy.filters.http.router"
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.ratelimit
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit
+ # domain can be anything! Match it to the ratelimter service config
+ domain: productpage-ratelimit
+ failure_mode_deny: true
+ rate_limit_service:
+ grpc_service:
+ envoy_grpc:
+ cluster_name: rate_limit_cluster
+ timeout: 10s
+ - applyTo: CLUSTER
+ match:
+ cluster:
+ service: ratelimit.default.svc.cluster.local
+ patch:
+ operation: ADD
+ value:
+ name: rate_limit_cluster
+ type: STRICT_DNS
+ connect_timeout: 10s
+ lb_policy: ROUND_ROBIN
+ http2_protocol_options: {}
+ load_assignment:
+ cluster_name: rate_limit_cluster
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: ratelimit.default.svc.cluster.local
+ port_value: 8081
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: filter-ratelimit-svc
+ namespace: istio-system
+spec:
+ workloadSelector:
+ labels:
+ istio: ingressgateway
+ configPatches:
+ - applyTo: VIRTUAL_HOST
+ match:
+ context: GATEWAY
+ routeConfiguration:
+ vhost:
+ name: ""
+ route:
+ action: ANY
+ patch:
+ operation: MERGE
+ value:
+ rate_limits:
+ - actions: # any actions in here
+ # Multiple actions nest the descriptors
+ # - generic_key:
+ # descriptor_value: "test"
+ - request_headers:
+ header_name: ":path"
+ descriptor_key: "PATH"
+ # - remote_address: {}
+ # - destination_cluster: {}
\ No newline at end of file
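Review bot: The only descriptor emitted by `filter-ratelimit-svc` is `request_headers` on `:path`, so the limit is one global bucket per path shared by every client: a single client hammering a path exhausts the budget for everyone, which makes the limiter a cheap denial-of-service lever rather than a fairness control. Uncommenting `- remote_address: {}` alongside the PATH action (and keying the ratelimit service config on both descriptors) gives a per-client bucket; behind an AWS load balancer the remote address will be the LB unless XFF trust is configured on the gateway, so verify that first. `failure_mode_deny: true` is the correct fail-closed choice and should stay, though with `timeout: 10s` a stalled ratelimit service holds every request for ten seconds before denying it — a 1–2s timeout is usual. The `rate_limit_cluster` is a static cluster with no `transport_socket`, so the gateway-to-ratelimit gRPC hop appears to be cleartext and unauthenticated; if the ratelimit deployment has a sidecar, an explicit TLS transport socket or routing through the mesh would close that.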
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/build-services.sh b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/build-services.sh
new file mode 100755
index 000000000..e9f595546
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/build-services.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+
+if [ "$#" -ne 2 ]; then
+ echo "Incorrect parameters"
+ echo "Usage: build-services.sh "
+ exit 1
+fi
+
+VERSION=$1
+PREFIX=$2
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+pushd "$SCRIPTDIR/productpage"
+ docker build --pull -t "${PREFIX}/examples-bookinfo-productpage-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v1:latest" .
+ #flooding
+ docker build --pull -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:${VERSION}" -t "${PREFIX}/examples-bookinfo-productpage-v-flooding:latest" --build-arg flood_factor=100 .
+popd
+
+pushd "$SCRIPTDIR/details"
+ #plain build -- no calling external book service to fetch topics
+ docker build --pull -t "${PREFIX}/examples-bookinfo-details-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v1:latest" --build-arg service_version=v1 .
+ #with calling external book service to fetch topic for the book
+ docker build --pull -t "${PREFIX}/examples-bookinfo-details-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-details-v2:latest" --build-arg service_version=v2 \
+ --build-arg enable_external_book_service=true .
+popd
+
+pushd "$SCRIPTDIR/reviews"
+ #java build the app.
+ docker run --rm -u root -v "$(pwd)":/home/gradle/project -w /home/gradle/project gradle:4.8.1 gradle clean build
+ pushd reviews-wlpcfg
+ #plain build -- no ratings
+ docker build --pull -t "${PREFIX}/examples-bookinfo-reviews-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v1:latest" --build-arg service_version=v1 .
+ #with ratings black stars
+ docker build --pull -t "${PREFIX}/examples-bookinfo-reviews-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v2:latest" --build-arg service_version=v2 \
+ --build-arg enable_ratings=true .
+ #with ratings red stars
+ docker build --pull -t "${PREFIX}/examples-bookinfo-reviews-v3:${VERSION}" -t "${PREFIX}/examples-bookinfo-reviews-v3:latest" --build-arg service_version=v3 \
+ --build-arg enable_ratings=true --build-arg star_color=red .
+ popd
+popd
+
+pushd "$SCRIPTDIR/ratings"
+ docker build --pull -t "${PREFIX}/examples-bookinfo-ratings-v1:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v1:latest" --build-arg service_version=v1 .
+ docker build --pull -t "${PREFIX}/examples-bookinfo-ratings-v2:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v2:latest" --build-arg service_version=v2 .
+ docker build --pull -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-faulty:latest" --build-arg service_version=v-faulty .
+ docker build --pull -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-delayed:latest" --build-arg service_version=v-delayed .
+ docker build --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unavailable:latest" --build-arg service_version=v-unavailable .
+ docker build --pull -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:${VERSION}" -t "${PREFIX}/examples-bookinfo-ratings-v-unhealthy:latest" --build-arg service_version=v-unhealthy .
+popd
+
+pushd "$SCRIPTDIR/mysql"
+ docker build --pull -t "${PREFIX}/examples-bookinfo-mysqldb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mysqldb:latest" .
+popd
+
+pushd "$SCRIPTDIR/mongodb"
+ docker build --pull -t "${PREFIX}/examples-bookinfo-mongodb:${VERSION}" -t "${PREFIX}/examples-bookinfo-mongodb:latest" .
+popd
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/mongodb/ratings_data.json b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/mongodb/ratings_data.json
new file mode 100644
index 000000000..b4563b50c
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/mongodb/ratings_data.json
@@ -0,0 +1,2 @@
+{rating: 5}
+{rating: 4}
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/mongodb/script.sh b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/mongodb/script.sh
new file mode 100644
index 000000000..7e230ee5a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/mongodb/script.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+mongoimport --host localhost --db test --collection ratings --drop --file /app/data/ratings_data.json
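Review bot: The reviews build runs `gradle:4.8.1` as `-u root` with the host checkout bind-mounted at `/home/gradle/project`, so the container drops root-owned `build/` output into the developer's or CI runner's source tree, and any Gradle plugin or dependency resolved during that build executes as root over the mounted directory. Running as the invoking user, e.g. `docker run --rm -u "$(id -u):$(id -g)" -e GRADLE_USER_HOME=/home/gradle/project/.gradle -v "$(pwd)":/home/gradle/project -w /home/gradle/project gradle:4.8.1 gradle clean build`, removes both problems; the image may need the writable GRADLE_USER_HOME override shown, so confirm it still builds. The usage line `echo "Usage: build-services.sh "` names neither argument (possibly lost in extraction) and should read `echo "Usage: build-services.sh <version> <prefix>"`. Every image is additionally tagged `:latest` next to `${VERSION}`, so any manifest that pulls `latest` loses the pinning the version tag provides — worth a comment if that is intentional for the sample.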
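Review bot: `mongoimport --host localhost --db test --collection ratings --drop` presents no credentials, which only works if the mongod in this image runs with authentication disabled; that is acceptable for a throwaway sample, but since this tree now lives under an AWS terraform module it should be stated rather than implied. Add above the import line `# Sample only: assumes an unauthenticated local mongod; --drop recreates the ratings collection on every start.` and keep the mongodb Service ClusterIP-only. The loaded `ratings_data.json` uses unquoted keys (`{rating: 5}`); I am not certain every mongoimport version's JSON parser accepts that, so check it against the tool version in the mongodb Dockerfile.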
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/productpage/requirements.txt b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/productpage/requirements.txt
new file mode 100644
index 000000000..37f99e866
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/productpage/requirements.txt
@@ -0,0 +1,31 @@
+certifi==2019.3.9
+chardet==3.0.4
+Click==7.0
+contextlib2==0.5.5
+dominate==2.3.5
+Flask==1.0.2
+Flask-Bootstrap==3.3.7.1
+Flask-JSON==0.3.3
+future==0.17.1
+futures==3.1.1
+gevent==1.4.0
+greenlet==0.4.15
+idna==2.8
+itsdangerous==1.1.0
+jaeger-client==3.13.0
+Jinja2==2.11.3
+json2html==1.2.1
+MarkupSafe==0.23
+nose==1.3.7
+opentracing==1.2.2
+opentracing-instrumentation==2.4.3
+requests==2.21.0
+simplejson==3.16.0
+six==1.12.0
+threadloop==1.0.2
+thrift==0.11.0
+tornado==4.5.3
+urllib3==1.26.5
+visitor==0.1.3
+Werkzeug==0.15.5
+wrapt==1.11.1
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/productpage/test-requirements.txt b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/productpage/test-requirements.txt
new file mode 100644
index 000000000..f756640f2
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/productpage/test-requirements.txt
@@ -0,0 +1 @@
+requests-mock==1.5.2
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/ratings/package.json b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/ratings/package.json
new file mode 100644
index 000000000..9417ace34
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/src/ratings/package.json
@@ -0,0 +1,10 @@
+{
+ "scripts": {
+ "start": "node ratings.js"
+ },
+ "dependencies": {
+ "httpdispatcher": "1.0.0",
+ "mongodb": "^3.6.0",
+ "mysql": "^2.15.0"
+ }
+}
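Review bot: `requests==2.21.0` is pinned next to `urllib3==1.26.5`, and as far as I recall requests 2.21 declares an upper bound on urllib3 below the 1.26 series, so a resolver-enforcing pip refuses this set while an older pip silently installs a combination the requests authors never tested; bumping requests to a release whose metadata accepts urllib3 1.26 resolves it. More broadly, these pins (Flask 1.0.2, Werkzeug 0.15.5, tornado 4.5.3, MarkupSafe 0.23, Jinja2 2.11.3) are several years old for an internet-facing Flask service, so a dependency vulnerability scan should gate this file before the module ships, and the lone newer `urllib3` pin suggests such a bump already happened once. Version pins on their own do not defend against a compromised or typo-squatted index; adding `--hash=sha256:…` entries and installing with `pip install --require-hashes -r requirements.txt` would.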
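Review bot: `"mongodb": "^3.6.0"` and `"mysql": "^2.15.0"` are caret ranges and no `package-lock.json` is part of this change, so each ratings image build resolves whichever minor release is current at build time, which defeats the reproducibility the `${VERSION}` image tags are meant to give. Commit a lockfile and install with `npm ci` in the ratings Dockerfile, or pin exact versions the way `"httpdispatcher": "1.0.0"` already does. Either way the resolved set should go through the same dependency scan as the Python requirements.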
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/swagger.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/swagger.yaml
new file mode 100644
index 000000000..6782e732f
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/bookinfo/swagger.yaml
@@ -0,0 +1,248 @@
+swagger: "2.0"
+info:
+ description: "This is the API of the Istio BookInfo sample application."
+ version: "1.0.0"
+ title: "BookInfo API"
+ termsOfService: "https://istio.io/"
+ license:
+ name: "Apache 2.0"
+ url: "http://www.apache.org/licenses/LICENSE-2.0.html"
+basePath: "/api/v1"
+tags:
+- name: "product"
+ description: "Information about a product (in this case a book)"
+- name: "review"
+ description: "Review information for a product"
+- name: "rating"
+ description: "Rating information for a product"
+externalDocs:
+ description: "Learn more about the Istio BookInfo application"
+ url: "https://istio.io/docs/samples/bookinfo.html"
+paths:
+ /products:
+ get:
+ tags:
+ - "product"
+ summary: "List all products"
+ description: "List all products available in the application with a minimum amount of information."
+ operationId: "getProducts"
+ consumes:
+ - "application/json"
+ produces:
+ - "application/json"
+ responses:
+ 200:
+ description: "successful operation"
+ schema:
+ type: "array"
+ items:
+ $ref: "#/definitions/Product"
+ /products/{id}:
+ get:
+ tags:
+ - "product"
+ summary: "Get individual product"
+ description: "Get detailed information about an individual product with the given id."
+ operationId: "getProduct"
+ consumes:
+ - "application/json"
+ produces:
+ - "application/json"
+ parameters:
+ - name: "id"
+ in: "path"
+ description: "Product id"
+ required: true
+ type: "integer"
+ format: "int32"
+ responses:
+ 200:
+ description: "successful operation"
+ schema:
+ $ref: "#/definitions/ProductDetails"
+ 400:
+ description: "Invalid product id"
+ /products/{id}/reviews:
+ get:
+ tags:
+ - "review"
+ summary: "Get reviews for a product"
+ description: "Get reviews for a product, including review text and possibly ratings information."
+ operationId: "getProductReviews"
+ consumes:
+ - "application/json"
+ produces:
+ - "application/json"
+ parameters:
+ - name: "id"
+ in: "path"
+ description: "Product id"
+ required: true
+ type: "integer"
+ format: "int32"
+ responses:
+ 200:
+ description: "successful operation"
+ schema:
+ $ref: "#/definitions/ProductReviews"
+ 400:
+ description: "Invalid product id"
+ /products/{id}/ratings:
+ get:
+ tags:
+ - "rating"
+ summary: "Get ratings for a product"
+ description: "Get ratings for a product, including stars and their color."
+ operationId: "getProductRatings"
+ consumes:
+ - "application/json"
+ produces:
+ - "application/json"
+ parameters:
+ - name: "id"
+ in: "path"
+ description: "Product id"
+ required: true
+ type: "integer"
+ format: "int32"
+ responses:
+ 200:
+ description: "successful operation"
+ schema:
+ $ref: "#/definitions/ProductRatings"
+ 400:
+ description: "Invalid product id"
+
+
+definitions:
+ Product:
+ type: "object"
+ description: "Basic information about a product"
+ properties:
+ id:
+ type: "integer"
+ format: "int32"
+ description: "Product id"
+ title:
+ type: "string"
+ description: "Title of the book"
+ descriptionHtml:
+ type: "string"
+ description: "Description of the book - may contain HTML tags"
+ required:
+ - "id"
+ - "title"
+ - "descriptionHtml"
+ ProductDetails:
+ type: "object"
+ description: "Detailed information about a product"
+ properties:
+ id:
+ type: "integer"
+ format: "int32"
+ description: "Product id"
+ publisher:
+ type: "string"
+ description: "Publisher of the book"
+ language:
+ type: "string"
+ description: "Language of the book"
+ author:
+ type: "string"
+ description: "Author of the book"
+ ISBN-10:
+ type: "string"
+ description: "ISBN-10 of the book"
+ ISBN-13:
+ type: "string"
+ description: "ISBN-13 of the book"
+ year:
+ type: "integer"
+ format: "int32"
+ description: "Year the book was first published in"
+ type:
+ type: "string"
+ enum:
+ - "paperback"
+ - "hardcover"
+ description: "Type of the book"
+ pages:
+ type: "integer"
+ format: "int32"
+ description: "Number of pages of the book"
+ required:
+ - "id"
+ - "publisher"
+ - "language"
+ - "author"
+ - "ISBN-10"
+ - "ISBN-13"
+ - "year"
+ - "type"
+ - "pages"
+ ProductReviews:
+ type: "object"
+ description: "Object containing reviews for a product"
+ properties:
+ id:
+ type: "integer"
+ format: "int32"
+ description: "Product id"
+ reviews:
+ type: "array"
+ description: "List of reviews"
+ items:
+ $ref: "#/definitions/Review"
+ required:
+ - "id"
+ - "reviews"
+ Review:
+ type: "object"
+ description: "Review of a product"
+ properties:
+ reviewer:
+ type: "string"
+ description: "Name of the reviewer"
+ text:
+ type: "string"
+ description: "Review text"
+ rating:
+ $ref: "#/definitions/Rating"
+ required:
+ - "reviewer"
+ - "text"
+ Rating:
+ type: "object"
+ description: "Rating of a product"
+ properties:
+ stars:
+ type: "integer"
+ format: "int32"
+ minimum: 1
+ maximum: 5
+ description: "Number of stars"
+ color:
+ type: "string"
+ enum:
+ - "red"
+ - "black"
+ description: "Color in which stars should be displayed"
+ required:
+ - "stars"
+ - "color"
+ ProductRatings:
+ type: "object"
+ description: "Object containing ratings of a product"
+ properties:
+ id:
+ type: "integer"
+ format: "int32"
+ description: "Product id"
+ ratings:
+ type: "object"
+ description: "A hashmap where keys are reviewer names, values are number of stars"
+ additionalProperties:
+ type: "string"
+ required:
+ - "id"
+ - "ratings"
\ No newline at end of file
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/README.md
new file mode 100644
index 000000000..c0cc63343
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/README.md
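Review bot: `ProductRatings.ratings` declares `additionalProperties: type: "string"` while its own description says the values are the number of stars and the `Rating.stars` definition is an integer bounded 1–5, so clients generated from this spec will type the map as string-valued and never apply the range check; change the map's value schema to `type: "integer"`, `format: "int32"`, `minimum: 1`, `maximum: 5`. `Product.descriptionHtml` is documented as possibly containing HTML, which is only safe if every consumer can rely on it being server-authored and never carrying user-supplied text — a sentence in that description saying so (or that clients must sanitize before rendering) would make the trust boundary explicit. Each path documents only 200 and 400, so a well-formed id for a product that does not exist has no declared status; add a 404 if the implementation returns one.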
@@ -0,0 +1,30 @@
+# Istio plugin CA sample certificates
+
+This directory contains sample pre-generated certificate and keys to demonstrate how an operator could configure Citadel with an existing root certificate, signing certificates and keys. In such
+a deployment, Citadel acts as an intermediate certificate authority (CA), under the given root CA.
+Instructions are available [here](https://istio.io/docs/tasks/security/cert-management/plugin-ca-cert/).
+
+The included sample files are:
+
+- `root-cert.pem`: root CA certificate.
+- `root-cert-alt.pem`: alterative CA certificate.
+- `ca-[cert|key].pem`: Citadel intermediate certificate and corresponding private key.
+- `ca-[cert-alt|key-alt].pem`: alternative intermediate certificate and corresponding private key.
+- `cert-chain.pem`: certificate trust chain.
+- `cert-chain-alt.pem`: alternative certificate chain.
+- `workload-foo-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-foo/ns/foo/sa/foo` signed by `ca-cert.key`.
+- `workload-bar-[cert|key].pem`: workload certificate and key for URI SAN `spiffe://trust-domain-bar/ns/bar/sa/bar` signed by `ca-cert.key`.
+
+The workload cert and key are generated by:
+
+```shell script
+ ./generate-workload.sh foo
+ ./generate-workload.sh bar
+```
+
+To generate certs signed by the alternative root `root-cert-alt.pem`
+
+```shell script
+./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
+./generate-workload.sh name namespace serviceAccount tmpDir use-alternative-root
+```
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-cert-alt.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-cert-alt.pem
new file mode 100644
index 000000000..d6987e71f
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-cert-alt.pem
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFSjCCAzKgAwIBAgIJAJkMLmH6fFjlMA0GCSqGSIb3DQEBBQUAMCIxDjAMBgNV +BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDIxNzIyNDA1OFoXDTIz +MDIxNzIyNDA1OFowPDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk +aWF0ZSBDQTEQMA4GA1UEBwwHY2x1c3RlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAM1l51P3R1JTdCuxcvMJbcAMJAZno9GUSxFS5e+lcZKEZ1CXvQxW +kR72ZwgzWEF2j1+mjZUZNRaAS7tJehTvHKdoyea2Ekq+R9X1kCyfSJt/nYCYSvsf +oHKLL8B+Ez4RoTgX0UU92mejFJL8kPVHz4ZM9HhTyT4CUsj5xUEKjF6ORcyZ6jP/ +nv5NRsjNiXgOAXjsApZE9h8fDb0YGbm/ee941FEglq4KlqKeakIISSqRu9UbI2UI +aP6T8azd5gPSeaTm6T7JepoDXne+Xm8l8rrdbRT/PV9AZNi8pMLf7SP838zMb/X+ +8XoGV/agSKtIa0qQgItBflOXlVmftTfBxl8+UGXlsIj6rpYF+c+lavAEF4Fzj4lE +I+HkUh/TRe2nzSbdjKYKAgjyVDPu3QjbDX03ICgFb3RnDCL//F6pKeE9Zi8gPS9E +H9ZfHHhBJpKgOGsr0/1zbf1zLj0gf0ZQDWu+PK2AJPVoQbR+QdB7QsomnQWwWEa1 +2yfQTze5TVY2tmVJFsqQOoK6wQtIUnEuISreiA5qoYOBGAJG9AikhNRbeWKiD0KV +MwGgGyRj2C/0GgnBWScytyFjoNadixzjiXu2ndaJYmNE54251235TUEJ1k5XLzLT +prvVx5bYodwemBXkEzZAlN8iVeh0gvZXY8ywkKwM1VkmOs4mFBcISGnrAgMBAAGj +aTBnMB0GA1UdDgQWBBTS42W73B9SNZh27ZgDt6SdUGthJzASBgNVHRMBAf8ECDAG +AQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdpc3Rpb2QuaXN0aW8t +c3lzdGVtLnN2YzANBgkqhkiG9w0BAQUFAAOCAgEARYVy9jfWvEyJ1mhx0Xhf+cpO +bEs3zzrddrdsid9OA64pNgvhQqHM2XKSoX8/hBxlyh2XEbsF0/sujmeoQ4ry+Q1B +nhvpDlXJnEkNwgOLRKi7Qqx8E2nIFgyA2CmON/IcCmKY7A3aGyhuhVj3b7fdNaaj +7hXfz9hSZ+ZFyBnJ0zGN57ZAZbYQvYGpc+seUeBf9WEhL0wMbAxLAeoWJdgm5UTA +KeswXL6+zmuuEuoZ1loiUqiJohMNwiLU9wrePxFiEserJdgdQPraBIBO6s4BapEb +R1JEYhTjVkoLs9SZl/wyWDRt6Qn8uPjsN+5/cpaY7hKHE1IYQB9DeZ+X3rRUjd/g +abzVkE7oiHGgFj4/MeXmn15iIaruMj0ZKYyc3KQU4ok2o3GJ6z2pilzZYnyIck37 +3HrYyk7Y1O5BakmvEfDb3V84Ze3Ghgnjc+eeNi1wIUALFE8tQ/YWyJK+LDtVd2WS +Q1CeQgUY5RfUiqTFkrnFFmapx9I7Anyb+gwOxa1ECu0L5odvMwaCWo5tjAPqTl1m +lHknG3oLujcZr9ShVoK2JIrKMqdOHLfjSgTyPrCZfuFanKxjqG9guw5OBWA1EqTS +IiKkyqQzqD5Y1mQghc1+KaG1x7Siubv8poAvQU7VzAfbtGttqkaY55bwk9Wwg9r5 +G+v+5tJpvLfGniCmbQg= +-----END CERTIFICATE----- 
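Review bot: Decoding the DER fields of this certificate by hand, the signature algorithm OID reads as sha1WithRSAEncryption and the validity window runs from 2021-02-17 to 2023-02-17 — please confirm with `openssl x509 -in ca-cert-alt.pem -noout -text`. If that holds, the alternative intermediate is SHA-1-signed, which recent Go and BoringSSL-based verifiers reject when building a chain, and it has a two-year shelf life, so anything that exercises the alt chain will start failing at expiry with a confusing error. Regenerating it with `-sha256` and recording the expiry date next to `root-cert-alt.pem` in the README would avoid that. Its SAN is `istiod.istio-system.svc`, so it is an istiod signing certificate rather than a workload certificate, which the README does not currently say.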
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-cert.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-cert.pem new file mode 100644 index 000000000..a460e036b --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-cert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-key-alt.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-key-alt.pem new file mode 100644 index 000000000..c3669a2d0 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-key-alt.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKAIBAAKCAgEAzWXnU/dHUlN0K7Fy8wltwAwkBmej0ZRLEVLl76VxkoRnUJe9 +DFaRHvZnCDNYQXaPX6aNlRk1FoBLu0l6FO8cp2jJ5rYSSr5H1fWQLJ9Im3+dgJhK ++x+gcosvwH4TPhGhOBfRRT3aZ6MUkvyQ9UfPhkz0eFPJPgJSyPnFQQqMXo5FzJnq +M/+e/k1GyM2JeA4BeOwClkT2Hx8NvRgZub9573jUUSCWrgqWop5qQghJKpG71Rsj +ZQho/pPxrN3mA9J5pObpPsl6mgNed75ebyXyut1tFP89X0Bk2Lykwt/tI/zfzMxv +9f7xegZX9qBIq0hrSpCAi0F+U5eVWZ+1N8HGXz5QZeWwiPqulgX5z6Vq8AQXgXOP +iUQj4eRSH9NF7afNJt2MpgoCCPJUM+7dCNsNfTcgKAVvdGcMIv/8Xqkp4T1mLyA9 +L0Qf1l8ceEEmkqA4ayvT/XNt/XMuPSB/RlANa748rYAk9WhBtH5B0HtCyiadBbBY +RrXbJ9BPN7lNVja2ZUkWypA6grrBC0hScS4hKt6IDmqhg4EYAkb0CKSE1Ft5YqIP +QpUzAaAbJGPYL/QaCcFZJzK3IWOg1p2LHOOJe7ad1oliY0TnjbnXbflNQQnWTlcv +MtOmu9XHltih3B6YFeQTNkCU3yJV6HSC9ldjzLCQrAzVWSY6ziYUFwhIaesCAwEA +AQKCAgBROdRSaz6kOuZ9BO6dWAQz51kzwzaQgeFx12Og8r9IHt4wi+EyCOXY5b53 +Cr8DHFy0icwBw3cwD8pjJTqHHswpFBKMD0KKllcYMMU0MEVpYP0rRo6YYrhzs8FN +kU4QxK4J3blfdYdyZpaTThgRN7XEuZgQIao6wHZ2jffIseAy4HaP4+ovaA47KNou +PMH5XSiN5l9bh6gBRKmNNwOtZiBVaGYmMwoDh6JsatNAi8BLelhafSHxKXNEAcOY +BiSZLFn4sWxZ7Rlz4JMyLXFw6QPli/1ASXO+wFthLrDFdAJ2seDbP5mjIY/jHrEY +kehK/BeZ5C1BZMQNUKu6RqNGinXkrH5I+dtfQOvRasp6KIC5F1ploxwYiyVDYN+G +ggaoCmjMNzq5OrKJWyoKzLzg5x7MrWoBmKoObKhlnzoFOPpJrPREa/xxFDY/KofY +yhJFUFCN4ujD9lTomoBYaGpleCguoJMyNdHp5DIxKdBxvsXFJ+6E46K7vb6VBp7T +2MjKp5NQ+vgfOqKe9QiYVRac3gBVtvfTRGv4EEjnJV5/rLFCWOT8ay60cT9FAuBM +EqR2hcVaiRwTVpEa07XCeHx1QwzmEiooMk2UrYcQAra4VHtC5mGlt3jlRRBmhNnM +Bl0OF/TVCd3ROk7E9poW5tkgDS9YFtNvrTyDF51AQY03byV+cQKCAQEA9308Zpcc +4wsu5S1s9sPHt3ebmi22L5AgXsZZKHkZj/FcP9nfGBF9JKzA4+D32EhKtKdd6HNp +HkMFp/JIs+q2s+kdIh8myBLyz/ID5VDBcbcctyOyPfFSVBu1pVH/deResHK21PVU +DXy5gtxfBFcFhfq/xmyLGyeN4MFiYpgYpseM6vZdlRg/u2KjKNF38j4UnRYFqBtR +bJjUJc/5t4zNUqQUFcF3CYIqM+8poV98+qIQ751JgfpShXte8VHqZUaiG+PEkxaU +XeP7RGsgHrGsPHg2oz8Ggawer4d6k/ynn/KTOKVfrb1+YYhmwbDGXWjO8uJRKfcG +wrSOQdpcxwJgGQKCAQEA1HYemZkC31Ck7UH1x+vXSqn7qfjMa6GR1LJk32Ws1q/r +IhHf/aCTaYATyOBfeqspZntJ2Ede1SY4DAi866kMauhlw0b8QmksIf9daeaEOATE 
+QKWEvFGVJjv1Bu2lVjAiqyv96Kxl8G9yKobN9QEp8iNMFfWTwMRYpGp5+9tI9RxE +ZamOQF42olNM8+JtYSxfTtqgcG2spldW17Qp1yjaPNiIoxcqUpIrMZqcMPfGIACy +I80v4FLnz40cvICnqETz6HZEIt3Pe+65kRBA5v0PdPyKInuyr9H7Lrjs9lqfvxvq +D/cvvP1Lszr00E5AjFWOle2WRiq+A8lXEQao+a5KowKCAQEAv8QFckSy+GYo7yF0 +pfxrmwiNxDiZS191BZrRaN/046kUXtFV4VNj0XAegjRGNwtE/5gT1tLeZ7ls/4Zn +uSksalk93ruelDbCeEhBpoUdbxyAnpOFQCPmNA/IfxH7TQEoMbahXn+9ojm7kN9q +rHU1bWwu/vQKEX9jmvydXGIX79r9oO5G8wj4ER1L6YvtUgGyfUmcFnccb3Y4JBhz +mTr7uYYznevrba2zP8yYSFcyAw5i6xfH5nPtT0qZ9YkQg2ron42sOoCrc9j8UDZl +jAMFv1EynOlwBDg3CrGCVHrX88LFOoZBjeEftTk4zepIugZFHMQqOccUMPgwpmwp +qXZ4uQKCAQBFVWK5B0j7rWqVDqBxpJI2iHBbUJkNSsW3XpwylxCnYvNdw+2P7DYP +CL/sHuSpuG+jRPqdPPVCo91IeBWG5jzqKnsDFgg+d+nyEk7ev15Ila2h1yIQ/qKo +vopAv47kKIM3zvxmUNRXeVcNb76IhN+2aDRtOh4Em06+IQ071pzheF8Nuh50/Qnh +QUPslujQ/FUB+7C939ymz/vEGsRItck6cANvDaE/Hvo/jtAH3uPmD7QSoORN1WBW +yBsnnOiZrh7WrrmfkzkhnY8rOt2jQ9Qmfj9p72opnGHXJnwWDQ7yo95nZWhLyXFJ +xSSdUdwYr9b/MHCI52vo+mySXtUH3gv3AoIBADybsXoUscd81dHetrGWLMLTMx+Y +rZg9f6VKHgKnJNp9KkUzvzE9kmYL3/BKV8g2JgFymJiqI7gZ44o6gUgk7CmN9lrs +8Y8CEUyoi1QoNeYy/c2RyT/ufaNA1hBMwZOmY2xQLLAw0dCwbIEYvPeCCjaNaQdm +OwvQfCKAqITLmihOBp5mx0IKbc4FKOkD5uPghdSsSj6g00tKxiHaxnmTogUC3SLD +agJTmiOxjpYCs+iYqg903fJ7B+GWPsiuyrF5mFUFiBNv+owFBVhnA1RhJIky0mzf +bpQ0ykE66UzVfT8GW/dB/lurWEyExLxut64KdAMknCcPtdhPG5qDXIRNz20= +-----END RSA PRIVATE KEY----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-key.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-key.pem new file mode 100644 index 000000000..faa77f388 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/ca-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 +3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd +Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd +PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs +ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ +t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B +C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN +ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU +8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg +oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf +QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w +J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp +FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ +CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e +DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE +Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN +cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt +yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO +wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY +qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D +Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 +cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 +mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa +8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ +lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== +-----END RSA PRIVATE KEY----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/cert-chain-alt.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/cert-chain-alt.pem new file mode 100644 index 000000000..9c972c4b0 --- /dev/null 
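Review bot: `ca-key.pem` here and `ca-key-alt.pem` in the preceding hunk are CA signing keys committed in the clear; they are Istio's published sample keys, so anyone can mint workload certificates trusted by any mesh that installs them, and the README in this same change says the sample workload certs are signed with them. Inside a terraform module tree the realistic risk is that someone wires this directory into the `cacerts` secret of a real cluster. Add a prominent warning to the README, make the module take an operator-supplied CA path that never defaults to this directory, and expect secret scanners to flag these files — an allowlist entry with a written justification is preferable to disabling the scanner. Keeping the private keys out of whatever artifact the module publishes would be better still.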
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/cert-chain-alt.pem 
@@ -0,0 +1,60 @@ +-----BEGIN CERTIFICATE----- +MIIFSjCCAzKgAwIBAgIJAJkMLmH6fFjlMA0GCSqGSIb3DQEBBQUAMCIxDjAMBgNV +BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDIxNzIyNDA1OFoXDTIz +MDIxNzIyNDA1OFowPDEOMAwGA1UECgwFSXN0aW8xGDAWBgNVBAMMD0ludGVybWVk +aWF0ZSBDQTEQMA4GA1UEBwwHY2x1c3RlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBAM1l51P3R1JTdCuxcvMJbcAMJAZno9GUSxFS5e+lcZKEZ1CXvQxW +kR72ZwgzWEF2j1+mjZUZNRaAS7tJehTvHKdoyea2Ekq+R9X1kCyfSJt/nYCYSvsf +oHKLL8B+Ez4RoTgX0UU92mejFJL8kPVHz4ZM9HhTyT4CUsj5xUEKjF6ORcyZ6jP/ +nv5NRsjNiXgOAXjsApZE9h8fDb0YGbm/ee941FEglq4KlqKeakIISSqRu9UbI2UI +aP6T8azd5gPSeaTm6T7JepoDXne+Xm8l8rrdbRT/PV9AZNi8pMLf7SP838zMb/X+ +8XoGV/agSKtIa0qQgItBflOXlVmftTfBxl8+UGXlsIj6rpYF+c+lavAEF4Fzj4lE +I+HkUh/TRe2nzSbdjKYKAgjyVDPu3QjbDX03ICgFb3RnDCL//F6pKeE9Zi8gPS9E +H9ZfHHhBJpKgOGsr0/1zbf1zLj0gf0ZQDWu+PK2AJPVoQbR+QdB7QsomnQWwWEa1 +2yfQTze5TVY2tmVJFsqQOoK6wQtIUnEuISreiA5qoYOBGAJG9AikhNRbeWKiD0KV +MwGgGyRj2C/0GgnBWScytyFjoNadixzjiXu2ndaJYmNE54251235TUEJ1k5XLzLT +prvVx5bYodwemBXkEzZAlN8iVeh0gvZXY8ywkKwM1VkmOs4mFBcISGnrAgMBAAGj +aTBnMB0GA1UdDgQWBBTS42W73B9SNZh27ZgDt6SdUGthJzASBgNVHRMBAf8ECDAG +AQH/AgEAMA4GA1UdDwEB/wQEAwIC5DAiBgNVHREEGzAZghdpc3Rpb2QuaXN0aW8t +c3lzdGVtLnN2YzANBgkqhkiG9w0BAQUFAAOCAgEARYVy9jfWvEyJ1mhx0Xhf+cpO +bEs3zzrddrdsid9OA64pNgvhQqHM2XKSoX8/hBxlyh2XEbsF0/sujmeoQ4ry+Q1B +nhvpDlXJnEkNwgOLRKi7Qqx8E2nIFgyA2CmON/IcCmKY7A3aGyhuhVj3b7fdNaaj +7hXfz9hSZ+ZFyBnJ0zGN57ZAZbYQvYGpc+seUeBf9WEhL0wMbAxLAeoWJdgm5UTA +KeswXL6+zmuuEuoZ1loiUqiJohMNwiLU9wrePxFiEserJdgdQPraBIBO6s4BapEb +R1JEYhTjVkoLs9SZl/wyWDRt6Qn8uPjsN+5/cpaY7hKHE1IYQB9DeZ+X3rRUjd/g +abzVkE7oiHGgFj4/MeXmn15iIaruMj0ZKYyc3KQU4ok2o3GJ6z2pilzZYnyIck37 +3HrYyk7Y1O5BakmvEfDb3V84Ze3Ghgnjc+eeNi1wIUALFE8tQ/YWyJK+LDtVd2WS +Q1CeQgUY5RfUiqTFkrnFFmapx9I7Anyb+gwOxa1ECu0L5odvMwaCWo5tjAPqTl1m +lHknG3oLujcZr9ShVoK2JIrKMqdOHLfjSgTyPrCZfuFanKxjqG9guw5OBWA1EqTS +IiKkyqQzqD5Y1mQghc1+KaG1x7Siubv8poAvQU7VzAfbtGttqkaY55bwk9Wwg9r5 +G+v+5tJpvLfGniCmbQg= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- 
+MIIFCTCCAvGgAwIBAgIJAL4uxHfykeWSMA0GCSqGSIb3DQEBBQUAMCIxDjAMBgNV +BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDIxNzIyNDA1N1oXDTMx +MDIxNTIyNDA1N1owIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCkESA1E1psP/v9wkdimcqZ +X832eMRKomDxFFwbk9ayMF/XrGMAUmsvqeN9a73m5UD3MpArBiRc97XXzW1K1hnW +sCtcN42C25NDXgHGjzyhplNogR6/SsKYg2oZx2iBRJUxwroi3/iTv7KPousQwGpF +a/leoNxfr0+twbA5Y9nS17zO8CfJLlJz+c8MIbSdCTckcRxvVSXWsUlH1BJS/Bfh +TnlaVqk/YGWBxhtm8BowB0hzaxFrQnwuxsRXgnFmlAV0iZ35jvrhM6vmU2RqvUUo +BEgTTPuToC/2VRmyhFw/9cWcjzxgkvkjLsmVg5icuNvKQ4PgJL07zguRjk0XFchz +SZuqimjDYSRQv3I0TOn+eT0b2KX8neg1pqh7w81YotyqFcJ7SdpQaau7CeMbus92 +P7XsCpCSVe82Y8BRcdtPgDEzn7AOA2IlgxDC1hex80+10aL8naWGdxxUEom8wQwS +gvRHrdDsRigVvcygvVhfcoMak4RUxFeaQK5c1ruMlNvuuwZ20C4mUvZTvlaz7RmN +yazzjqQYT4GHbR2e1kwBqe6YtlOrHY1Fpg5V6+S1rQkbbZrfQVQOXz7VQ7jOsmEr +kNkrtgS8ZjAwgnOrf878Rr1g8Ac+I4q7Mpei2humdAydO3cEaGskcoozsxjPAKvd +8be76nUjjkBv6eURp1ziEQIDAQABo0IwQDAdBgNVHQ4EFgQUPyNoAnWNHwP+2NFi +zWLW0hz3Cw0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI +hvcNAQEFBQADggIBAIQx3aCt5GFuWxLLYlL2wbrO8tFoQnN4Poa/uli65YF47abb +zZkDm6OomYIsWVce4tdoJZy1TLlyKZPb+MDDnelOzNhpljjpw2ZdhEtnv703513q +o1zCgVrO1YWvk6Xv1gt3wVhQvJhq87BqrYFcCo899k09haXU4ddtP+YMPjyIngVb +ucxML2xqjzS1Cfs+CD/OpwntISzWOEi5r/3IkbPlMT15hFa2oAVKBhOkyk0QQP8t +bV9i4AC32gvshwIiGjbXUmnlRwBxUi8GBq5ZyR66nqoV9wBHPoqJZ3z+j6DNZSYm +QGaO0wwWgSePRNPodzPAw6vofDjBe/hcyCk2d2uRrOLJICWbAdx76+j6h3zX2sPS +FVSK1eVZaPUylL9rE+AyVGgl8/FqLNTwOHdSSovgIVVID7eXSpebnFtQEtlCSnik +naaVSrG+sTH77WD9mQO9LmYS8JVceLE+ErSEAXkFKim131317sS5Z310U/L021M4 +xGH6zZHK9W9dx1X4gZKfoqGwSAHhs4rjEZCU7CKR1ouJBPWQ/cGrrk8n8ZdmKxmz +OHNB4GteIEKJKrJTKQil8hsdSIqSUX4H4tw4GXlpyBSmZNt9iOjo4tWUGoUlQRIp +QDpfEx1ep9pVDwQNGXVf+m9iqbc3DAiSN+1CGSZI5Kv0RzZSih5zIaxB2gJ7 +-----END CERTIFICATE----- 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/cert-chain.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/cert-chain.pem new file mode 100644 index 000000000..a460e036b --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/cert-chain.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/generate-workload.sh b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/generate-workload.sh new file mode 100755 index 000000000..800e83a0a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/generate-workload.sh 
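Review bot: `cert-chain.pem` carries the same blob index (`a460e036b`) as `ca-cert.pem`, so the file the README calls the "certificate trust chain" contains only the intermediate and no root, whereas `cert-chain-alt.pem` bundles intermediate plus root. The two sample sets therefore disagree on what a chain file holds, and an operator copying the primary layout for their own CA may omit the root and get verification failures that are hard to trace. If the root-less primary chain is intentional, say so in the README bullet for `cert-chain.pem`; otherwise append `root-cert.pem` to it. `openssl crl2pkcs7 -nocrl -certfile cert-chain.pem | openssl pkcs7 -print_certs -noout` shows what each chain file actually contains.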
@@ -0,0 +1,108 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +name=${1:-foo} +ns=${2:-$name} +sa=${3:-$name} +tmp=${4:-""} +rootselect=${5:-""} +san="spiffe://trust-domain-$name/ns/$ns/sa/$sa" + +DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) + +FINAL_DIR=$DIR +if [ -n "$tmp" ]; then + if [ -d "$tmp" ]; then + FINAL_DIR=$tmp + cp "$DIR"/root-cert.pem "$FINAL_DIR" + cp "$DIR"/ca-cert.pem "$FINAL_DIR" + cp "$DIR"/ca-key.pem "$FINAL_DIR" + cp "$DIR"/cert-chain.pem "$FINAL_DIR" + + cp "$DIR"/root-cert-alt.pem "$FINAL_DIR" + cp "$DIR"/ca-cert-alt.pem "$FINAL_DIR" + cp "$DIR"/ca-key-alt.pem "$FINAL_DIR" + cp "$DIR"/cert-chain-alt.pem "$FINAL_DIR" + + else + echo "tmp argument is not a directory: $tmp" + exit 1 + fi +fi + +function cleanup() { + if [ -f "$FINAL_DIR"/.srl ]; then + rm "$FINAL_DIR"/.srl + fi + if [ -f "$FINAL_DIR"/ca-cert.srl ]; then + rm "$FINAL_DIR"/ca-cert.srl + fi + if [ -f "$FINAL_DIR"/ca-cert-alt.srl ]; then + rm "$FINAL_DIR"/ca-cert-alt.srl + fi + if [ -f "$FINAL_DIR"/workload.cfg ]; then + rm "$FINAL_DIR"/workload.cfg + fi + if [ -f "$FINAL_DIR"/workload.csr ]; then + rm "$FINAL_DIR"/workload.csr + fi +} + +trap cleanup EXIT + +openssl genrsa -out "$FINAL_DIR/workload-$sa-key.pem" 2048 + +cat > "$FINAL_DIR"/workload.cfg <> "$FINAL_DIR/workload-$sa-cert.pem" + +echo "Generated workload-$sa-[cert|key].pem with URI SAN $san" +openssl verify -CAfile <(cat "$certchain" "$rootcert") 
"$FINAL_DIR/workload-$sa-cert.pem" + diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/root-cert-alt.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/root-cert-alt.pem new file mode 100644 index 000000000..618ca0b90 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/root-cert-alt.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIFCTCCAvGgAwIBAgIJAL4uxHfykeWSMA0GCSqGSIb3DQEBBQUAMCIxDjAMBgNV +BAoMBUlzdGlvMRAwDgYDVQQDDAdSb290IENBMB4XDTIxMDIxNzIyNDA1N1oXDTMx +MDIxNTIyNDA1N1owIjEOMAwGA1UECgwFSXN0aW8xEDAOBgNVBAMMB1Jvb3QgQ0Ew +ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCkESA1E1psP/v9wkdimcqZ +X832eMRKomDxFFwbk9ayMF/XrGMAUmsvqeN9a73m5UD3MpArBiRc97XXzW1K1hnW +sCtcN42C25NDXgHGjzyhplNogR6/SsKYg2oZx2iBRJUxwroi3/iTv7KPousQwGpF +a/leoNxfr0+twbA5Y9nS17zO8CfJLlJz+c8MIbSdCTckcRxvVSXWsUlH1BJS/Bfh +TnlaVqk/YGWBxhtm8BowB0hzaxFrQnwuxsRXgnFmlAV0iZ35jvrhM6vmU2RqvUUo +BEgTTPuToC/2VRmyhFw/9cWcjzxgkvkjLsmVg5icuNvKQ4PgJL07zguRjk0XFchz +SZuqimjDYSRQv3I0TOn+eT0b2KX8neg1pqh7w81YotyqFcJ7SdpQaau7CeMbus92 +P7XsCpCSVe82Y8BRcdtPgDEzn7AOA2IlgxDC1hex80+10aL8naWGdxxUEom8wQwS +gvRHrdDsRigVvcygvVhfcoMak4RUxFeaQK5c1ruMlNvuuwZ20C4mUvZTvlaz7RmN +yazzjqQYT4GHbR2e1kwBqe6YtlOrHY1Fpg5V6+S1rQkbbZrfQVQOXz7VQ7jOsmEr +kNkrtgS8ZjAwgnOrf878Rr1g8Ac+I4q7Mpei2humdAydO3cEaGskcoozsxjPAKvd +8be76nUjjkBv6eURp1ziEQIDAQABo0IwQDAdBgNVHQ4EFgQUPyNoAnWNHwP+2NFi +zWLW0hz3Cw0wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAuQwDQYJKoZI +hvcNAQEFBQADggIBAIQx3aCt5GFuWxLLYlL2wbrO8tFoQnN4Poa/uli65YF47abb +zZkDm6OomYIsWVce4tdoJZy1TLlyKZPb+MDDnelOzNhpljjpw2ZdhEtnv703513q +o1zCgVrO1YWvk6Xv1gt3wVhQvJhq87BqrYFcCo899k09haXU4ddtP+YMPjyIngVb +ucxML2xqjzS1Cfs+CD/OpwntISzWOEi5r/3IkbPlMT15hFa2oAVKBhOkyk0QQP8t +bV9i4AC32gvshwIiGjbXUmnlRwBxUi8GBq5ZyR66nqoV9wBHPoqJZ3z+j6DNZSYm +QGaO0wwWgSePRNPodzPAw6vofDjBe/hcyCk2d2uRrOLJICWbAdx76+j6h3zX2sPS +FVSK1eVZaPUylL9rE+AyVGgl8/FqLNTwOHdSSovgIVVID7eXSpebnFtQEtlCSnik +naaVSrG+sTH77WD9mQO9LmYS8JVceLE+ErSEAXkFKim131317sS5Z310U/L021M4 +xGH6zZHK9W9dx1X4gZKfoqGwSAHhs4rjEZCU7CKR1ouJBPWQ/cGrrk8n8ZdmKxmz +OHNB4GteIEKJKrJTKQil8hsdSIqSUX4H4tw4GXlpyBSmZNt9iOjo4tWUGoUlQRIp +QDpfEx1ep9pVDwQNGXVf+m9iqbc3DAiSN+1CGSZI5Kv0RzZSih5zIaxB2gJ7 +-----END CERTIFICATE----- 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/root-cert.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/root-cert.pem new file mode 100644 index 000000000..64c3fd50c --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/root-cert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN +8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-bar-cert.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-bar-cert.pem new file mode 100644 index 000000000..c614ffc38 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-bar-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUBn+v5JAoezzNx9s3Euvzlny0LWcwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIwMDgxNDIyMTA1M1oXDTMwMDgxMjIyMTA1M1owADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMD18u/U1ouLwc2VblyFQCDN7XdGODoLV2eYA3NQrzMv +0873zS5wbvte2eRc+MX9jnwg8rW+Won7KUaEzD62a9QZv5ilO1137YUBZrTgQIkO +bhOnmpJRmR3Cxck8ZTEBMFsM+xyGAGc8ptdGJjEuxifFJHT3IB0ibXsnYuHnzpj1 +totq3sIPTRSkjsSOnKpyaOfBFiAyDQ0Rnm4+O32cJ654l0Co6iRABTnO9vIq1Tjn +fQm6+F99w3Wvv9Ik8HxB4HBLZ3+qgXQIJOD+d5+z88OnsiEMYKO4XHy2D/OAh9ND +7i9lzr+wXLYb5H1+TcEJuHFTHQcsm5YCl/zFt4YHgX0CAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1iYXIv +bnMvYmFyL3NhL2JhcjANBgkqhkiG9w0BAQsFAAOCAQEAGAWE6bLO4L8fDFg2hVCJ +G+8uTVVeO2H8wFiDOqB0xq9OCrzSp39cZsBZLj9KFBWx/V0PEAlcmGlgHozdGkVG +Z1/B+ukeRgALYBmHgOegoC2zHOz5qacqiRnV8Kijxa6nFyU0qbJCFVWs76DSZZDm +872SMmoURs2VrAQTWInbtWxR4tAyEdmecYOdHEIXQDc13LQSwu7TINLs7JnjKlv7 +xIv6TsOyAyx305DSK0htxYfgrvo4cc33JmDOtL81bHfyUfx2B8HKeDYTaDh+V01G +OesJNzqECzW6IMMFJey0f/4W7hbldpZmgXs8qa/g1CR8pCRs2eTWKTS336glXLCG +MA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-bar-key.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-bar-key.pem new file mode 100644 index 000000000..bc11603b9 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-bar-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwPXy79TWi4vBzZVuXIVAIM3td0Y4OgtXZ5gDc1CvMy/TzvfN +LnBu+17Z5Fz4xf2OfCDytb5aifspRoTMPrZr1Bm/mKU7XXfthQFmtOBAiQ5uE6ea +klGZHcLFyTxlMQEwWwz7HIYAZzym10YmMS7GJ8UkdPcgHSJteydi4efOmPW2i2re +wg9NFKSOxI6cqnJo58EWIDINDRGebj47fZwnrniXQKjqJEAFOc728irVOOd9Cbr4 +X33Dda+/0iTwfEHgcEtnf6qBdAgk4P53n7Pzw6eyIQxgo7hcfLYP84CH00PuL2XO +v7BcthvkfX5NwQm4cVMdByyblgKX/MW3hgeBfQIDAQABAoIBAQCKn6bZ2YQQWGTw +tsvEOA5sAsT4jT/To1Y1nCXOcEaNdWyrIacMF8YDXI8Y2hn200PLtTfojUoqGn/6 +o2jAHPm2NJFKrlnJumCuzuTkSL7UN8Oo5x3KxEhF8yl4eqUP4ZTFtLuqMDKV+CK8 +QS8q4jmFVMHuLaOqipMwiIknVgs8IvmQSZf3LBPOLRX9vcTtT0YnOAhFQjb3048s +Da+pDSsKesVkcsTx9aw4pUHWcLFuDHxZ1f0hAXcOfkzjzuBkQ0uoUxSIE+kcA2i0 +9vZB7fSqL/5zKrKooDSjW189WHd8wMEtmGZW6VDeH0fMuC+KWEVZnyjMrrlCMesJ +MismTSABAoGBAPD2XAf01iMy4Y84XtI4vku0uO+pseyhZ2nyqLJW2q3M0bXKFMiD +jiE7GlxBjynZFfU5R/H7QJ3rDwH4PpKyd13mgnlUImyLTUVaSbC3Bu0rJ+NFLtsQ +7OCxi4F3pOvOAWUL5WJc0gyqmSBywoGFuCT1x0wch2si1/XGUH973EwBAoGBAM0A +te01yywQ+X17fApIh/R+LLPkORecpDJgC3vTcMvuvC9Rq1HEC4S4b7X0SfrUzvCw +BO+J3KUMBJXHC2S4VsWBn/jHA8vJ1RD11gDVUV776WLxhXiBekwneFyFlNUukkTa +2bcnM3vtXZBl8z8Fhddfo5i9MR0Wh6jXF3HpemV9AoGAW1k6CHYkHBH0+sOnBtEm +KzMnDQxq/EcwGjU5COruWgcU1XL3sBBXeHecha8A5B99OIrvoGfc1kE/XkLLDfgE +Up/JhM+FgVrJ/2m8F/c68/xxUbJvkfL3qjMErR87cX2Wf8Ujv8dqhgzCok9/N3UH +G1PlqxABsnbyIiV9bOb63AECgYEAqbsd5YF1b026k3dK8uSsk/RnpKWf03ngxMia +mXIt4NsPugnfU3qCoudlrnvNSL0rfUHvRDibk5dIsI21VDX/udUiEwMLlI3OOBWi +ktwLXB4sVLxtaqGhFS5UzB3ZZUwC1LlyKt9tE/0qS2Ttqc8zymcn900lPdUqitNT +WQAbU60CgYBsR9gyXA4SXFjKmk5WKFhHlvTf87UfaOrPeeDE7zeEo2iVgjq9gSHw +7zBaiVvrwcSn3COszrPgtOUM+Vl/T7Z2QmPTteP2R8mKxOJk4BWQ5q/bhoc3sEH7 +EjR9twDPRg3V9xEKtcTiJhzm4TitKGYBH8FQ22B4X6mouVE8KfXkyA== +-----END RSA PRIVATE KEY----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-foo-cert.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-foo-cert.pem new file mode 100644 index 000000000..e3697421b --- /dev/null 
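Review bot: This hunk commits an RSA private key (`workload-bar-key.pem`, alongside `workload-foo-key.pem` and the `ca-key*.pem` files in the same directory) into a module that is applied with terraform, so any secret scanner run on the repository will flag it and every reader of the repository holds the key. These are the well-known Istio sample keys shipped in `samples/certs`, so they provide no confidentiality at all; the risk is not disclosure but someone pointing istiod or a workload at them in a real cluster. Either drop `samples/certs` from the vendored tree, or keep it with a scanner allowlist entry and a README note stating that the directory is test-only and is never referenced by any terraform resource in this module.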
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-foo-cert.pem 
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIUKR+dap3TpKhxmpwtNLchLa7E4JEwDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcT +CVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8xETAPBgNVBAMTCElzdGlvIENBMB4X +DTIwMDgxNDIyMTA0OVoXDTMwMDgxMjIyMTA0OVowADCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAM3y5xVP1qYDsy4DSEG7eXhQEGL/XUbXOR1kTEXTAhAk +/Wo0YclowxRQuIyeXpLM+nRN2z0xDttkMRpI0m6Qb1vK43XtPkBieVm/tBSUyis+ +iBV6KBOhw7ionoAlyq6tOkwL2V3siMK5LvkpeeC7lJPJamaRN19LJcnWS214bcur +lq6g6+owQGb4BS4STqfiRkIciw7MHTN5vWQcNmWNT3ME19KNQGKLXPkJGJoNlq4P +98pIuO58k0mow8xESpmrJ1zOtMtUUDicXV67m8BV2xkn7YLDehfAyKsqMJjsdWB3 +LUlk/kFia9n/AwFz+3mMSPWe4OnRQGdtwUMuanknfSUCAwEAAaN2MHQwDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMDUGA1UdEQEB/wQrMCmGJ3NwaWZmZTovL3RydXN0LWRvbWFpbi1mb28v +bnMvZm9vL3NhL2ZvbzANBgkqhkiG9w0BAQsFAAOCAQEAO3Rcr/CEnEieuKujrQ/j +ZrM5cjQckt/+NcpkXsTQaqpkARmUL23D/g3Cg3P9rfJVIfSIfN2509meX+ouDzIm +JWoFW3XVFLiev18aBBO6rmLaMMMKiVOZYAYzeM8Zt/3qH8mLxNq2CQYUL8EtAd7V +P1FVx6vauFqlyqPn2BWZO3CgdGyPwPRQkBUTrItcUI8OTgAFYd/Q5vQuLt82QIAl +givsPvGaKEWV02tpf8PfAZDgXrFkJLeFhFd0pgf7RSIdvShNdPyyz4r9/2CqEVmc +BRDyTw09OLceF0Mhi4HqcnzgVeLWvWT+yUo3FYf6kzeavK93CEdSU8c9OvQbyi9D +cQ== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K 
+M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-foo-key.pem b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-foo-key.pem new file mode 100644 index 000000000..bfad4d4cd --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/certs/workload-foo-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAzfLnFU/WpgOzLgNIQbt5eFAQYv9dRtc5HWRMRdMCECT9ajRh +yWjDFFC4jJ5eksz6dE3bPTEO22QxGkjSbpBvW8rjde0+QGJ5Wb+0FJTKKz6IFXoo +E6HDuKiegCXKrq06TAvZXeyIwrku+Sl54LuUk8lqZpE3X0slydZLbXhty6uWrqDr +6jBAZvgFLhJOp+JGQhyLDswdM3m9ZBw2ZY1PcwTX0o1AYotc+QkYmg2Wrg/3yki4 +7nyTSajDzERKmasnXM60y1RQOJxdXrubwFXbGSftgsN6F8DIqyowmOx1YHctSWT+ +QWJr2f8DAXP7eYxI9Z7g6dFAZ23BQy5qeSd9JQIDAQABAoIBAQDLs7PpGnze284A +dvKjQYFWBSsQIDDsfrhZX/kpHxptSYj14TXPdzVtBKJlQ8ebP++B1fhBwCJH0gPX +UawB/A6JJlZxL+Vg3YXVxY2ixcBpoYIMbDTzpg7muLF9YuPkfiapTRcElY53u57A +h8urAx5kRtZc+MliEfwgdTtJ3dILnbXxGanKfi+nz9P5YuLkKzqIolbqu9ZxlJFD +/V4DKITA0IootE0OhCKP0GfeA6L9z3tH2OuEn/LXl2S8FbbFCeY4ji8FQBr2icSB +pXdee0gYIrvrU8G0eoE0ZV9bAGXkRhA3057HF9RqlAqhRc012s4ojbl/q4uINdWp +R+UiUecJAoGBAP4Pzo+NwS054kOgSYu+NMSi63j2OJD9aeHYJT6QwVYZurTMChxx +x283Da4qsCBGI37YjU5Ygd6DYc0T57GXfeka8tZQb5+v/ZvV1oIY+pVN5cp0xben +Ttm0qskF2H57TmPcH5atWkW7b5CjrSo7DYFtd6jKzzoAJ9uPH4DCM5ufAoGBAM+F +IRkSmzAPpiyPA1P7OlWy0vQLsNrFwZ59HOmovpQTgDLVW5Xbq+etEiAXmSvuxBU0 +OKiHMgGK2Pmg/vsM3mUVskrx+bDk+6GGM52feqa8N1rtxDTjamI5EHx29896jX/U +HGSW+8YYVZ/jbSSneY71AO1E2INsNEi1Ei5qWTC7AoGABOdnNEwnK2lPncCNSt48 +BIOkiewuwVWy4oIaje+bW78ZZH3/v/bOQ65LXE5EogrYio1BhP6eWx4sGBpHQZ1L +9+DmSQ66aNmryoNBJbe3toQPaG4Clv3qvrcHCORM/nwA0lqgXXcxI+FvUNpn8EW9 +h/8F7UMk5tiz7EAB+qlE978CgYAJBj8UOgzpoCSX13hLlKdKxsYJuuBsAyGSZNp3 +BtGS2u4+R6z97Vmib5JUNvKASJfaXDUCjy6LhqA86tVr0XlyZ+ki/TbgjHSs54sj +FaZdzd2SZLidnC4qK1UeNIY+TZQNtQmvDinQyYofs+IxL99HajwqFU5dGL2FU+qA +fjt2tQKBgQDrnpSRmAhhGcazmNVnzF8PVJGPwY4clGKB2jo6ru57tL0QRc/N+5pJ +8boLB7CqRpC0mHpijJLKkLoJ0oVoC9jsn3e8tfVuVqbO3AfwdB+nkABQVHRxRRGt +AlUeHXbjlY7OpemfK3smhLGBoOZKJVL7cKwyJc5MTPjcUgMwlwbW5w== +-----END RSA PRIVATE KEY----- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/README.md new file mode 100644 index 000000000..814e7dcc2 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/README.md @@ -0,0 +1,52 @@ +# Custom Envoy Bootstrap Configuration + +This sample creates a simple helloworld service that bootstraps the Envoy proxy with a custom configuration file. + +## Starting the service + +First, we need to create a `ConfigMap` resource with our bootstrap configuration. + +```bash +kubectl apply -f custom-bootstrap.yaml +``` + +Next, we can create a service that uses this bootstrap configuration. + +To do this, we need to add an annotation, `sidecar.istio.io/bootstrapOverride`, with the name of our ConfigMap as the value. + +We can create our helloworld app, using the custom config, with: + +```bash +kubectl apply -f example-app.yaml +``` + +If you don't have [automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) +set in your cluster you will need to manually inject it to the services instead: + +```bash +istioctl kube-inject -f example-app.yaml -o example-app-istio.yaml +kubectl apply -f example-app-istio.yaml +``` + +## Checking the Bootstrap Configuration + +To see what bootstrap configuration a pod is using: + +```bash +istioctl proxy-config bootstrap +``` + +## Customizing the Bootstrap + +The configuration provided will be passed to envoy using the [`--config-yaml`](https://www.envoyproxy.io/docs/envoy/v1.7.1/operations/cli#cmdoption-config-yaml) flag. + +This will merge the passed in configuration with the default configuration. Singular values will replace the default values, while repeated values will be appended. + +For reference, [the default bootstrap configuration](../../tools/packaging/common/envoy_bootstrap.json) and Envoy's [configuration reference](https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration#config) may be useful + +## Cleanup + +```bash +kubectl delete -f custom-bootstrap.yaml +kubectl delete -f example-app.yaml +``` 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/custom-bootstrap.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/custom-bootstrap.yaml
new file mode 100644
index 000000000..7ef8d1d61
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/custom-bootstrap.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-custom-bootstrap-config
+ namespace: default
+data:
+ custom_bootstrap.json: |
+ {
+ "tracing": {
+ "http": {
+ "name": "envoy.zipkin",
+ "config": {
+ "collector_cluster": "zipkin",
+ "collector_endpoint": "/api/v1/spans/custom",
+ "trace_id_128bit": "true"
+ }
+ }
+ }
+ }
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/example-app.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/example-app.yaml
new file mode 100644
index 000000000..3a351a318
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/custom-bootstrap/example-app.yaml
@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: helloworld-v1
+ labels:
+ app: helloworld
+ version: v1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: helloworld
+ version: v1
+ template:
+ metadata:
+ annotations:
+ sidecar.istio.io/bootstrapOverride: "istio-custom-bootstrap-config"
+ labels:
+ app: helloworld
+ version: v1
+ spec:
+ containers:
+ - name: helloworld
+ image: docker.io/istio/examples-helloworld-v1
+ resources:
+ requests:
+ cpu: "100m"
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 5000
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/README.md
new file mode 100644
index 000000000..a0ec73caa
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/README.md
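Review bot: The ConfigMap `istio-custom-bootstrap-config` is referenced by the `sidecar.istio.io/bootstrapOverride` annotation, which means whatever it contains is merged into the sidecar's Envoy bootstrap (here the tracing collector cluster and the `/api/v1/spans/custom` endpoint), so write access to this ConfigMap in `default` is effectively write access to the proxy configuration of every pod that references it, and nothing in the file says so. Add a comment above `data:` such as `# Anyone who can edit this ConfigMap controls the Envoy bootstrap of every pod that references it; restrict RBAC on it accordingly.` Also, the tracer is declared through the untyped `"config"` block; newer Envoy releases expect `typed_config` with an explicit `@type`, so it is worth confirming this form still loads under the Envoy build shipped with Istio 1.11 before anyone copies the sample.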
@@ -0,0 +1,99 @@ +# Ext Authz Service + +[Ext Authz server](src/) implements the external server for the [Envoy ext_authz filter](https://www.envoyproxy.io/docs/envoy/v1.16.0/intro/arch_overview/security/ext_authz_filter) +as an example of integrating custom authorization system into Istio. + +The Ext Authz server supports authorization check request using either HTTP (port 8000) or gRPC v2/v3 (port 9000) API and +will allow the request if it includes the header `x-ext-authz: allow` or if the service account of the source workload is `a`. +Note that `a` is just a default value for testing. It can be changed with the flag `-allow_service_account` when running the ext authz server. + +## Usage + +1. Deploy the Ext Authz service in a dedicated pod: + + ```console + $ kubectl apply -f ext-authz.yaml + service/ext-authz created + deployment.extensions/ext-authz created + ``` + + Note, you can also deploy the Ext Authz service locally with the application container in the same pod, see the example in `local-ext-authz.yaml`. + +1. Verify the Ext Authz server is up and running: + + Deploy a sleep pod to send the request: + + ```console + $ kubectl apply -f ../sleep/sleep.yaml + ``` + + Send a check request with header `x-ext-authz: allow` to the Ext Authz server: + + ```console + $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: allow" + * Trying 10.97.88.183:8000... 
+ * Connected to ext-authz-server (10.97.88.183) port 8000 (#0) + > GET / HTTP/1.1 + > Host: ext-authz-server:8000 + > User-Agent: curl/7.73.0-DEV + > Accept: */* + > x-ext-authz: allow + > + * Mark bundle as not supporting multiuse + < HTTP/1.1 200 OK + < x-ext-authz-result: allowed + < date: Tue, 03 Nov 2020 03:06:11 GMT + < content-length: 0 + < x-envoy-upstream-service-time: 19 + < server: envoy + < + * Connection #0 to host ext-authz-server left intact + ``` + + As you observe, the check request with header `x-ext-authz: allow` is allowed by the Ext Authz server. + + Send another check request with `x-ext-authz: blabla` to the Ext Authz server: + + ```console + $ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c sleep -- curl -v ext-authz:8000 -H "x-ext-authz: bla" + > GET / HTTP/1.1 + > Host: ext-authz-server:8000 + > User-Agent: curl/7.73.0-DEV + > Accept: */* + > x-ext-authz: allowx + > + * Mark bundle as not supporting multiuse + < HTTP/1.1 403 Forbidden + < x-ext-authz-check-result: denied + < date: Tue, 03 Nov 2020 03:14:02 GMT + < content-length: 76 + < content-type: text/plain; charset=utf-8 + < x-envoy-upstream-service-time: 44 + < server: envoy + < + * Connection #0 to host ext-authz-server left intact + denied by ext_authz for not found header `x-ext-authz: allow` in the request + ``` + + As you observe, the check request with header `x-ext-authz: bla` is denied by the Ext Authz server. + +1. To clean up, execute the following commands: + + ```console + $ kubectl delete -f ../sleep/sleep.yaml + $ kubectl delete -f ext-authz.yaml + ``` + +## Advanced features + +The Ext Authz server supports the following advanced features that are useful for testing: + +- The ext authz server will add the `x-ext-authz-check-received` header to the user request. The content is the dump of + the check request it received from the ext-authz filter. 
This header is useful in verifying the ext-authz filter sending + the expected request to the ext authz server. + +- The ext authz server will add (or override if it already exists) the header `x-ext-authz-additional-header-override` to + the user request. The value of the header depends on the type of ext-authz server. + The ext authz HTTP server will set it to the value of the same `x-ext-authz-additional-header-override` header in the + check request. The ext authz gRPC server will set it to the constant value `grpc-additional-header-override-value`. + This header is useful in verifying the header override behavior in the ext-authz filter. diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/ext-authz.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/ext-authz.yaml new file mode 100644 index 000000000..e01acc7d4 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/ext-authz.yaml 
@@ -0,0 +1,55 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Example configurations for deploying ext-authz server separately in the mesh.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: ext-authz
+ labels:
+ app: ext-authz
+spec:
+ ports:
+ - name: http
+ port: 8000
+ targetPort: 8000
+ - name: grpc
+ port: 9000
+ targetPort: 9000
+ selector:
+ app: ext-authz
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ext-authz
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ext-authz
+ template:
+ metadata:
+ labels:
+ app: ext-authz
+ spec:
+ containers:
+ - image: gcr.io/istio-testing/ext-authz:0.7
+ imagePullPolicy: IfNotPresent
+ name: ext-authz
+ ports:
+ - containerPort: 8000
+ - containerPort: 9000
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/local-ext-authz.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/local-ext-authz.yaml
new file mode 100644
index 000000000..a0f22dc35
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/local-ext-authz.yaml
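Review bot: The `ext-authz` Deployment is the mesh's authorization decision point, yet its pod spec declares nothing beyond the image and two ports: `gcr.io/istio-testing/ext-authz:0.7` is pinned by a mutable tag rather than a digest, the pod mounts a default service-account token it has no visible use for, and the container runs with whatever user and capabilities the image defaults to. A swapped or compromised image here can approve every request that is delegated to it, so before this sample is copied into a real cluster it should carry the hardening below (verify the image tolerates a read-only root filesystem, and add `runAsNonRoot: true` once its user is confirmed). Per the README the server also allows any request carrying `x-ext-authz: allow`, so it must stay a test fixture regardless.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
      - image: gcr.io/istio-testing/ext-authz:0.7  # pin by @sha256 digest outside of tests
        # … unchanged: imagePullPolicy, name …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: ports …
```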
@@ -0,0 +1,99 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Example configurations for deploying ext-authz server locally with the application container in the same pod.
+
+# Define the service entry for the local ext-authz service on port 8000.
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: httpbin-ext-authz-http
+spec:
+ hosts:
+ - "ext-authz-http.local"
+ endpoints:
+ - address: "127.0.0.1"
+ ports:
+ - name: http
+ number: 8000
+ protocol: HTTP
+ resolution: STATIC
+---
+# Define the service entry for the local ext-authz service on port 9000.
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: httpbin-ext-authz-grpc
+spec:
+ hosts:
+ - "ext-authz-grpc.local"
+ endpoints:
+ - address: "127.0.0.1"
+ ports:
+ - name: grpc
+ number: 9000
+ protocol: GRPC
+ resolution: STATIC
+---
+# Deploy the ext-authz server locally with the application container in the same pod.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: httpbin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: httpbin
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: httpbin
+ version: v1
+ spec:
+ serviceAccountName: httpbin
+ containers:
+ - image: docker.io/kennethreitz/httpbin
+ imagePullPolicy: IfNotPresent
+ name: httpbin
+ ports:
+ - containerPort: 80
+ - image: gcr.io/istio-testing/ext-authz:0.7
+ imagePullPolicy: IfNotPresent
+ name: ext-authz
+ ports:
+ - containerPort: 8000
+ - containerPort: 9000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: httpbin
+ labels:
+ app: httpbin
+ service: httpbin
+spec:
+ ports:
+ - name: http
+ port: 8000
+ targetPort: 80
+ selector:
+ app: httpbin
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: httpbin
+---
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/src/Makefile b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/src/Makefile
new file mode 100644
index 000000000..8ec3ec980
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/extauthz/src/Makefile
@@ -0,0 +1,22 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+HUB ?= gcr.io/istio-testing/ext-authz
+TAG ?= 0.7
+
+build: main.go go.mod go.sum Dockerfile
+ docker build . -t $(HUB):$(TAG)
+
+push: build
+ docker push $(HUB):$(TAG)
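Review bot: `image: docker.io/kennethreitz/httpbin` in the `httpbin` Deployment carries no tag, so that container floats on whatever `latest` resolves to at pull time while the adjacent ext-authz container is at least pinned to `0.7`; pin it to a specific tag or, better, an `@sha256` digest so the sample deploys reproducibly. The two ServiceEntries point the sidecar at `127.0.0.1:8000` and `127.0.0.1:9000`, which only works because the ext-authz container shares the pod's network namespace, yet the same ports are also declared as `containerPort`s on that container; whether other mesh workloads can reach the authorization server directly depends on how the binary binds, which is not visible here. A comment stating that the server is expected to listen on loopback only (or an AuthorizationPolicy covering ports 8000 and 9000) would make that intent explicit.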
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/external/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/external/README.md new file mode 100644 index 000000000..e17198b8d --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/external/README.md 
@@ -0,0 +1,34 @@
+# External Services
+
+By default Istio-enabled services are unable to access services and URLs outside of the cluster. Pods use iptables to transparently redirect all outbound traffic to the sidecar proxy, which only handles intra-cluster destinations.
+
+See [the Egress Task](https://istio.io/docs/tasks/traffic-management/egress/) for
+information on configuring Istio to contact external services.
+
+This directory contains samples showing how to enable pods to contact a few well
+known services.
+
+If Istio is not configured to allow pods to contact external services, the pods will
+see errors such as 404s, HTTPS connection problems, and TCP connection problems. If
+ServiceEntries are misconfigured pods may see problems with server names.
+
+## Try it out
+
+After an operator runs `kubectl create -f aptget.yaml` pods will be able to
+succeed with `apt-get update` and `apt-get install`.
+
+After an operator runs `kubectl create -f github.yaml` pods will be able to
+succeed with `git clone https://github.com/fortio/fortio.git`.
+
+Running `kubectl create -f pypi.yaml` allows pods to update Python libraries using `pip`.
+
+It is not a best practice to enable pods to update libraries dynamically.
+We are providing these samples
+because they have proven to be helpful with interactive troubleshooting. Security minded clusters should only allow traffic to service dependencies such as cloud
+services.
+
+### Enable communication by default
+
+Note that [this note](https://istio.io/docs/tasks/traffic-management/egress/#install-istio-with-access-to-all-external-services-by-default) shows how to configure Istio to contact services by default. The technique
+discussed there does not allow HTTP on port 80 or SSH on port 22. These examples will
+allow external communication for ports 80 and 22.
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/external/aptget.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/external/aptget.yaml
new file mode 100644
index 000000000..fa24fa451
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/external/aptget.yaml
@@ -0,0 +1,20 @@
+# This ServiceEntry exposes the hosts needed for installing packages with apt-get.
+# After applying this file, Istio-enabled pods (configured apt-get) be able to execute
+# `apt-get upgrade` and `apt-get install`. If this is not installed you may get
+# "404 Not Found"
+
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: make-aptget-work
+spec:
+ hosts:
+ - deb.debian.org
+ - cdn-fastly.deb.debian.org
+ - security.debian.org
+ - archive.ubuntu.com
+ - security.ubuntu.com
+ ports:
+ - number: 80
+ name: http
+ protocol: HTTP
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/external/github.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/external/github.yaml
new file mode 100644
index 000000000..832cbc379
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/external/github.yaml
@@ -0,0 +1,53 @@
+# This ServiceEntry exposes the hosts needed for github.com.
+# After applying this file, Istio-enabled pods will be able to execute
+# `git clone https://github.com/istio/api.git` and (with local identification
+# config and certificate) `git clone git@github.com:istio/api.git`
+
+# HTTP and TLS, the host must be specified
+# See https://istio.io/docs/tasks/traffic-management/egress/
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: github-https
+spec:
+ hosts:
+ - github.com
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+---
+# For TCP services the IP ranges SHOULD be specified to avoid problems
+# if multiple SEs use the same port number.
+# See https://istio.io/blog/2018/egress-tcp/#mesh-external-service-entry-for-an-external-mysql-instance
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: github-tcp
+spec:
+ hosts:
+ - dummy.github.com # not used
+ addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/
+ - "13.229.188.59/32"
+ - "13.250.177.223/32"
+ - "140.82.112.0/20"
+ - "18.194.104.89/32"
+ - "18.195.85.27/32"
+ - "185.199.108.0/22"
+ - "185.199.108.153/32"
+ - "185.199.109.153/32"
+ - "185.199.110.153/32"
+ - "185.199.111.153/32"
+ - "192.30.252.0/22"
+ - "192.30.252.153/32"
+ - "192.30.252.154/32"
+ - "23.20.92.3/32"
+ - "35.159.8.160/32"
+ - "52.74.223.119/32"
+ - "54.166.52.62/32"
+ - "54.87.5.173/32"
+ ports:
+ - name: tcp
+ number: 22
+ protocol: tcp
+ location: MESH_EXTERNAL
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/external/pypi.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/external/pypi.yaml
new file mode 100644
index 000000000..7f457a5af
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/external/pypi.yaml
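Review bot: The `addresses` list under `github-tcp` is a static snapshot of GitHub's published ranges with no record of when it was taken; those ranges change, so a stale list either breaks `git@github.com:` clones or leaves port 22 reachable to addresses GitHub no longer controls. Suggest extending the existing comment to `addresses: # from https://help.github.com/articles/about-github-s-ip-addresses/ (snapshot <date>; refresh before use)` so operators know to regenerate it rather than trust it. Also `protocol: tcp` is lowercase while every other entry in this directory uses uppercase (`HTTP`, `HTTPS`); `protocol: TCP` keeps the samples consistent even if Istio accepts both spellings.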
@@ -0,0 +1,44 @@
+# This ServiceEntry exposes the hosts needed for Python `pip`.
+# After applying this file, Istio-enabled pods will be able to execute
+# `pip search istio`.
+
+# HTTP and TLS, the host must be specified
+# See https://istio.io/docs/tasks/traffic-management/egress/
+
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: python-https
+spec:
+ hosts:
+ - pypi.python.org
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+---
+# pypi.python.org may 301 redirect to pypi.org, so we need this too.
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: pypi-https
+spec:
+ hosts:
+ - pypi.org
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
+---
+# pip install may fetch files from files.pythonhosted.org
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+ name: pythonhosted-https
+spec:
+ hosts:
+ - files.pythonhosted.org
+ ports:
+ - number: 443
+ name: https
+ protocol: HTTPS
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/health-check/liveness-command.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/health-check/liveness-command.yaml
new file mode 100644
index 000000000..5cab97cb1
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/health-check/liveness-command.yaml
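Review bot: The header comment offers `pip search istio` as the verification command, but PyPI has disabled the XML-RPC search endpoint that `pip search` relies on, so the command fails whether or not egress is configured and says nothing about this ServiceEntry. Suggest `# \`pip install --upgrade pip\`.` (or any `pip install`), which exercises both pypi.org and files.pythonhosted.org and so covers all three entries. The three single-host entries could also be one ServiceEntry with three `hosts`, which would make the redirect relationship described in the comments visible in one place; that is a style preference rather than a defect.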
@@ -0,0 +1,58 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Liveness service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness
+ labels:
+ app: liveness
+ service: liveness
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: liveness
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness
+spec:
+ selector:
+ matchLabels:
+ app: liveness
+ template:
+ metadata:
+ labels:
+ app: liveness
+ spec:
+ containers:
+ - name: liveness
+ image: k8s.gcr.io/busybox
+ args:
+ - /bin/sh
+ - -c
+ - touch /tmp/healthy; sleep 3600
+ livenessProbe:
+ exec:
+ command:
+ - cat
+ - /tmp/healthy
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/health-check/liveness-http-same-port.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/health-check/liveness-http-same-port.yaml
new file mode 100644
index 000000000..a39a3ff11
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/health-check/liveness-http-same-port.yaml
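Review bot: `image: k8s.gcr.io/busybox` carries no tag, so every apply resolves the mutable `latest`, and the `k8s.gcr.io` registry has been frozen in favour of `registry.k8s.io`; a sample whose whole purpose is to show a liveness probe should pin what it runs, e.g. `image: registry.k8s.io/busybox:<pinned-tag>` or a `@sha256:` digest. The same point applies to `image: docker.io/istio/health:example` in the next file, liveness-http-same-port.yaml, where `example` is a floating tag. Neither Deployment sets `resources` or a `securityContext`, which is acceptable for a sample but worth a one-line comment so the manifests are not copied into production unchanged.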
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness-http
+ labels:
+ app: liveness-http
+ service: liveness-http
+spec:
+ ports:
+ - name: http
+ port: 8001
+ selector:
+ app: liveness-http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: liveness-http
+spec:
+ selector:
+ matchLabels:
+ app: liveness-http
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: liveness-http
+ version: v1
+ spec:
+ containers:
+ - name: liveness-http
+ image: docker.io/istio/health:example
+ ports:
+ - containerPort: 8001
+ livenessProbe:
+ httpGet:
+ path: /foo
+ port: 8001
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/helloworld/README.md b/terraform-modules/aws/istio/istio-1.11.0/samples/helloworld/README.md
new file mode 100644
index 000000000..dd09fa137
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/helloworld/README.md
@@ -0,0 +1,107 @@ +# Helloworld service + +This sample includes two versions of a simple helloworld service that returns its version +and instance (hostname) when called. +It can be used as a test service when experimenting with version routing. + +This service is also used to demonstrate canary deployments working in conjunction with autoscaling. +See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary). + +## Start the helloworld service + +The following commands assume you have +[automatic sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#automatic-sidecar-injection) +enabled in your cluster. +If not, you'll need to modify them to include +[manual sidecar injection](https://istio.io/docs/setup/additional-setup/sidecar-injection/#manual-sidecar-injection). + +To run both versions of the helloworld service, use the following command: + +```bash +kubectl apply -f helloworld.yaml +``` + +Alternatively, you can run just one version at a time by first defining the service: + +```bash +kubectl apply -f helloworld.yaml -l service=helloworld +``` + +and then deploying version v1, v2, or both: + +```bash +kubectl apply -f helloworld.yaml -l version=v1 +kubectl apply -f helloworld.yaml -l version=v2 +``` + +For even more flexibility, there is also a script, `gen-helloworld.sh`, that will +generate YAML for the helloworld service. This script takes the following +arguments: + +Argument | Default | Description +-------- | ------- | ----------- +`--version` | `v1` | Specifies the version that will be returned by the helloworld service. +`--includeService` | `true` | If `true` the service will be included in the YAML. +`--includeDeployment` | `true` | If `true` the deployment will be included in the YAML. 
+ +You can use this script to deploy a custom version: + +```bash +./gen-helloworld.sh --version customversion | \ + kubectl apply -f - +``` + +## Configure the helloworld gateway + +Apply the helloworld gateway configuration: + +```bash +kubectl apply -f helloworld-gateway.yaml +``` + +Follow [these instructions](https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports) +to set the INGRESS_HOST and INGRESS_PORT variables and then confirm the sample is running using curl: + +```bash +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +curl http://$GATEWAY_URL/hello +``` + +## Autoscale the services + +Note that a Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) +only works if all containers in the pods request cpu. In this sample the deployment +containers in `helloworld.yaml` are configured with the request. +The injected istio-proxy containers also include cpu requests, +making the helloworld service ready for autoscaling. + +Enable autoscaling on both versions of the service: + +```bash +kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10 +kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10 +kubectl get hpa +``` + +## Generate load + +```bash +./loadgen.sh & +./loadgen.sh & # run it twice to generate lots of load +``` + +Wait for about 2 minutes and then check the number of replicas: + +```bash +kubectl get hpa +``` + +If the autoscaler is functioning correctly, the `REPLICAS` column should have a value > 1. + +## Cleanup + +```bash +kubectl delete -f helloworld.yaml +kubectl delete -f helloworld-gateway.yaml +kubectl delete hpa helloworld-v1 helloworld-v2 +``` diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/helloworld/gen-helloworld.sh b/terraform-modules/aws/istio/istio-1.11.0/samples/helloworld/gen-helloworld.sh new file mode 100755 index 000000000..b2134e29b --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.11.0/samples/helloworld/gen-helloworld.sh 
@@ -0,0 +1,116 @@ +#!/bin/bash +# +# Copyright Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -euo pipefail + +INCLUDE_SERVICE=${INCLUDE_SERVICE:-"true"} +INCLUDE_DEPLOYMENT=${INCLUDE_DEPLOYMENT:-"true"} +SERVICE_VERSION=${SERVICE_VERSION:-"v1"} +while (( "$#" )); do + case "$1" in + --version) + SERVICE_VERSION=$2 + shift 2 + ;; + + --includeService) + INCLUDE_SERVICE=$2 + shift 2 + ;; + + --includeDeployment) + INCLUDE_DEPLOYMENT=$2 + shift 2 + ;; + + *) + echo "Error: Unsupported flag $1" >&2 + exit 1 + ;; + esac +done + +SERVICE_YAML=$(cat <&2 + exit 1 + ;; + esac +done + + +# single-cluster installations may need this gateway to allow VMs to get discovery +# for non-single cluster, we add additional topology information +SINGLE_CLUSTER="${SINGLE_CLUSTER:-0}" +if [[ "${SINGLE_CLUSTER}" -eq 0 ]]; then + if [[ -z "${CLUSTER:-}" ]] || [[ -z "${NETWORK:-}" ]] || [[ -z "${MESH:-}" ]]; then + echo "Must specify either --single-cluster or --mesh, --cluster, and --network." + exit 1 + fi +fi + +# base +IOP=$(cat < with your browser + +- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established. +To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing). 
+ +## Cleanup + +```command +kubectl delete -f samples/websockets/route.yaml +kubectl delete -f samples/websockets/app.yaml +``` diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/websockets/app.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/websockets/app.yaml new file mode 100644 index 000000000..4f44ea7d7 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/websockets/app.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Service +metadata: + name: tornado + labels: + app: tornado + service: tornado +spec: + ports: + - port: 8888 + name: http + selector: + app: tornado +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tornado +spec: + replicas: 1 + selector: + matchLabels: + app: tornado + version: v1 + template: + metadata: + labels: + app: tornado + version: v1 + spec: + containers: + - name: tornado + image: hiroakis/tornado-websocket-example + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8888 +--- diff --git a/terraform-modules/aws/istio/istio-1.11.0/samples/websockets/route.yaml b/terraform-modules/aws/istio/istio-1.11.0/samples/websockets/route.yaml new file mode 100644 index 000000000..ef580b2cd --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/samples/websockets/route.yaml @@ -0,0 +1,32 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: tornado-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: tornado +spec: + hosts: + - "*" + gateways: + - tornado-gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: tornado + weight: 100 diff --git a/terraform-modules/aws/istio/istio-1.11.0/tools/_istioctl b/terraform-modules/aws/istio/istio-1.11.0/tools/_istioctl new file mode 100644 index 000000000..20326214b --- /dev/null 
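Review bot: In app.yaml, `image: hiroakis/tornado-websocket-example` is an untagged image from an individual Docker Hub account, paired with `imagePullPolicy: IfNotPresent`, so whatever `latest` resolves to on the first pull becomes the running code on that node and is never re-checked; the sample is neither reproducible nor reviewable from the manifest alone. Pin a digest, `image: hiroakis/tornado-websocket-example@sha256:<digest>`, or mirror the image under the project's own namespace as the health-check samples do with `docker.io/istio/...`. The route.yaml Gateway that follows is fine as a sample but serves `hosts: "*"` on port 80, which deserves a comment for anyone who copies it into a real cluster.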
+++ b/terraform-modules/aws/istio/istio-1.11.0/tools/_istioctl 
@@ -0,0 +1,177 @@ +#compdef _istioctl istioctl + +# zsh completion for istioctl -*- shell-script -*- + +__istioctl_debug() +{ + local file="$BASH_COMP_DEBUG_FILE" + if [[ -n ${file} ]]; then + echo "$*" >> "${file}" + fi +} + +_istioctl() +{ + local shellCompDirectiveError=1 + local shellCompDirectiveNoSpace=2 + local shellCompDirectiveNoFileComp=4 + local shellCompDirectiveFilterFileExt=8 + local shellCompDirectiveFilterDirs=16 + + local lastParam lastChar flagPrefix requestComp out directive comp lastComp noSpace + local -a completions + + __istioctl_debug "\n========= starting completion logic ==========" + __istioctl_debug "CURRENT: ${CURRENT}, words[*]: ${words[*]}" + + # The user could have moved the cursor backwards on the command-line. + # We need to trigger completion from the $CURRENT location, so we need + # to truncate the command-line ($words) up to the $CURRENT location. + # (We cannot use $CURSOR as its value does not work when a command is an alias.) + words=("${=words[1,CURRENT]}") + __istioctl_debug "Truncated words[*]: ${words[*]}," + + lastParam=${words[-1]} + lastChar=${lastParam[-1]} + __istioctl_debug "lastParam: ${lastParam}, lastChar: ${lastChar}" + + # For zsh, when completing a flag with an = (e.g., istioctl -n=) + # completions must be prefixed with the flag + setopt local_options BASH_REMATCH + if [[ "${lastParam}" =~ '-.*=' ]]; then + # We are dealing with a flag with an = + flagPrefix="-P ${BASH_REMATCH}" + fi + + # Prepare the command to obtain completions + requestComp="${words[1]} __complete ${words[2,-1]}" + if [ "${lastChar}" = "" ]; then + # If the last parameter is complete (there is a space following it) + # We add an extra empty parameter so we can indicate this to the go completion code. 
+ __istioctl_debug "Adding extra empty parameter" + requestComp="${requestComp} \"\"" + fi + + __istioctl_debug "About to call: eval ${requestComp}" + + # Use eval to handle any environment variables and such + out=$(eval ${requestComp} 2>/dev/null) + __istioctl_debug "completion output: ${out}" + + # Extract the directive integer following a : from the last line + local lastLine + while IFS='\n' read -r line; do + lastLine=${line} + done < <(printf "%s\n" "${out[@]}") + __istioctl_debug "last line: ${lastLine}" + + if [ "${lastLine[1]}" = : ]; then + directive=${lastLine[2,-1]} + # Remove the directive including the : and the newline + local suffix + (( suffix=${#lastLine}+2)) + out=${out[1,-$suffix]} + else + # There is no directive specified. Leave $out as is. + __istioctl_debug "No directive found. Setting do default" + directive=0 + fi + + __istioctl_debug "directive: ${directive}" + __istioctl_debug "completions: ${out}" + __istioctl_debug "flagPrefix: ${flagPrefix}" + + if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then + __istioctl_debug "Completion received error. Ignoring completions." + return + fi + + while IFS='\n' read -r comp; do + if [ -n "$comp" ]; then + # If requested, completions are returned with a description. + # The description is preceded by a TAB character. + # For zsh's _describe, we need to use a : instead of a TAB. + # We first need to escape any : as part of the completion itself. + comp=${comp//:/\\:} + + local tab=$(printf '\t') + comp=${comp//$tab/:} + + __istioctl_debug "Adding completion: ${comp}" + completions+=${comp} + lastComp=$comp + fi + done < <(printf "%s\n" "${out[@]}") + + if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then + __istioctl_debug "Activating nospace." 
+ noSpace="-S ''" + fi + + if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then + # File extension filtering + local filteringCmd + filteringCmd='_files' + for filter in ${completions[@]}; do + if [ ${filter[1]} != '*' ]; then + # zsh requires a glob pattern to do file filtering + filter="\*.$filter" + fi + filteringCmd+=" -g $filter" + done + filteringCmd+=" ${flagPrefix}" + + __istioctl_debug "File filtering command: $filteringCmd" + _arguments '*:filename:'"$filteringCmd" + elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then + # File completion for directories only + local subDir + subdir="${completions[1]}" + if [ -n "$subdir" ]; then + __istioctl_debug "Listing directories in $subdir" + pushd "${subdir}" >/dev/null 2>&1 + else + __istioctl_debug "Listing directories in ." + fi + + local result + _arguments '*:dirname:_files -/'" ${flagPrefix}" + result=$? + if [ -n "$subdir" ]; then + popd >/dev/null 2>&1 + fi + return $result + else + __istioctl_debug "Calling _describe" + if eval _describe "completions" completions $flagPrefix $noSpace; then + __istioctl_debug "_describe found some completions" + + # Return the success of having called _describe + return 0 + else + __istioctl_debug "_describe did not find completions." + __istioctl_debug "Checking if we should do file completion." + if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then + __istioctl_debug "deactivating file completion" + + # We must return an error code here to let zsh know that there were no + # completions found by _describe; this is what will trigger other + # matching algorithms to attempt to find completions. + # For example zsh can match letters in the middle of words. + return 1 + else + # Perform file completion + __istioctl_debug "Activating file completion" + + # We must return the result of this command, so it must be the + # last command, or else we must store its result to return it. 
+ _arguments '*:filename:_files'" ${flagPrefix}" + fi + fi + fi +} + +# don't run the completion function when being source-ed or eval-ed +if [ "$funcstack[1]" = "_istioctl" ]; then + _istioctl +fi diff --git a/terraform-modules/aws/istio/istio-1.11.0/tools/certs/Makefile.k8s.mk b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/Makefile.k8s.mk new file mode 100644 index 000000000..da1170348 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/Makefile.k8s.mk 
@@ -0,0 +1,93 @@ +.SUFFIXES: .csr .pem .conf +.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem +.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem +.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf + +.DEFAULT_GOAL := help + +SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) + +include $(SELF_DIR)common.mk + +#------------------------------------------------------------------------ +##help: print this help message +.PHONY: help + +help: + @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' + +#------------------------------------------------------------------------ +##fetch-root-ca: fetch root CA and key from a k8s cluster. +.PHONY: fetch-root-ca +rawcluster := $(shell kubectl config current-context) +cluster := $(subst /,-,$(rawcluster)) +pwd := $(shell pwd) +export KUBECONFIG + +fetch-root-ca: + @echo "fetching root ca from k8s cluster: "$(cluster)"" + @mkdir -p $(pwd)/$(cluster) + @res=$(shell kubectl get secret istio-ca-secret -n $(ISTIO-NAMESPACE) >/dev/null 2>&1; echo $$?) 
+ifeq ($(res), 1) + @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem + @kubectl get secret cacerts -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem +else + @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-cert\.pem']}" | base64 -d > $(cluster)/k8s-root-cert.pem + @kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['ca-key\.pem']}" | base64 -d > $(cluster)/k8s-root-key.pem +endif + +k8s-root-cert.pem: + @cat $(cluster)/k8s-root-cert.pem > $@ + +k8s-root-key.pem: + @cat $(cluster)/k8s-root-key.pem > $@ +#------------------------------------------------------------------------ +##-cacerts: generate intermediate certificates for a cluster or VM with signed with istio root cert from the specified k8s cluster and store them under directory +.PHONY: %-cacerts + +%-cacerts: %/cert-chain.pem + @echo "done" + +%/cert-chain.pem: %/ca-cert.pem k8s-root-cert.pem + @echo "generating $@" + @cat $^ > $@ + @echo "Intermediate certs stored in $(dir $<)" + @cp k8s-root-cert.pem $(dir $<)/root-cert.pem + +%/ca-cert.pem: %/cluster-ca.csr root-key.pem k8s-root-cert.pem + @echo "generating $@" + @openssl x509 -req -days $(INTERMEDIATE_DAYS) \ + -CA k8s-root-cert.pem -CAkey root-key.pem -CAcreateserial\ + -extensions req_ext -extfile $(dir $<)/intermediate.conf \ + -in $< -out $@ + +%/cluster-ca.csr: L=$(dir $@) +%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf + @echo "generating $@" + @openssl req -new -config $(L)/intermediate.conf -key $< -out $@ + +%/ca-key.pem: fetch-root-ca + @echo "generating $@" + @mkdir -p $(dir $@) + @openssl genrsa -out $@ 4096 + +#------------------------------------------------------------------------ +##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using 
root cert from k8s cluster. +.PHONY: %-certs + +%-certs: %/workload-cert-chain.pem k8s-root-cert.pem + @echo "done" + +%/workload-cert-chain.pem: k8s-root-cert.pem %/ca-cert.pem %/workload-cert.pem + @echo "generating $@" + @cat $^ > $@ + @echo "Intermediate and workload certs stored in $(dir $<)" + @cp k8s-root-cert.pem $(dir $@)/root-cert.pem + +%/workload-cert.pem: %/workload.csr + @echo "generating $@" + @openssl x509 -req -days $(WORKLOAD_DAYS) \ + -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ + -extensions req_ext -extfile $(dir $<)/workload.conf \ + -in $< -out $@ + diff --git a/terraform-modules/aws/istio/istio-1.11.0/tools/certs/Makefile.selfsigned.mk b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/Makefile.selfsigned.mk new file mode 100644 index 000000000..f21a3d1ec --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/Makefile.selfsigned.mk 
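Review bot: In `fetch-root-ca`, `ifeq ($(res), 1)` is a make conditional evaluated when the Makefile is parsed, but `res` only ever exists as a shell variable set by the `@res=$(shell …)` recipe line, so `$(res)` is always empty and the `cacerts` branch can never run; the probe line also reads `$(ISTIO-NAMESPACE)` (hyphen) where every other line uses `$(ISTIO_NAMESPACE)`. Because each `kubectl … | base64 -d > file` pipeline reports the status of `base64`, a failed lookup silently writes an empty `k8s-root-cert.pem` and `k8s-root-key.pem` instead of failing the build. The rewrite below moves the secret selection into the recipe shell, checks the `kubectl` result before decoding, and runs under `umask 077`, since the file being written is the cluster's root CA private key. Separately, this file defines no `%/workload.csr` or `%/key.pem` rule (Makefile.selfsigned.mk has both), so `$NAMESPACE-certs` appears to have no way to produce the CSR that `%/workload-cert.pem` depends on; worth confirming with a real run.
```makefile
fetch-root-ca:
	@echo "fetching root ca from k8s cluster: "$(cluster)""
	@umask 077; mkdir -p $(pwd)/$(cluster); \
	if kubectl get secret istio-ca-secret -n $(ISTIO_NAMESPACE) >/dev/null 2>&1; then secret=istio-ca-secret; else secret=cacerts; fi; \
	for f in ca-cert ca-key; do \
	  data=$$(kubectl get secret $$secret -n $(ISTIO_NAMESPACE) -o "jsonpath={.data['$$f\.pem']}") || exit 1; \
	  printf '%s' "$$data" | base64 -d > $(cluster)/k8s-root-$$f.pem; \
	done
# … unchanged: k8s-root-cert.pem, k8s-root-key.pem and the %-cacerts / %-certs rules …
```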
@@ -0,0 +1,98 @@ +.SUFFIXES: .csr .pem .conf +.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem +.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem +.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf + +.DEFAULT_GOAL := help + +SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST))) + +include $(SELF_DIR)common.mk + +#------------------------------------------------------------------------ +##help: print this help message +.PHONY: help + +help: + @fgrep -h "##" $(MAKEFILE_LIST) | fgrep -v fgrep | sed -e 's/##//' + +#------------------------------------------------------------------------ +##root-ca: generate root CA files (key and certifcate) in current directory. +.PHONY: root-ca + +root-ca: root-key.pem root-cert.pem + +root-cert.pem: root-cert.csr root-key.pem + @echo "generating $@" + @openssl x509 -req -days $(ROOTCA_DAYS) -signkey root-key.pem \ + -extensions req_ext -extfile root-ca.conf \ + -in $< -out $@ + +root-cert.csr: root-key.pem root-ca.conf + @echo "generating $@" + @openssl req -new -key $< -config root-ca.conf -out $@ + +root-key.pem: + @echo "generating $@" + @openssl genrsa -out $@ 4096 +#------------------------------------------------------------------------ +##-cacerts: generate self signed intermediate certificates for and store them under directory. 
+.PHONY: %-cacerts + +%-cacerts: %/cert-chain.pem + @echo "done" + +%/cert-chain.pem: %/ca-cert.pem root-cert.pem + @echo "generating $@" + @cat $^ > $@ + @echo "Intermediate inputs stored in $(dir $<)" + @cp root-cert.pem $(dir $<) + + +%/ca-cert.pem: %/cluster-ca.csr root-key.pem root-cert.pem + @echo "generating $@" + @openssl x509 -req -days $(INTERMEDIATE_DAYS) \ + -CA root-cert.pem -CAkey root-key.pem -CAcreateserial\ + -extensions req_ext -extfile $(dir $<)/intermediate.conf \ + -in $< -out $@ + +%/cluster-ca.csr: L=$(dir $@) +%/cluster-ca.csr: %/ca-key.pem %/intermediate.conf + @echo "generating $@" + @openssl req -new -config $(L)/intermediate.conf -key $< -out $@ + +%/ca-key.pem: + @echo "generating $@" + @mkdir -p $(dir $@) + @openssl genrsa -out $@ 4096 + +#------------------------------------------------------------------------ +##-certs: generate intermediate certificates and sign certificates for a virtual machine connected to the namespace ` using serviceAccount `$SERVICE_ACCOUNT` using self signed root certs. +.PHONY: %-certs + +%-certs: %/ca-cert.pem %/workload-cert-chain.pem root-cert.pem + @echo "done" + +%/workload-cert-chain.pem: %/workload-cert.pem %/ca-cert.pem root-cert.pem + @echo "generating $@" + @cat $^ > $@ + @echo "Intermediate and workload certs stored in $(dir $<)" + @cp root-cert.pem $(dir $@)/root-cert.pem + + +%/workload-cert.pem: %/workload.csr + @echo "generating $@" + @openssl x509 -req -days $(WORKLOAD_DAYS) \ + -CA $(dir $<)/ca-cert.pem -CAkey $(dir $<)/ca-key.pem -CAcreateserial\ + -extensions req_ext -extfile $(dir $<)/workload.conf \ + -in $< -out $@ + +%/workload.csr: L=$(dir $@) +%/workload.csr: %/key.pem %/workload.conf + @echo "generating $@" + @openssl req -new -config $(L)/workload.conf -key $< -out $@ + +%/key.pem: + @echo "generating $@" + @mkdir -p $(dir $@) + @openssl genrsa -out $@ 4096 
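Review bot: The three key-generation rules (`root-key.pem`, `%/ca-key.pem`, `%/key.pem`) hard-code `openssl genrsa -out $@ 4096`, although common.mk exposes `ROOTCA_KEYSZ` and `INTERMEDIATE_KEYSZ` and writes them into the conf files as `default_bits`; `genrsa` never reads that conf, so overriding the variables changes the config text but not the key that is actually generated. Use `@openssl genrsa -out $@ $(ROOTCA_KEYSZ)` for the root and `$(INTERMEDIATE_KEYSZ)` for the intermediate; the same hard-coded size appears in Makefile.k8s.mk's `%/ca-key.pem`. `genrsa` also creates the key file with the process umask, so a `umask 077;` prefix on those recipe lines keeps CA private keys from landing world-readable in a shared checkout.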
diff --git a/terraform-modules/aws/istio/istio-1.11.0/tools/certs/README.md b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/README.md new file mode 100644 index 000000000..f197e2a8f --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/README.md 
@@ -0,0 +1,26 @@ +# Generating Certificates for Bootstrapping Multicluster / Mesh Expansion Chain of Trust + +The directory contains two Makefiles for generating new root, intermediate certificates and workload certificates: +- `Makefile.k8s.mk`: Creates certificates based on a root-ca from a k8s cluster. The current context in the default +`kubeconfig` is used for accessing the cluster. +- `Makefile.selfsigned.mk`: Creates certificates based on a generated self-signed root. + +The table below describes the targets supported by both Makefiles. + +Make Target | Makefile | Description +------ | -------- | ----------- +`root-ca` | `Makefile.selfsigned.mk` | Generates a self-signed root CA key and certificate. +`fetch-root-ca` | `Makefile.k8s.mk` | Fetches the Istio CA from the Kubernetes cluster, using the current context in the default `kubeconfig`. +`$NAME-cacerts` | Both | Generates intermediate certificates signed by the root CA for a cluster or VM with `$NAME` (e.g., `us-east`, `cluster01`, etc.). They are stored under `$NAME` directory. To differentiate between clusters, we include a `Location` (`L`) designation in the certificates `Subject` field, with the cluster's name. +`$NAMESPACE-certs` | Both | Generates intermediate certificates and sign certificates for a virtual machine connected to the namespace `$NAMESPACE` using serviceAccount `$SERVICE_ACCOUNT` using the root cert and store them under `$NAMESPACE` directory. +`clean` | Both | Removes any generated root certificates, keys, and intermediate files. + +For example: + +```bash +make -f Makefile.selfsigned.mk root-ca +``` + +Note that the Makefile generates long-lived intermediate certificates. While this might be +acceptable for demonstration purposes, a more realistic and secure deployment would use +short-lived and automatically renewed certificates for the intermediate CAs. 
diff --git a/terraform-modules/aws/istio/istio-1.11.0/tools/certs/common.mk b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/common.mk new file mode 100644 index 000000000..2bec2cd84 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.11.0/tools/certs/common.mk 
@@ -0,0 +1,101 @@ +#------------------------------------------------------------------------ +# variables: root CA +ROOTCA_DAYS ?= 3650 +ROOTCA_KEYSZ ?= 4096 +ROOTCA_ORG ?= Istio +ROOTCA_CN ?= Root CA +KUBECONFIG ?= $(HOME)/.kube/config +ISTIO_NAMESPACE ?= istio-system +# Additional variables are defined in root-ca.conf target below. + +#------------------------------------------------------------------------ +# variables: intermediate CA +INTERMEDIATE_DAYS ?= 730 +INTERMEDIATE_KEYSZ ?= 4096 +INTERMEDIATE_ORG ?= Istio +INTERMEDIATE_CN ?= Intermediate CA +INTERMEDIATE_SAN_DNS ?= istiod.istio-system.svc +# Additional variables are defined in %/intermediate.conf target below. + +#------------------------------------------------------------------------ +# variables: workload certs: eg VM +WORKLOAD_DAYS ?= 1 +SERVICE_ACCOUNT ?= default +WORKLOAD_CN ?= Workload + +#------------------------------------------------------------------------ +# variables: files to clean +FILES_TO_CLEAN+=k8s-root-cert.pem \ + k8s-root-cert.srl \ + k8s-root-key.pem root-ca.conf root-cert.csr root-cert.pem root-cert.srl root-key.pem +#------------------------------------------------------------------------ +# clean +.PHONY: clean + +clean: ## Cleans all the intermediate files and folders previously generated. 
+ @rm -f $(FILES_TO_CLEAN)
+
+root-ca.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(ROOTCA_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:true" >> $@
+ @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(ROOTCA_ORG)" >> $@
+ @echo "CN = $(ROOTCA_CN)" >> $@
+
+%/intermediate.conf: L=$(dir $@)
+%/intermediate.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:true, pathlen:0" >> $@
+ @echo "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, keyCertSign" >> $@
+ @echo "subjectAltName=@san" >> $@
+ @echo "[ san ]" >> $@
+ @echo "DNS.1 = $(INTERMEDIATE_SAN_DNS)" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(INTERMEDIATE_ORG)" >> $@
+ @echo "CN = $(INTERMEDIATE_CN)" >> $@
+ @echo "L = $(L:/=)" >> $@
+
+%/workload.conf: L=$(dir $@)
+%/workload.conf:
+ @echo "[ req ]" > $@
+ @echo "encrypt_key = no" >> $@
+ @echo "prompt = no" >> $@
+ @echo "utf8 = yes" >> $@
+ @echo "default_md = sha256" >> $@
+ @echo "default_bits = $(INTERMEDIATE_KEYSZ)" >> $@
+ @echo "req_extensions = req_ext" >> $@
+ @echo "x509_extensions = req_ext" >> $@
+ @echo "distinguished_name = req_dn" >> $@
+ @echo "[ req_ext ]" >> $@
+ @echo "subjectKeyIdentifier = hash" >> $@
+ @echo "basicConstraints = critical, CA:false" >> $@
+ @echo "keyUsage = digitalSignature, keyEncipherment" >> $@
+ @echo "extendedKeyUsage = serverAuth, clientAuth" >> $@
+ @echo "subjectAltName=@san" >> $@
+ @echo "[ san ]" >> $@
+ @echo "URI.1 = spiffe://cluster.local/ns/$(L)sa/$(SERVICE_ACCOUNT)" >> $@
+ @echo "[ req_dn ]" >> $@
+ @echo "O = $(INTERMEDIATE_ORG)" >> $@
+ @echo "CN = $(WORKLOAD_CN)" >> $@
+ @echo "L = $(L:/=)" >> $@
diff --git a/terraform-modules/aws/istio/istio-1.11.0/tools/istioctl.bash b/terraform-modules/aws/istio/istio-1.11.0/tools/istioctl.bash
new file mode 100644
index 000000000..2717a6721
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.11.0/tools/istioctl.bash
@@ -0,0 +1,259 @@ +# bash completion V2 for istioctl -*- shell-script -*- + +__istioctl_debug() +{ + if [[ -n ${BASH_COMP_DEBUG_FILE:-} ]]; then + echo "$*" >> "${BASH_COMP_DEBUG_FILE}" + fi +} + +# Macs have bash3 for which the bash-completion package doesn't include +# _init_completion. This is a minimal version of that function. +__istioctl_init_completion() +{ + COMPREPLY=() + _get_comp_words_by_ref "$@" cur prev words cword +} + +# This function calls the istioctl program to obtain the completion +# results and the directive. It fills the 'out' and 'directive' vars. +__istioctl_get_completion_results() { + local requestComp lastParam lastChar args + + # Prepare the command to request completions for the program. + # Calling ${words[0]} instead of directly istioctl allows to handle aliases + args=("${words[@]:1}") + requestComp="${words[0]} __complete ${args[*]}" + + lastParam=${words[$((${#words[@]}-1))]} + lastChar=${lastParam:$((${#lastParam}-1)):1} + __istioctl_debug "lastParam ${lastParam}, lastChar ${lastChar}" + + if [ -z "${cur}" ] && [ "${lastChar}" != "=" ]; then + # If the last parameter is complete (there is a space following it) + # We add an extra empty parameter so we can indicate this to the go method. 
+ __istioctl_debug "Adding extra empty parameter" + requestComp="${requestComp} ''" + fi + + # When completing a flag with an = (e.g., istioctl -n=) + # bash focuses on the part after the =, so we need to remove + # the flag part from $cur + if [[ "${cur}" == -*=* ]]; then + cur="${cur#*=}" + fi + + __istioctl_debug "Calling ${requestComp}" + # Use eval to handle any environment variables and such + out=$(eval "${requestComp}" 2>/dev/null) + + # Extract the directive integer at the very end of the output following a colon (:) + directive=${out##*:} + # Remove the directive + out=${out%:*} + if [ "${directive}" = "${out}" ]; then + # There is not directive specified + directive=0 + fi + __istioctl_debug "The completion directive is: ${directive}" + __istioctl_debug "The completions are: ${out[*]}" +} + +__istioctl_process_completion_results() { + local shellCompDirectiveError=1 + local shellCompDirectiveNoSpace=2 + local shellCompDirectiveNoFileComp=4 + local shellCompDirectiveFilterFileExt=8 + local shellCompDirectiveFilterDirs=16 + + if [ $((directive & shellCompDirectiveError)) -ne 0 ]; then + # Error code. No completion. 
+ __istioctl_debug "Received error from custom completion go code" + return + else + if [ $((directive & shellCompDirectiveNoSpace)) -ne 0 ]; then + if [[ $(type -t compopt) = "builtin" ]]; then + __istioctl_debug "Activating no space" + compopt -o nospace + else + __istioctl_debug "No space directive not supported in this version of bash" + fi + fi + if [ $((directive & shellCompDirectiveNoFileComp)) -ne 0 ]; then + if [[ $(type -t compopt) = "builtin" ]]; then + __istioctl_debug "Activating no file completion" + compopt +o default + else + __istioctl_debug "No file completion directive not supported in this version of bash" + fi + fi + fi + + if [ $((directive & shellCompDirectiveFilterFileExt)) -ne 0 ]; then + # File extension filtering + local fullFilter filter filteringCmd + + # Do not use quotes around the $out variable or else newline + # characters will be kept. + for filter in ${out[*]}; do + fullFilter+="$filter|" + done + + filteringCmd="_filedir $fullFilter" + __istioctl_debug "File filtering command: $filteringCmd" + $filteringCmd + elif [ $((directive & shellCompDirectiveFilterDirs)) -ne 0 ]; then + # File completion for directories only + + # Use printf to strip any trailing newline + local subdir + subdir=$(printf "%s" "${out[0]}") + if [ -n "$subdir" ]; then + __istioctl_debug "Listing directories in $subdir" + pushd "$subdir" >/dev/null 2>&1 && _filedir -d && popd >/dev/null 2>&1 || return + else + __istioctl_debug "Listing directories in ." 
+ _filedir -d + fi + else + __istioctl_handle_standard_completion_case + fi + + __istioctl_handle_special_char "$cur" : + __istioctl_handle_special_char "$cur" = +} + +__istioctl_handle_standard_completion_case() { + local tab comp + tab=$(printf '\t') + + local longest=0 + # Look for the longest completion so that we can format things nicely + while IFS='' read -r comp; do + # Strip any description before checking the length + comp=${comp%%$tab*} + # Only consider the completions that match + comp=$(compgen -W "$comp" -- "$cur") + if ((${#comp}>longest)); then + longest=${#comp} + fi + done < <(printf "%s\n" "${out[@]}") + + local completions=() + while IFS='' read -r comp; do + if [ -z "$comp" ]; then + continue + fi + + __istioctl_debug "Original comp: $comp" + comp="$(__istioctl_format_comp_descriptions "$comp" "$longest")" + __istioctl_debug "Final comp: $comp" + completions+=("$comp") + done < <(printf "%s\n" "${out[@]}") + + while IFS='' read -r comp; do + COMPREPLY+=("$comp") + done < <(compgen -W "${completions[*]}" -- "$cur") + + # If there is a single completion left, remove the description text + if [ ${#COMPREPLY[*]} -eq 1 ]; then + __istioctl_debug "COMPREPLY[0]: ${COMPREPLY[0]}" + comp="${COMPREPLY[0]%% *}" + __istioctl_debug "Removed description from single completion, which is now: ${comp}" + COMPREPLY=() + COMPREPLY+=("$comp") + fi +} + +__istioctl_handle_special_char() +{ + local comp="$1" + local char=$2 + if [[ "$comp" == *${char}* && "$COMP_WORDBREAKS" == *${char}* ]]; then + local word=${comp%"${comp##*${char}}"} + local idx=${#COMPREPLY[*]} + while [[ $((--idx)) -ge 0 ]]; do + COMPREPLY[$idx]=${COMPREPLY[$idx]#"$word"} + done + fi +} + +__istioctl_format_comp_descriptions() +{ + local tab + tab=$(printf '\t') + local comp="$1" + local longest=$2 + + # Properly format the description string which follows a tab character if there is one + if [[ "$comp" == *$tab* ]]; then + desc=${comp#*$tab} + comp=${comp%%$tab*} + + # $COLUMNS stores the 
current shell width. + # Remove an extra 4 because we add 2 spaces and 2 parentheses. + maxdesclength=$(( COLUMNS - longest - 4 )) + + # Make sure we can fit a description of at least 8 characters + # if we are to align the descriptions. + if [[ $maxdesclength -gt 8 ]]; then + # Add the proper number of spaces to align the descriptions + for ((i = ${#comp} ; i < longest ; i++)); do + comp+=" " + done + else + # Don't pad the descriptions so we can fit more text after the completion + maxdesclength=$(( COLUMNS - ${#comp} - 4 )) + fi + + # If there is enough space for any description text, + # truncate the descriptions that are too long for the shell width + if [ $maxdesclength -gt 0 ]; then + if [ ${#desc} -gt $maxdesclength ]; then + desc=${desc:0:$(( maxdesclength - 1 ))} + desc+="…" + fi + comp+=" ($desc)" + fi + fi + + # Must use printf to escape all special characters + printf "%q" "${comp}" +} + +__start_istioctl() +{ + local cur prev words cword split + + COMPREPLY=() + + # Call _init_completion from the bash-completion package + # to prepare the arguments properly + if declare -F _init_completion >/dev/null 2>&1; then + _init_completion -n "=:" || return + else + __istioctl_init_completion -n "=:" || return + fi + + __istioctl_debug + __istioctl_debug "========= starting completion logic ==========" + __istioctl_debug "cur is ${cur}, words[*] is ${words[*]}, #words[@] is ${#words[@]}, cword is $cword" + + # The user could have moved the cursor backwards on the command-line. + # We need to trigger completion from the $cword location, so we need + # to truncate the command-line ($words) up to the $cword location. 
+ words=("${words[@]:0:$cword+1}") + __istioctl_debug "Truncated words[*]: ${words[*]}," + + local out directive + __istioctl_get_completion_results + __istioctl_process_completion_results +} + +if [[ $(type -t compopt) = "builtin" ]]; then + complete -o default -F __start_istioctl istioctl +else + complete -o default -o nospace -F __start_istioctl istioctl +fi + +# ex: ts=4 sw=4 et filetype=sh diff --git a/terraform-modules/aws/istio/istio-1.12.6/LICENSE b/terraform-modules/aws/istio/istio-1.12.6/LICENSE new file mode 100644 index 000000000..56e48aa37 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016-2020 Istio Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/terraform-modules/aws/istio/istio-1.12.6/README.md b/terraform-modules/aws/istio/istio-1.12.6/README.md new file mode 100644 index 000000000..b32f0697d --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/README.md 
@@ -0,0 +1,109 @@ +# Istio + +[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) +[![GoDoc](https://godoc.org/istio.io/istio?status.svg)](https://godoc.org/istio.io/istio) + + + Istio logo + + +--- + +An open platform to connect, manage, and secure microservices. + +- For in-depth information about how to use Istio, visit [istio.io](https://istio.io) +- To ask questions and get assistance from our community, visit [discuss.istio.io](https://discuss.istio.io) +- To learn how to participate in our overall community, visit [our community page](https://istio.io/about/community) + +In this README: + +- [Introduction](#introduction) +- [Repositories](#repositories) +- [Issue management](#issue-management) + +In addition, here are some other documents you may wish to read: + +- [Istio Community](https://github.com/istio/community#istio-community) - describes how to get involved and contribute to the Istio project +- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Preparing-for-Development) - explains how to set up and use an Istio development environment +- [Project Conventions](https://github.com/istio/istio/wiki/Development-Conventions) - describes the conventions we use within the code base +- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base + +You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki). + +## Introduction + +[Istio](https://istio.io/latest/docs/concepts/what-is-istio/) is an open platform for providing a uniform way to [integrate +microservices](https://istio.io/latest/docs/examples/microservices-istio/), manage [traffic flow](https://istio.io/latest/docs/concepts/traffic-management/) across microservices, enforce policies +and aggregate telemetry data. 
Istio's control plane provides an abstraction +layer over the underlying cluster management platform, such as Kubernetes. + +Istio is composed of these components: + +- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic + between services in the cluster and from a service to external + services. The proxies form a _secure microservice mesh_ providing a rich + set of functions like discovery, rich layer-7 routing, circuit breakers, + policy enforcement and telemetry recording/reporting + functions. + + > Note: The service mesh is not an overlay network. It + > simplifies and enhances how microservices in an application talk to each + > other over the network provided by the underlying platform. + +- **Istiod** - The Istio control plane. It provides service discovery, configuration and certificate management. It consists of the following sub-components: + + - **Pilot** - Responsible for configuring the proxies at runtime. + + - **Citadel** - Responsible for certificate issuance and rotation. + + - **Galley** - Responsible for validating, ingesting, aggregating, transforming and distributing config within Istio. + +- **Operator** - The component provides user friendly options to operate the Istio service mesh. + +## Repositories + +The Istio project is divided across a few GitHub repositories: + +- [istio/api](https://github.com/istio/api). This repository defines +component-level APIs and common configuration formats for the Istio platform. + +- [istio/community](https://github.com/istio/community). This repository contains +information on the Istio community, including the various documents that govern +the Istio open source project. + +- [istio/istio](README.md). This is the main code repository. It hosts Istio's +core components, install artifacts, and sample programs. It includes: + + - [istioctl](istioctl/). 
This directory contains code for the +[_istioctl_](https://istio.io/latest/docs/reference/commands/istioctl/) command line utility. + + - [operator](operator/). This directory contains code for the +[Istio Operator](https://istio.io/latest/docs/setup/install/operator/). + + - [pilot](pilot/). This directory +contains platform-specific code to populate the +[abstract service model](https://istio.io/docs/concepts/traffic-management/#pilot), dynamically reconfigure the proxies +when the application topology changes, as well as translate +[routing rules](https://istio.io/latest/docs/reference/config/networking/) into proxy specific configuration. + + - [security](security/). This directory contains [security](https://istio.io/latest/docs/concepts/security/) related code, +including Citadel (acting as Certificate Authority), citadel agent, etc. + +- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains +extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of +Envoy filters) that support authentication, authorization, and telemetry collection. + +## Issue management + +We use GitHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: + +- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things. +Each issue is ultimately part of an epic. + +- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we +think the issue should get addressed. + +- **Priority**. Each issue has a priority which is represented by the column in the [Prioritization](https://github.com/orgs/istio/projects/6) project. Priority can be one of +P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the +milestone cannot be considered achieved if the issue isn't resolved. 
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifest.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifest.yaml
new file mode 100644
index 000000000..dbed329d2
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifest.yaml
@@ -0,0 +1,29 @@
+dashboards:
+ istio-extension-dashboard: 13277
+ istio-mesh-dashboard: 7639
+ istio-performance-dashboard: 11829
+ istio-service-dashboard: 7636
+ istio-workload-dashboard: 7630
+ pilot-dashboard: 7645
+dependencies:
+ api:
+ sha: 8c47cbbea14489898e46ccec60cccc2fad216334
+ client-go:
+ goversionenabled: true
+ sha: 30b642d5ba34bb1b7b59516a3a2918e61e8f59ac
+ envoy:
+ sha: 473c1dbfe0ad677930d11da58479efb5af59e4d3
+ gogo-genproto:
+ sha: 919a86433764c856c54571dc360b9aeca901579c
+ istio:
+ sha: a0c7a3355331ef20354e3e1682dc13b7e6bcf4c1
+ pkg:
+ sha: 7fbb2b738306a8334a8cf626c2594871463547cd
+ proxy:
+ sha: 8e01cb8916baa28e4f56cd10c2bac54813f8daf9
+ test-infra:
+ sha: 7e94d049fb47cdca80f5a9332ca5fe368a6e2a4a
+ tools:
+ sha: 6b3024543df2e5ac4a5a4cfc2b03f360f6e52ab2
+docker: docker.io/istio
+version: 1.12.6
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/README-helm3.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/README-helm3.md
new file mode 100644
index 000000000..ad3361792
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/README-helm3.md
@@ -0,0 +1,66 @@ +# Helm v3 support + +## Install + +The Helm charts are supported both by Helm v2 and Helm v3. Please do not introduce Helm v3 specific changes as many +users are still using Helm v2 and the operator is currently using the Helm v2 code to generate. + +To install with Helm v3, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows: + +```console +kubectl create namespace istio-system +``` + +The charts are as follows: + +- `base` creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended. + +```console +helm install istio-base -n istio-system manifests/charts/base +``` + +- `istio-control/istio-discovery` installs a revision of istiod. You can install it multiple times, with different revisions. + +```console + helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery + + helm install -n istio-system istio-canary manifests/charts/istio-control/istio-discovery \ + --set revision=canary + + helm install -n istio-system istio-mytest manifests/charts/istio-control/istio-discovery \ + --set revision=mytest +``` + +- `gateways` install a load balancer with `ingress` and `egress`. You can install it multiple times with different revisions but they must be installed in separate namespaces. + +Ingress secrets and access should be separated from the control plane. + +```console +helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress + +kubectl create ns istio-ingress-canary +helm install -n istio-ingress-canary istio-ingress-canary manifests/charts/gateways/istio-ingress \ + --set revision=canary +``` + +Egress secrets and access should be separated from the control plane. 
+ +```console +helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress + +kubectl create ns istio-egress-canary +helm install -n istio-egress-canary istio-egress-canary manifests/charts/gateways/istio-egress \ + --set revision=canary +``` + +This is an optional step. [More details](install-OpenShift.md) + +- `istio-cni` installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod`. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage. + +```console +helm install istio-cni -n kube-system manifests/charts/istio-cni +``` + +## Namespaces + +One of the changes in Helm v3 is that the namespace is no longer created on the fly when installing a chart. This means that the namespace being used needs to be created prior to installing the charts if it does not exist already. If the default `istio-system` namespace is not being used then you need to add the setting `--set global.istioNamespace=` to the installs, to match the control plane namespace. diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/README.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/README.md new file mode 100644 index 000000000..6575a50c7 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/README.md 
@@ -0,0 +1,136 @@
+# Istio Installer
+
+Note: If making any changes to the charts or values.yaml in this dir, first read [UPDATING-CHARTS.md](UPDATING-CHARTS.md)
+
+Istio installer is a modular, 'a-la-carte' installer for Istio. It is based on a
+fork of the Istio helm templates, refactored to increase modularity and isolation.
+
+Goals:
+- Improve upgrade experience: users should be able to gradually roll upgrades, with proper
+canary deployments for Istio components. It should be possible to deploy a new version while keeping the
+stable version in place and gradually migrate apps to the new version.
+
+- More flexibility: the new installer allows multiple 'environments', allowing applications to select
+a set of control plane settings and components. While the entire mesh respects the same APIs and config,
+apps may target different 'environments' which contain different instances and variants of Istio.
+
+- Better security: separate Istio components reside in different namespaces, allowing different teams or
+roles to manage different parts of Istio. For example, a security team would maintain the
+root CA and policy, a telemetry team may only have access to Prometheus,
+and a different team may maintain the control plane components (which are highly security sensitive).
+
+The install is organized in 'environments' - each environment consists of a set of components
+in different namespaces that are configured to work together. Regardless of 'environment',
+workloads can talk with each other and obey the Istio configuration resources, but each environment
+can use different Istio versions and different configuration defaults.
+
+`istioctl kube-inject` or the automatic sidecar injector are used to select the environment.
+In the case of the sidecar injector, the namespace label `istio-env: ` is used instead
+of the conventional `istio-injected: true`. The name of the environment is defined as the namespace
+where the corresponding control plane components (config, discovery, auto-injection) are running.
+In the examples below, by default this is the `istio-control` namespace. Pod annotations can also
+be used to select a different 'environment'.
+
+## Installing
+
+The new installer is intended to be modular and very explicit about what is installed. It has
+far more steps than the Istio installer - but each step is smaller and focused on a specific
+feature, and can be performed by different people/teams at different times.
+
+It is strongly recommended that different namespaces are used, with different service accounts.
+In particular access to the security-critical production components (root CA, policy, control)
+should be locked down and restricted. The new installer allows multiple instances of
+policy/control/telemetry - so testing/staging of new settings and versions can be performed
+by a different role than the prod version.
+
+The intended users of this repo are users running Istio in production who want to select, tune
+and understand each binary that gets deployed, and select which combination to use.
+
+Note: each component can be installed in parallel with an existing Istio 1.0 or 1.1 install in
+`istio-system`. The new components will not interfere with existing apps, but can interoperate
+and it is possible to gradually move apps from Istio 1.0/1.1 to the new environments and
+across environments ( for example canary -> prod )
+
+Note: there are still some cluster roles that may need to be fixed, most likely cluster permissions
+will need to move to the security component.
+
+## Everything is Optional
+
+Each component in the new installer is optional. Users can install the component defined in the new installer,
+use the equivalent component in `istio-system`, configured with the official installer, or use a different
+version or implementation.
+
+For example you may use your own Prometheus and Grafana installs, or you may use a specialized/custom
+certificate provisioning tool, or use components that are centrally managed and running in a different cluster.
+
+This is a work in progress - building on top of the multi-cluster installer.
+
+As an extreme, the goal is to be possible to run Istio workloads in a cluster without installing any Istio component
+in that cluster. Currently the minimum we require is the security provider (node agent or citadel).
+
+### Install Istio CRDs
+
+This is the first step of the install. Please do not remove or edit any CRD - config currently requires
+all CRDs to be present. On each upgrade it is recommended to reapply the file, to make sure
+you get all CRDs. CRDs are separated by release and by component type in the CRD directory.
+
+Istio has strong integration with certmanager. Some operators may want to keep their current certmanager
+CRDs in place and not have Istio modify them. In this case, it is necessary to apply CRD files individually.
+
+```bash
+kubectl apply -k github.com/istio/installer/base
+```
+
+or
+
+```bash
+kubectl apply -f base/files
+```
+
+### Install Istio-CNI
+
+This is an optional step - CNI must run in a dedicated namespace, it is a 'singleton' and extremely
+security sensitive. Access to the CNI namespace must be highly restricted.
+
+**NOTE:** The environment variable `ISTIO_CLUSTER_ISGKE` is assumed to be set to `true` if the cluster
+is a GKE cluster.
+
+```bash
+ISTIO_CNI_ARGS=
+# TODO: What k8s data can we use for this check for whether GKE?
+if [[ "${ISTIO_CLUSTER_ISGKE}" == "true" ]]; then
+ ISTIO_CNI_ARGS="--set cni.cniBinDir=/home/kubernetes/bin"
+fi
+iop kube-system istio-cni $IBASE/istio-cni/ ${ISTIO_CNI_ARGS}
+```
+
+TODO. It is possible to add Istio-CNI later, and gradually migrate.
+
+### Install Control plane
+
+This can run in any cluster. A mesh should have at least one cluster should run Pilot or equivalent XDS server,
+and it is recommended to have Pilot running in each region and in multiple availability zones for multi cluster.
+
+```bash
+iop istio-control istio-discovery $IBASE/istio-control/istio-discovery \
+ --set global.istioNamespace=istio-system
+
+# Second istio-discovery, using master version of istio
+TAG=latest HUB=gcr.io/istio-testing iop istio-master istio-discovery-master $IBASE/istio-control/istio-discovery \
+ --set policy.enable=false \
+ --set global.istioNamespace=istio-master
+```
+
+### Gateways
+
+A cluster may use multiple Gateways, each with a different load balancer IP, domains and certificates.
+
+Since the domain certificates are stored in the gateway namespace, it is recommended to keep each
+gateway in a dedicated namespace and restrict access.
+
+For large-scale gateways it is optionally possible to use a dedicated pilot in the gateway namespace.
+
+### Additional test templates
+
+A number of helm test setups are general-purpose and should be installable in any cluster, to confirm
+Istio works properly and allow testing the specific install.
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/UPDATING-CHARTS.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/UPDATING-CHARTS.md
new file mode 100644
index 000000000..33f7e5559
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/UPDATING-CHARTS.md
@@ -0,0 +1,60 @@
+# Upating charts and values.yaml
+
+The charts in the `manifests` directory are used in istioctl to generate an installation manifest. The configuration
+settings contained in values.yaml files and passed through the CLI are validated against a
+[schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto).
+Whenever making changes in the charts, it's important to follow the below steps.
+
+## Step 0. Check that any schema change really belongs in values.yaml
+
+Is this a new parameter being added? If not, go to the next step.
+Dynamic, runtime config that is used to configure Istio components should go into the
+[MeshConfig API](https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto). Values.yaml is being deprecated and adding
+to it is discouraged. MeshConfig is the official API which follows API management practices and is dynamic
+(does not require component restarts).
+Exceptions to this rule are configuration items that affect K8s level settings (resources, mounts etc.)
+
+## Step 1. Make changes in charts and values.yaml in `manifests` directory
+
+## Step 2. Make corresponding values changes in [../profiles/default.yaml](../profiles/default.yaml)
+
+The values.yaml in `manifests` are only used for direct Helm based installations, which is being deprecated.
+If any values.yaml changes are being made, the same changes must be made in the `manifests/profiles/default.yaml`
+file, which must be in sync with the Helm values in `manifests`.
+
+## Step 3. Update the validation schema
+
+Istioctl uses a [schema](../../operator/pkg/apis/istio/v1alpha1/values_types.proto) to validate the values. Any changes to
+the schema must be added here, otherwise istioctl users will see errors.
+Once the schema file is updated, run:
+
+```bash
+$ make operator-proto
+```
+
+This will regenerate the Go structs used for schema validation.
+
+## Step 4. Update the generated manifests
+
+Tests of istioctl use the auto-generated manifests to ensure that the istioctl binary has the correct version of the charts.
+These manifests can be found in [gen-istio.yaml](../charts/istio-control/istio-discovery/files/gen-istio.yaml).
+To regenerate the manifests, run:
+
+```bash
+$ make gen
+```
+
+## Step 5. Update golden files
+
+The new charts/values will likely produce different installation manifests. Unit tests that expect a certain command
+output will fail for this reason. To update the golden output files, run:
+
+```bash
+$ make refresh-goldens
+```
+
+This will generate git diffs in the golden output files. Check that the changes are what you expect.
+
+## Step 6. Create a PR using outputs from Steps 1 to 5
+
+Your PR should pass all the checks if you followed these steps.
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/Chart.yaml
new file mode 100644
index 000000000..c6a4a5622
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+name: base
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.12.6
+appVersion: 1.12.6
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio cluster resources and CRDs
+keywords:
+ - istio
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/README.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/README.md
new file mode 100644
index 000000000..68bf667ac
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/README.md
@@ -0,0 +1,21 @@
+# Istio base Helm Chart
+
+This chart installs resources shared by all Istio revisions. This includes Istio CRDs.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+To install the chart with the release name `istio-base`:
+
+```console
+kubectl create namespace istio-system
+helm install istio-base istio/base -n istio-system
+```
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/crds/crd-all.gen.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/crds/crd-all.gen.yaml
new file mode 100644
index 000000000..c2999ea16
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/crds/crd-all.gen.yaml
@@ -0,0 +1,5941 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + imagePullPolicy: + description: The pull behaviour to be applied when fetching an OCI + image. + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + type: string + phase: + description: Determines where in the filter chain this `WasmPlugin` + is to be injected. + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + nullable: true + type: integer + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + type: string + url: + description: URL of a Wasm module or OCI container. + type: string + verificationKey: + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. 
See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. 
+ type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - 
description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. 
+ type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. 
+ items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. 
+ format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. 
+ properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. 
+ type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. 
+ type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- 
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/crds/crd-operator.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/crds/crd-operator.yaml
new file mode 100644
index 000000000..2a80f4186
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/crds/crd-operator.yaml
@@ -0,0 +1,48 @@
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/files/gen-istio-cluster.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/files/gen-istio-cluster.yaml
new file mode 100644
index 000000000..da4025a7d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/files/gen-istio-cluster.yaml 
@@ -0,0 +1,6301 @@ +--- +# Source: crds/crd-all.gen.yaml +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + imagePullPolicy: + description: The pull behaviour to be applied when fetching an OCI + image. + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + type: string + phase: + description: Determines where in the filter chain this `WasmPlugin` + is to be injected. + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + nullable: true + type: integer + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + type: string + url: + description: URL of a Wasm module or OCI container. + type: string + verificationKey: + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. 
See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. 
+ type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - 
description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. 
+ type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. 
+ items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. 
+ format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. 
+ properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. 
+ type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. 
+ type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ type: string + type: object + type: array + randomSamplingPercentage: + nullable: true + type: number + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- + +--- +# Source: crds/crd-operator.yaml +# SYNC WITH manifests/charts/istio-operator/templates +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + conversion: + strategy: None + group: install.istio.io + names: + kind: IstioOperator + listKind: IstioOperatorList + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + subresources: + status: {} + name: v1alpha1 + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- + +--- +# Source: base/templates/reader-serviceaccount.yaml +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. 
+apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-reader-service-account + namespace: istio-system + labels: + app: istio-reader + release: istio +--- +# Source: base/templates/serviceaccount.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod-service-account + namespace: istio-system + labels: + app: istiod + release: istio +--- +# Source: base/templates/clusterrole.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", 
"patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: 
["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +# Source: base/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +# Source: base/templates/clusterrolebinding.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! 
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +# Source: base/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/role.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: base/templates/rolebinding.yaml +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! 
+# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-istio-system + namespace: istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-istio-system +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: istio-system +--- +# Source: base/templates/default.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: istio + istio: istiod + istio.io/rev: default +webhooks: + - name: validation.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/validate" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/kustomization.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/kustomization.yaml new file mode 100644 index 000000000..dbde62f0a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - files/gen-istio-cluster.yaml diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/NOTES.txt new file mode 100644 index 000000000..006450167 
--- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/clusterrole.yaml new file mode 100644 index 000000000..ef3300348 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/clusterrole.yaml 
@@ -0,0 +1,178 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and 
routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: 
["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-{{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "watch", "list"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +{{- if or .Values.global.externalIstiod }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", 
"list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..d61729b29 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/clusterrolebinding.yaml @@ -0,0 +1,37 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-{{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/crds.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/crds.yaml new file mode 100644 index 000000000..871ee2a6b --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/crds.yaml @@ -0,0 +1,4 @@ +{{- if .Values.base.enableCRDTemplates }} +{{ .Files.Get "crds/crd-all.gen.yaml" }} +{{ .Files.Get "crds/crd-operator.yaml" }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/default.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/default.yaml new file mode 100644 index 000000000..9e85a3bad --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/default.yaml @@ -0,0 +1,43 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/endpoints.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/endpoints.yaml new file mode 100644 index 000000000..996152bb0 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/endpoints.yaml @@ -0,0 +1,30 @@ +{{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.externalIstiod }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod-remote + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + {{- else if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod + namespace: {{ .Release.Namespace }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + {{- end }} +--- +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/reader-serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 000000000..d9ce18c27 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,16 @@ +# This service account aggregates reader permissions for the revisions in a given cluster +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/role.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/role.yaml new file mode 100644 index 000000000..ca1a4243f --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/role.yaml @@ -0,0 +1,25 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/rolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/rolebinding.yaml new file mode 100644 index 000000000..2b591fb89 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/rolebinding.yaml 
@@ -0,0 +1,21 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod-{{ .Values.global.istioNamespace }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod-{{ .Values.global.istioNamespace }} +subjects: + - kind: ServiceAccount + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/serviceaccount.yaml new file mode 100644 index 000000000..ec25fd250 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +# DO NOT EDIT! +# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT +# UPDATED CHART AT manifests/charts/istio-control/istio-discovery +# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/services.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/services.yaml new file mode 100644 index 000000000..606fd4459 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/templates/services.yaml 
@@ -0,0 +1,37 @@ +{{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.externalIstiod }} +# when istiod is enabled in remote cluster, we can't use istiod service name +apiVersion: v1 +kind: Service +metadata: + name: istiod-remote + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + clusterIP: None + {{- else }} +# when istiod isn't enabled in remote cluster, we can use istiod service name +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: {{ .Release.Namespace }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + # if the remotePilotAddress is IP addr, we use clusterIP: None. + # else, we use externalName + {{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} + clusterIP: None + {{- else }} + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/values.yaml new file mode 100644 index 000000000..96a74562e --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/base/values.yaml 
@@ -0,0 +1,29 @@ +global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + istiod: + enableAnalysis: false + + configValidation: true + externalIstiod: false + remotePilotAddress: "" + +base: + # Used for helm2 to add the CRDs to templates. + enableCRDTemplates: false + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + +defaultRevision: "default" diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/Chart.yaml new file mode 100644 index 000000000..3d23a1b3a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: istio-default +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.0.0 +appVersion: 1.0.0 +description: Helm chart for istio default revision components. +keywords: + - istio +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/templates/mutatingwebhook.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..54dc20cae --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/templates/mutatingwebhook.yaml 
@@ -0,0 +1,118 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +{{- define "core" }} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: {{ .Values.istiodRemote.injectionURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "/inject" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} + +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-revision-tag-default + labels: + istio.io/tag: "default" + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "default" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy .) 
(dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "default" + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/templates/validatingwebhook.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/templates/validatingwebhook.yaml new file mode 100644 index 000000000..8d9fcc05d --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/templates/validatingwebhook.yaml @@ -0,0 +1,45 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + istio.io/tag: "default" + # Required to make sure this resource is removed + # when purging Istio resources + operator.istio.io/component: Pilot +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/values.yaml new file mode 100644 index 000000000..3578b0f49 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/default/values.yaml 
@@ -0,0 +1,21 @@ +global: + # Used to locate istiod. + istioNamespace: "istio-system" + +base: + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + +istiodRemote: + # Sidecar injector mutating webhook configuration url + # For example: https://$remotePilotAddress:15017/inject + injectionURL: "" + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +sidecarInjectorWebhook: + # This enables injection of sidecar in all namespaces, + enableNamespacesByDefault: false + diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/Chart.yaml new file mode 100644 index 000000000..e9f8649ce --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +name: gateway +description: Helm chart for deploying Istio gateways +type: application + +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.12.6 +appVersion: 1.12.6 + +sources: +- http://github.com/istio/istio +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways \ No newline at end of file diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/README.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/README.md new file mode 100644 index 000000000..31af55b44 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/README.md 
@@ -0,0 +1,127 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. 
+ +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. 
Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/NOTES.txt new file mode 100644 index 000000000..78451d33e --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/_helpers.tpl b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/_helpers.tpl new file mode 100644 index 000000000..e75d27345 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/_helpers.tpl 
@@ -0,0 +1,52 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gateway.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "gateway.labels" -}} +helm.sh/chart: {{ include "gateway.chart" . }} +{{ include "gateway.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/name: {{ include "gateway.name" . }} +{{- range $key, $val := .Values.labels }} +{{- if not (or (eq $key "app") (eq $key "istio")) }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +{{- if hasKey .Values.labels "app" }} +{{- with .Values.labels.app }}app: {{.|quote}} +{{- end}} +{{- else }}app: {{ include "gateway.name" . }} +{{- end }} +{{- if hasKey .Values.labels "istio" }} +{{- with .Values.labels.istio }} +istio: {{.|quote}} +{{- end}} +{{- else }} +istio: {{ include "gateway.name" . | trimPrefix "istio-" }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/deployment.yaml new file mode 100644 index 000000000..b8e1f1779 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/deployment.yaml 
@@ -0,0 +1,99 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . }} + {{- end }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + image: auto + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else if (semverCompare ">=1.22-0" .Capabilities.KubeVersion.GitVersion) }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + {{- else }} + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 0 + runAsGroup: 1337 + runAsNonRoot: false + allowPrivilegeEscalation: true + readOnlyRootFilesystem: true + {{- end }} + env: + {{- with 
.Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/hpa.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/hpa.yaml new file mode 100644 index 000000000..956a5ee50 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/role.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/role.yaml new file mode 100644 index 000000000..3febf79bc --- /dev/null 
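Review bot: The `else` branch of the container securityContext runs the proxy as `runAsUser: 0` with `runAsNonRoot: false`, `allowPrivilegeEscalation: true` and `NET_BIND_SERVICE` added whenever `.Capabilities.KubeVersion.GitVersion` is below 1.22, and nothing in the template or values explains that downgrade. Since this copy ships inside an AWS module where the EKS version is pinned elsewhere, either state the minimum Kubernetes version or set `containerSecurityContext` in the module's values so the rendered pod does not silently depend on the cluster version. A comment on that branch, e.g. `# Pre-1.22 fallback: root plus NET_BIND_SERVICE so 80/443 can be bound; override with containerSecurityContext`, would make the trade-off visible. Note also that a user-supplied `.Values.securityContext` replaces the pod-level sysctl block entirely rather than merging with it.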
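Review bot: `apiVersion: autoscaling/v2beta2` is served only through Kubernetes 1.25 (removed in 1.26), and the egress chart's `autoscale.yaml` later in this diff uses `autoscaling/v2beta1`, which is gone since 1.25; with `autoscaling.enabled: true` as this chart's default, an install against a current EKS release fails on the HPA object. For a vendored 1.12.6 copy the options are to pin the supported cluster range where the module is consumed, or to move both files to `autoscaling/v2` (GA since 1.23), keeping the `target: averageUtilization` shape already used here and converting the egress chart's `targetAverageUtilization` to the same form.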
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/role.yaml @@ -0,0 +1,25 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/service.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/service.yaml new file mode 100644 index 000000000..068d9d3d4 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/service.yaml 
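Review bot: With `serviceAccount.create: false` and no `serviceAccount.name`, `gateway.serviceAccountName` resolves to `default`, so this Role and RoleBinding (both keyed on that helper) grant `get`/`list`/`watch` on every Secret in the release namespace to the namespace's `default` ServiceAccount, i.e. to any pod there that does not set its own account. That is wider than the gateway needs and is one values override away. Either document it next to `rbac.enabled` in values.yaml, or guard the binding, e.g. `{{- if and .Values.rbac.enabled (ne (include "gateway.serviceAccountName" .) "default") }}`, so the secret-read grant is never attached to the shared default account.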
@@ -0,0 +1,45 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 000000000..e5b2304d6 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/values.schema.json b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/values.schema.json new file mode 100644 index 000000000..d52f8a89a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/values.schema.json 
@@ -0,0 +1,179 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "additionalProperties": false, + "properties": { + "affinity": { + "type": "object" + }, + "securityContext": { + "type": ["object", "null"] + }, + "containerSecurityContext": { + "type": ["object", "null"] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + } + } + } + }, + "revision": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": ["string", "boolean"], + "enum": [true, false, "auto"] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": 
{ + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "networkGateway": { + "type": "string" + } + } +} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/values.yaml new file mode 100644 index 000000000..92cdacbca --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateway/values.yaml 
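Review bot: The schema accepts `runAsRoot` and `unprivilegedPort` as top-level values, but no gateway template in this diff reads them (deployment.yaml keys only on `securityContext` and `containerSecurityContext`) and values.yaml does not define them; because `additionalProperties: false` makes this schema the chart's contract, a user setting `runAsRoot: false` gets a silent no-op rather than a validation error. Either drop the two entries or mark them, e.g. `"description": "Unused in this chart version; set containerSecurityContext instead"`, so the dead keys are visible. I am assuming no template outside this diff consumes them — worth confirming against the full chart.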
@@ -0,0 +1,86 @@ +# Name allows overriding the release name. Generally this should not be set +name: "" +# revision declares which revision this gateway is a part of +revision: "" + +replicaCount: 1 + +rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + +serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + +podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + +# Define the security context for the pod. +# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. +# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. +securityContext: ~ +containerSecurityContext: ~ + +service: + # Type of service. 
Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +# Pod environment variables +env: {} + +# Labels to apply to all resources +labels: {} + +# Annotations to apply to all resources +annotations: {} + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# If specified, the gateway will act as a network gateway for the given network. +networkGateway: "" diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/Chart.yaml new file mode 100644 index 000000000..62562b608 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +name: istio-egress +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.12.6 +appVersion: 1.12.6 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio gateways +keywords: + - istio + - egressgateway + - gateways +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/NOTES.txt new file mode 100644 index 000000000..9baacc0ea --- /dev/null 
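Review bot: The defaults `service.type: LoadBalancer` with `loadBalancerSourceRanges: []` and `annotations: {}` provision an internet-facing load balancer with no source restriction on every install, and the `service:` block carries no comment saying so. Given this copy lives under `terraform-modules/aws`, a comment on `loadBalancerSourceRanges` such as `# Empty means the cloud LB admits traffic from any source; restrict to your edge CIDRs, or use type: ClusterIP for internal/egress gateways` would stop the exposure being implicit, with the module's own values override as the place to set the real ranges.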
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/NOTES.txt @@ -0,0 +1,45 @@ + +Changes: +- separate namespace allows: +-- easier reconfig of just the gateway +-- TLS secrets and domain name management is isolated, for better security +-- simplified configuration +-- multiple versions of the ingress can be used, to minize upgrade risks + +- the new chart uses the default namespace service account, and doesn't require +additional RBAC permissions. + +- simplified label structure. Label change is not supported on upgrade. + +- for 'internal load balancer' you should deploy a separate gateway, in a different +namespace. + +All ingress gateway have a "app:ingressgateway" label, used to identify it as an +ingress, and an "istio: ingressgateway$SUFFIX" label of Gateway selection. + +The Gateways use "istio: ingressgateway$SUFFIX" selectors. + + +# Multiple gateway versions + + + +# Using different pilot versions + + + +# Migration from istio-system + +Istio 1.0 includes the gateways in istio-system. Since the external IP is associated +with the Service and bound to the namespace, it is recommended to: + +1. Install the new gateway in a new namespace. +2. Copy any TLS certificate to the new namespace, and configure the domains. +3. Checking the new gateway work - for example by overriding the IP in /etc/hosts +4. Modify the DNS server to add the A record of the new namespace +5. Check traffic +6. Delete the A record corresponding to the gateway in istio-system +7. Upgrade istio-system, disabling the ingressgateway +8. Delete the domain TLS certs from istio-system. + +If using certmanager, all Certificate and associated configs must be moved as well. diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/_affinity.tpl b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/_affinity.tpl new file mode 100644 index 000000000..7a4f39b2a --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/_affinity.tpl 
@@ -0,0 +1,100 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{ define "nodeaffinity" }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- if $item.namespaces }} + namespaces: + {{- $ns := split "," $item.namespaces }} + {{- range $i, $n := $ns }} + - {{ $n | quote }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/autoscale.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/autoscale.yaml new file mode 100644 index 000000000..6336373c1 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/autoscale.yaml 
@@ -0,0 +1,27 @@ +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: + maxReplicas: {{ $gateway.autoscaleMax }} + minReplicas: {{ $gateway.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $gateway.name }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }} +--- +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/deployment.yaml new file mode 100644 index 000000000..8c71ea189 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/deployment.yaml 
@@ -0,0 +1,327 @@ +{{- $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if eq $gateway.injectionTemplate "" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" + sidecar.istio.io/inject: "false" + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + 
serviceAccountName: {{ $gateway.name }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- 
if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if .Values.meshConfig.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ 
.Values.meshConfig.trustDomain }}" + {{- end }} + {{- if .Values.meshConfig.trustDomain }} + - name: TRUST_DOMAIN + value: "{{ .Values.meshConfig.trustDomain }}" + {{- end }} + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + volumeMounts: + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml new file mode 100644 index 000000000..1c81ab15a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/injected-deployment.yaml 
@@ -0,0 +1,143 @@ +{{- $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if ne $gateway.injectionTemplate "" }} +{{/* This provides a minimal gateway, ready to be injected. + Any settings from values.gateways should be here - these are options specific to the gateway. + Global settings, like the image, various env vars and volumes, etc will be injected. + The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-egressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . 
}} + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "true" + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-egressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: istio-proxy + image: auto + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + volumeMounts: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | 
indent 8 }}
+{{- end }}
+ volumes:
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+ {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+ tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..7d86413ec
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/role.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/role.yaml
new file mode 100644
index 000000000..c472fcef2
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml
new file mode 100644
index 000000000..fd1ffcd70
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name }}-service-account
+---
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/service.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/service.yaml new file mode 100644 index 000000000..2f8ce959e --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/service.yaml @@ -0,0 +1,47 @@ +{{ $gateway := index .Values "gateways" "istio-egressgateway" }} +{{- if not $gateway.customService }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $val := $gateway.serviceAnnotations }} + {{ $key }}: {{ $val | quote }} + {{- end }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "EgressGateways" +spec: +{{- if $gateway.loadBalancerIP }} + loadBalancerIP: "{{ $gateway.loadBalancerIP }}" +{{- end }} +{{- if $gateway.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }} +{{- end }} +{{- if $gateway.externalTrafficPolicy }} + externalTrafficPolicy: {{$gateway.externalTrafficPolicy }} +{{- end }} + type: {{ $gateway.type }} + selector: +{{ $gateway.labels | toYaml | indent 4 }} + ports: + + {{- range $key, $val := $gateway.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} + + {{ range $app := $gateway.egressPorts }} + - + port: {{ $app.port }} + name: {{ $app.name }} + {{- end }} +--- +{{ end }} 
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml
new file mode 100644
index 000000000..b6a3eb40c
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/templates/serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{ $gateway := index .Values "gateways" "istio-egressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "EgressGateways"
+ {{- with $gateway.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/values.yaml
new file mode 100644
index 000000000..d16698675
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-egress/values.yaml
@@ -0,0 +1,298 @@ +# Standalone istio egress gateway. +# Should be installed in a separate namespace, to minimize access to config +gateways: + istio-egressgateway: + name: istio-egressgateway + ports: + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + name: https + targetPort: 8443 + protocol: TCP + + labels: + app: istio-egressgateway + istio: egressgateway + + # Scalability tuning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + cpu: + targetAverageUtilization: 80 + + serviceAnnotations: {} + podAnnotations: {} + type: ClusterIP # change to NodePort or LoadBalancer if need be + + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + + configVolumes: [] + additionalContainers: [] + + serviceAccount: + # Annotations to add to the service account + annotations: {} + + ### Advanced options ############ + # TODO: convert to real options, env should not be exposed + env: {} + # Set this to "external" if and only if you want the egress gateway to + # act as a transparent SNI gateway that routes mTLS/TLS traffic to + # external services defined using service entries, where the service + # entry has resolution set to DNS, has one or more endpoints with + # network field set to "external". 
By default its set to "" so that + # the egress gateway sees the same set of endpoints as the sidecars + # preserving backward compatibility + # ISTIO_META_REQUESTED_NETWORK_VIEW: "" + + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + + # The injection template to use for the gateway. If not set, no injection will be performed. + injectionTemplate: "" + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . 
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.12.6 + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. 
+ imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. 
+ componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. 
+ servicePort: 0
+
+meshConfig:
+ enablePrometheusMerge: true
+
+ # The trust domain corresponds to the trust root of a system
+ # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
+ trustDomain: "cluster.local"
+
+ defaultConfig:
+ proxyMetadata: {}
+ tracing:
+ # tlsSettings:
+ # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL
+ # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem
+ # privateKey: # example: /etc/istio/tracer/key.pem
+ # caCertificates: # example: /etc/istio/tracer/root-cert.pem
+ # sni: # example: tracer.somedomain
+ # subjectAltNames: []
+ # - tracer.somedomain
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/Chart.yaml
new file mode 100644
index 000000000..065d38994
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+name: istio-ingress
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.12.6
+appVersion: 1.12.6
+tillerVersion: ">=2.7.2"
+description: Helm chart for deploying Istio gateways
+keywords:
+ - istio
+ - ingressgateway
+ - gateways
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/NOTES.txt
new file mode 100644
index 000000000..221ee5605
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/NOTES.txt
@@ -0,0 +1,43 @@
+
+Changes:
+- separate namespace allows:
+-- easier reconfig of just the gateway
+-- TLS secrets and domain name management is isolated, for better security
+-- simplified configuration
+-- multiple versions of the ingress can be used, to minimize upgrade risks
+
+- the new chart uses the default namespace service account, and doesn't require
+additional RBAC permissions.
+
+- simplified label and chart structure.
+- ability to run a pilot dedicated for the gateway, isolated from the main pilot. This is more robust, safer on upgrades
+and allows a bit more flexibility.
+- the dedicated pilot-per-ingress is required if the gateway needs to support k8s-style ingress.
+
+# Port and basic host configuration
+
+In order to configure the Service object, the install/upgrade needs to provide a list of all ports.
+In the past, this was done when installing/upgrading full istio, and involved some duplication - ports configured
+both in upgrade, Gateway and VirtualService.
+
+The new Ingress chart uses a 'values.yaml' (see user-example-ingress), which auto-generates Service ports,
+Gateways and basic VirtualService. It is still possible to only configure the ports in Service, and do manual
+config for the rest.
+
+All internal services ( telemetry, pilot debug ports, mesh expansion ) can now be configured via the new mechanism.
+
+# Migration from istio-system
+
+Istio 1.0 includes the gateways in istio-system. Since the external IP is associated
+with the Service and bound to the namespace, it is recommended to:
+
+1. Install the new gateway in a new namespace.
+2. Copy any TLS certificate to the new namespace, and configure the domains.
+3. Checking the new gateway work - for example by overriding the IP in /etc/hosts
+4. Modify the DNS server to add the A record of the new namespace
+5. Check traffic
+6. Delete the A record corresponding to the gateway in istio-system
+7. Upgrade istio-system, disabling the ingressgateway
+8. Delete the domain TLS certs from istio-system.
+
+If using certmanager, all Certificate and associated configs must be moved as well.
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
new file mode 100644
index 000000000..7a4f39b2a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/_affinity.tpl
@@ -0,0 +1,100 @@ +{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}} + +{{ define "nodeaffinity" }} +nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityRequiredDuringScheduling" . }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "nodeAffinityPreferredDuringScheduling" . }} +{{- end }} + +{{- define "nodeAffinityRequiredDuringScheduling" }} + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - {{ $key | quote }} + {{- end }} + {{- end }} + {{- $nodeSelector := default .global.defaultNodeSelector .nodeSelector -}} + {{- range $key, $val := $nodeSelector }} + - key: {{ $key }} + operator: In + values: + - {{ $val | quote }} + {{- end }} +{{- end }} + +{{- define "nodeAffinityPreferredDuringScheduling" }} + {{- range $key, $val := .global.arch }} + {{- if gt ($val | int) 0 }} + - weight: {{ $val | int }} + preference: + matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - {{ $key | quote }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinity" }} +{{- if or .podAntiAffinityLabelSelector .podAntiAffinityTermLabelSelector}} + podAntiAffinity: + {{- if .podAntiAffinityLabelSelector }} + requiredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityRequiredDuringScheduling" . }} + {{- end }} + {{- if .podAntiAffinityTermLabelSelector }} + preferredDuringSchedulingIgnoredDuringExecution: + {{- include "podAntiAffinityPreferredDuringScheduling" . 
}} + {{- end }} +{{- end }} +{{- end }} + +{{- define "podAntiAffinityRequiredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityLabelSelector }} + - labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + {{- if $item.namespaces }} + namespaces: + {{- $ns := split "," $item.namespaces }} + {{- range $i, $n := $ns }} + - {{ $n | quote }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- define "podAntiAffinityPreferredDuringScheduling" }} + {{- range $index, $item := .podAntiAffinityTermLabelSelector }} + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ $item.key }} + operator: {{ $item.operator }} + {{- if $item.values }} + values: + {{- $vals := split "," $item.values }} + {{- range $i, $v := $vals }} + - {{ $v | quote }} + {{- end }} + {{- end }} + topologyKey: {{ $item.topologyKey }} + weight: 100 + {{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml new file mode 100644 index 000000000..8cf8f6687 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/autoscale.yaml 
@@ -0,0 +1,27 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if and $gateway.autoscaleEnabled $gateway.autoscaleMin $gateway.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ maxReplicas: {{ $gateway.autoscaleMax }}
+ minReplicas: {{ $gateway.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ $gateway.name }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $gateway.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
new file mode 100644
index 000000000..45d7695a4
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/deployment.yaml
@@ -0,0 +1,327 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if eq $gateway.injectionTemplate "" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + service.istio.io/canonical-name: {{ $gateway.name }} + {{- if not (eq .Values.revision "") }} + service.istio.io/canonical-revision: {{ .Values.revision }} + {{- else}} + service.istio.io/canonical-revision: latest + {{- end }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "false" + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "false" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + 
serviceAccountName: {{ $gateway.name }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- if .Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: "{{ .Values.global.proxy.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image | default "proxyv2" }}:{{ .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + {{- if .Values.global.proxy.logLevel }} + - --proxyLogLevel={{ .Values.global.proxy.logLevel }} + {{- end}} + {{- if .Values.global.proxy.componentLogLevel }} + - --proxyComponentLogLevel={{ .Values.global.proxy.componentLogLevel }} + {{- end}} + {{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- 
if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: {{ $gateway.name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/{{ $gateway.name }} + {{- if $.Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ $.Values.global.meshID }}" + {{- else if .Values.meshConfig.trustDomain }} + - name: ISTIO_META_MESH_ID + value: "{{ 
.Values.meshConfig.trustDomain }}" + {{- end }} + {{- if .Values.meshConfig.trustDomain }} + - name: TRUST_DOMAIN + value: "{{ .Values.meshConfig.trustDomain }}" + {{- end }} + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- $network_set := index $gateway.env "ISTIO_META_NETWORK" }} + {{- if and (not $network_set) .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + volumeMounts: + - name: istio-envoy + mountPath: /etc/istio/proxy + - name: config-volume + mountPath: /etc/istio/config +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert +{{- end }} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + - name: podinfo + mountPath: /etc/istio/pod + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | indent 8 }} +{{- end }} + volumes: +{{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert +{{- end }} + - name: podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-envoy + emptyDir: {} + - name: istio-data + emptyDir: {} +{{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} +{{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + {{- end }} + - name: config-volume + configMap: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + optional: true + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $gateway.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: +{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }} + {{- include "podAntiAffinity" $gateway | indent 6 }} +{{- if $gateway.tolerations }} + tolerations: +{{ toYaml $gateway.tolerations | indent 6 }} +{{- else if .Values.global.defaultTolerations }} + tolerations: +{{ toYaml .Values.global.defaultTolerations | indent 6 }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml new file mode 100644 index 000000000..13e75d0e6 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/injected-deployment.yaml 
@@ -0,0 +1,143 @@ +{{- $gateway := index .Values "gateways" "istio-ingressgateway" }} +{{- if ne $gateway.injectionTemplate "" }} +{{/* This provides a minimal gateway, ready to be injected. + Any settings from values.gateways should be here - these are options specific to the gateway. + Global settings, like the image, various env vars and volumes, etc will be injected. + The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $gateway.name | default "istio-ingressgateway" }} + namespace: {{ .Release.Namespace }} + labels: +{{ $gateway.labels | toYaml | indent 4 }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" +spec: +{{- if not $gateway.autoscaleEnabled }} +{{- if $gateway.replicaCount }} + replicas: {{ $gateway.replicaCount }} +{{- end }} +{{- end }} + selector: + matchLabels: +{{ $gateway.labels | toYaml | indent 6 }} + strategy: + rollingUpdate: + maxSurge: {{ $gateway.rollingMaxSurge }} + maxUnavailable: {{ $gateway.rollingMaxUnavailable }} + template: + metadata: + labels: +{{ $gateway.labels | toYaml | indent 8 }} +{{- if eq .Release.Namespace "istio-system"}} + heritage: Tiller + release: istio + chart: gateways +{{- end }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "IngressGateways" + sidecar.istio.io/inject: "true" + {{- with .Values.revision }} + istio.io/rev: {{ . 
}} + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + {{- end }} + sidecar.istio.io/inject: "true" + inject.istio.io/templates: "{{ $gateway.injectionTemplate }}" +{{- if $gateway.podAnnotations }} +{{ toYaml $gateway.podAnnotations | indent 8 }} +{{ end }} + spec: +{{- if not $gateway.runAsRoot }} + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + fsGroup: 1337 +{{- end }} + serviceAccountName: {{ $gateway.name | default "istio-ingressgateway" }}-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: istio-proxy + image: auto + ports: + {{- range $key, $val := $gateway.ports }} + - containerPort: {{ $val.targetPort | default $val.port }} + protocol: {{ $val.protocol | default "TCP" }} + {{- end }} + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if not $gateway.runAsRoot }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + {{- end }} + resources: +{{- if $gateway.resources }} +{{ toYaml $gateway.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + env: + {{- if not $gateway.runAsRoot }} + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + {{- end }} + {{- range $key, $val := $gateway.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + volumeMounts: + {{- range $gateway.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- range $gateway.configVolumes }} + {{- if .mountPath }} + - name: {{ .name }} + mountPath: {{ .mountPath | quote }} + readOnly: true + {{- end }} + {{- end }} +{{- if $gateway.additionalContainers }} +{{ toYaml $gateway.additionalContainers | 
indent 8 }}
+{{- end }}
+ volumes:
+ {{- range $gateway.secretVolumes }}
+ - name: {{ .name }}
+ secret:
+ secretName: {{ .secretName | quote }}
+ optional: true
+ {{- end }}
+ {{- range $gateway.configVolumes }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMapName | quote }}
+ optional: true
+ {{- end }}
+ affinity:
+{{ include "nodeaffinity" (dict "global" .Values.global "nodeSelector" $gateway.nodeSelector) | trim | indent 8 }}
+ {{- include "podAntiAffinity" $gateway | indent 6 }}
+{{- if $gateway.tolerations }}
+ tolerations:
+{{ toYaml $gateway.tolerations | indent 6 }}
+{{- else if .Values.global.defaultTolerations }}
+ tolerations:
+{{ toYaml .Values.global.defaultTolerations | indent 6 }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..523a43fc3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+{{ $gateway.labels | toYaml | trim | indent 6 }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/role.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/role.yaml
new file mode 100644
index 000000000..3e21bca5b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/role.yaml
@@ -0,0 +1,16 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
+---
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
new file mode 100644
index 000000000..d45255792
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $gateway.name }}-sds
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $gateway.name }}-sds
+subjects:
+- kind: ServiceAccount
+ name: {{ $gateway.name }}-service-account
+---
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/service.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/service.yaml
new file mode 100644
index 000000000..a3b97be16
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/service.yaml
@@ -0,0 +1,47 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+{{- if not $gateway.customService }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ $gateway.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := $gateway.serviceAnnotations }}
+ {{ $key }}: {{ $val | quote }}
+ {{- end }}
+ labels:
+{{ $gateway.labels | toYaml | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+spec:
+{{- if $gateway.loadBalancerIP }}
+ loadBalancerIP: "{{ $gateway.loadBalancerIP }}"
+{{- end }}
+{{- if $gateway.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+{{ toYaml $gateway.loadBalancerSourceRanges | indent 4 }}
+{{- end }}
+{{- if $gateway.externalTrafficPolicy }}
+ externalTrafficPolicy: {{$gateway.externalTrafficPolicy }}
+{{- end }}
+ type: {{ $gateway.type }}
+ selector:
+{{ $gateway.labels | toYaml | indent 4 }}
+ ports:
+
+ {{- range $key, $val := $gateway.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+
+ {{ range $app := $gateway.ingressPorts }}
+ -
+ port: {{ $app.port }}
+ name: {{ $app.name }}
+ {{- end }}
+---
+{{ end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
new file mode 100644
index 000000000..9cf3034cd
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/templates/serviceaccount.yaml
@@ -0,0 +1,22 @@
+{{ $gateway := index .Values "gateways" "istio-ingressgateway" }}
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: {{ $gateway.name }}-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{ $gateway.labels | toYaml | trim | indent 4 }}
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "IngressGateways"
+ {{- with $gateway.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/values.yaml
new file mode 100644
index 000000000..2762186d9
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/gateways/istio-ingress/values.yaml
@@ -0,0 +1,316 @@ +# A-la-carte istio ingress gateway. +# Must be installed in a separate namespace, to minimize access to secrets. + +gateways: + istio-ingressgateway: + name: istio-ingressgateway + labels: + app: istio-ingressgateway + istio: ingressgateway + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + protocol: TCP + - port: 80 + targetPort: 8080 + name: http2 + protocol: TCP + - port: 443 + targetPort: 8443 + name: https + protocol: TCP + + # Scalability tuning + # replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + + cpu: + targetAverageUtilization: 80 + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + serviceAnnotations: {} + + # To generate an internal load balancer: + # --set serviceAnnotations.cloud.google.com/load-balancer-type=internal + #serviceAnnotations: + # cloud.google.com/load-balancer-type: "internal" + + podAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + + ############## + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + + customService: false + externalTrafficPolicy: "" + + ingressPorts: [] + additionalContainers: [] + configVolumes: [] + + serviceAccount: + # Annotations to add to the service account + annotations: {} + + ### Advanced options ############ 
+ env: {} + nodeSelector: {} + tolerations: [] + + # Specify the pod anti-affinity that allows you to constrain which nodes + # your pod is eligible to be scheduled based on labels on pods that are + # already running on the node rather than based on labels on nodes. + # There are currently two types of anti-affinity: + # "requiredDuringSchedulingIgnoredDuringExecution" + # "preferredDuringSchedulingIgnoredDuringExecution" + # which denote "hard" vs. "soft" requirements, you can define your values + # in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" + # correspondingly. + # For example: + # podAntiAffinityLabelSelector: + # - key: security + # operator: In + # values: S1,S2 + # topologyKey: "kubernetes.io/hostname" + # This pod anti-affinity rule says that the pod requires not to be scheduled + # onto a node if that node is already running a pod with label having key + # "security" and value "S1". + podAntiAffinityLabelSelector: [] + podAntiAffinityTermLabelSelector: [] + + # whether to run the gateway in a privileged container + runAsRoot: false + + # The injection template to use for the gateway. If not set, no injection will be performed. + injectionTemplate: "" + +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# For Helm compatibility. +ownerName: "" + +global: + # set the default set of namespaces to which services, service entries, virtual services, destination + # rules should be exported to. Currently only one value can be provided in this list. This value + # should be one of the following two options: + # * implies these objects are visible to all namespaces, enabling any sidecar to talk to any other sidecar. + # . 
implies these objects are visible to only to sidecars in the same namespace, or if imported as a Sidecar.egress.host + defaultConfigVisibilitySettings: [] + + # Default node selector to be applied to all deployments so that all pods can be + # constrained to run a particular nodes. Each component can overwrite these default + # values by adding its node selector block in the relevant section below and setting + # the desired values. + defaultNodeSelector: {} + + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default node tolerations to be applied to all deployments so that all pods can be + # scheduled to a particular nodes with matching taints. Each component can overwrite + # these default values by adding its tolerations block in the relevant section below + # and setting the desired values. + # Configure this field in case that all pods of Istio control plane are expected to + # be scheduled to particular nodes with specified taints. + defaultTolerations: [] + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.12.6 + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. 
+ imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. 
+ componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # Used to locate istiod. + istioNamespace: istio-system + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. 
Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # The suffix for global service names + globalDomainSuffix: "global" + # Enable envoy filter to translate `globalDomainSuffix` to cluster local suffix for cross cluster communication + includeEnvoyFilter: true + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. 
+ servicePort: 0 + + +meshConfig: + enablePrometheusMerge: true + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + defaultConfig: + proxyMetadata: {} + tracing: + # tlsSettings: + # mode: DISABLE # DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + # clientCertificate: # example: /etc/istio/tracer/cert-chain.pem + # privateKey: # example: /etc/istio/tracer/key.pem + # caCertificates: # example: /etc/istio/tracer/root-cert.pem + # sni: # example: tracer.somedomain + # subjectAltNames: [] + # - tracer.somedomain diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/install-OpenShift.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/install-OpenShift.md new file mode 100644 index 000000000..0417c07a3 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/install-OpenShift.md 
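Review bot: The `gateways.istio-ingressgateway` defaults in this values.yaml (`type: LoadBalancer`, `loadBalancerSourceRanges: []`, `serviceAnnotations: {}`) render an unrestricted, internet-facing load balancer on AWS unless the Terraform module overrides them, and no such override is visible in this hunk. Because this copy lives under terraform-modules/aws, the module's values should at minimum either make the ELB internal (`serviceAnnotations: {service.beta.kubernetes.io/aws-load-balancer-internal: "true"}`) or set `loadBalancerSourceRanges` to the expected client CIDRs, and set `externalTrafficPolicy: Local` if client IPs feed any policy or logging. `runAsRoot: false` and the "must be installed in a separate namespace, to minimize access to secrets" comment at the top are the right defaults and should be preserved when overriding.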
@@ -0,0 +1,43 @@ +# Installing Istio on OpenShift using Helm + +> Note: Be aware of the [platform setup required for OpenShift](https://istio.io/latest/docs/setup/platform-setup/openshift/) when installing Istio. + +To install with Helm, you must first create the namespace that you wish to install in if the namespace does not exist already. The default namespace used is `istio-system` and can be created as follows: + +```console +kubectl create namespace istio-system +``` + +The installation process using the Helm charts is as follows: + +1) `base` chart creates cluster-wide CRDs, cluster bindings and cluster resources. It is possible to change the namespace from `istio-system` but it is not recommended. + +```console +helm install istio-base -n istio-system manifests/charts/base +``` + +2) `istio-cni` chart installs the CNI plugin. This should be installed after the `base` chart and prior to `istiod` chart. Need to add `--set istio_cni.enabled=true` to the `istiod` install to enable its usage. + +```console +helm install istio-cni -n kube-system manifests/charts/istio-cni --set cni.cniBinDir="/var/lib/cni/bin" --set cni.cniConfDir="/etc/cni/multus/net.d" --set cni.chained=false --set cni.cniConfFileName="istio-cni.conf" --set cni.excludeNamespaces[0]="istio-system" --set cni.excludeNamespaces[1]="kube-system" --set cni.repair.enabled=false --set cni.logLevel=info +``` + +3) `istio-control/istio-discovery` chart installs a revision of istiod. + +```console + helm install -n istio-system istio-17 manifests/charts/istio-control/istio-discovery --set istio_cni.enabled=true --set global.jwtPolicy=first-party-jwt --set sidecarInjectorWebhook.injectedAnnotations."k8s\.v1\.cni\.cncf\.io/networks"="istio-cni" +``` + +4) `gateways` charts install a load balancer with `ingress` and `egress`. + +Ingress secrets and access should be separated from the control plane. 
+ +```console +helm install -n istio-system istio-ingress manifests/charts/gateways/istio-ingress --set global.jwtPolicy=first-party-jwt +``` + +Egress secrets and access should be separated from the control plane. + +```console +helm install -n istio-system istio-egress manifests/charts/gateways/istio-egress --set global.jwtPolicy=first-party-jwt +``` diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/Chart.yaml new file mode 100644 index 000000000..036677ad9 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +name: cni +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.12.6 +appVersion: 1.12.6 +description: Helm chart for istio-cni components +keywords: + - istio-cni + - istio +sources: + - http://github.com/istio/cni +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/README.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/README.md new file mode 100644 index 000000000..b7fbc5d52 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/README.md 
@@ -0,0 +1,24 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/NOTES.txt new file mode 100644 index 000000000..994628240 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} + $ helm get all {{ .Release.Name }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/clusterrole.yaml new file mode 100644 index 000000000..7f7030de3 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/clusterrole.yaml 
@@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cni + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: +- apiGroups: [""] + resources: + - pods + - nodes + verbs: + - get +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cni-repair-role + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "delete", "patch", "update" ] +- apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "delete", "patch", "update", "create" ] +{{- end }} +--- + {{- if .Values.cni.taint.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cni-taint-role + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "list", "create", "update"] + {{- end }} 
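Review bot: `istio-cni-repair-role` grants the istio-cni ServiceAccount cluster-wide `delete`, `patch` and `update` on pods, and it is rendered by default because `cni.repair.enabled` defaults to true in this chart's values; the same ServiceAccount is used by a root DaemonSet on every node, so a compromise of any install-cni container yields a token that can delete or relabel any pod in the cluster. `cni.excludeNamespaces` narrows which pods the plugin touches but does not narrow this RBAC grant. If the repair controller is not relied on, set `cni.repair.enabled=false` in the module's override values (note that `cni.repair.deletePods=false` alone only disables the behaviour, the verb stays in the role); otherwise the accepted scope should be recorded next to the override. Whether the module overrides these values is not visible here.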
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..deabd5238 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/clusterrolebinding.yaml 
@@ -0,0 +1,78 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.cni.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni-repair-rolebinding + labels: + k8s-app: istio-cni-repair + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-repair-role +{{- end }} +--- +{{- if ne .Values.cni.psp_cluster_role "" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-cni-psp + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.cni.psp_cluster_role }} +subjects: +- kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- if .Values.cni.taint.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cni-taint-rolebinding + labels: + k8s-app: istio-cni-taint + istio.io/rev: {{ .Values.revision | default "default" }} + 
install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +subjects: + - kind: ServiceAccount + name: istio-cni + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cni-taint-role +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/configmap-cni.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/configmap-cni.yaml new file mode 100644 index 000000000..9c51b257e --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/configmap-cni.yaml 
@@ -0,0 +1,46 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: istio-cni-config + namespace: {{ .Release.Namespace }} + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +data: + # The CNI network configuration to add to the plugin chain on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "cniVersion": "0.3.1", + "name": "istio-cni", + "type": "istio-cni", + "log_level": {{ quote .Values.cni.logLevel }}, + "log_uds_address": "__LOG_UDS_ADDRESS__", + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__", + "cni_bin_dir": {{ quote .Values.cni.cniBinDir }}, + "exclude_namespaces": [ {{ range $idx, $ns := .Values.cni.excludeNamespaces }}{{ if $idx }}, {{ end }}{{ quote $ns }}{{ end }} ] + } + } +--- + {{- if .Values.cni.taint.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: "istio-cni-taint-configmap" + namespace: {{ .Release.Namespace }} + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +data: + config: | + - name: istio-cni + selector: k8s-app=istio-cni-node + namespace: {{ .Release.Namespace }} + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/daemonset.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/daemonset.yaml new file mode 100644 index 000000000..b04be9277 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/daemonset.yaml 
@@ -0,0 +1,172 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: istio-cni-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: istio-cni-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" +spec: + selector: + matchLabels: + k8s-app: istio-cni-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: istio-cni-node + sidecar.istio.io/inject: "false" + annotations: + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. + scheduler.alpha.kubernetes.io/critical-pod: '' + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Custom annotations + {{- if .Values.cni.podAnnotations }} +{{ toYaml .Values.cni.podAnnotations | indent 8 }} + {{- end }} + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: istio-cni + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. 
+ terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.cni.image }} + image: "{{ .Values.cni.image }}" +{{- else }} + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}" +{{- end }} +{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + livenessProbe: + httpGet: + path: /healthz + port: 8000 + initialDelaySeconds: 5 + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + privileged: {{ .Values.cni.privileged }} + command: ["install-cni"] + env: +{{- if .Values.cni.cniConfFileName }} + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "{{ .Values.cni.cniConfFileName }}" +{{- end }} + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: istio-cni-config + key: cni_network_config + - name: CNI_NET_DIR + value: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Deploy as a standalone CNI plugin or as chained? 
+ - name: CHAINED_CNI_PLUGIN + value: "{{ .Values.cni.chained }}" + - name: REPAIR_ENABLED + value: "{{ .Values.cni.repair.enabled }}" + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_LABEL_PODS + value: "{{.Values.cni.repair.labelPods}}" + # Set to true to enable pod deletion + - name: REPAIR_DELETE_PODS + value: "{{.Values.cni.repair.deletePods}}" + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + - name: REPAIR_INIT_CONTAINER_NAME + value: "{{ .Values.cni.repair.initContainerName }}" + - name: REPAIR_BROKEN_POD_LABEL_KEY + value: "{{.Values.cni.repair.brokenPodLabelKey}}" + - name: REPAIR_BROKEN_POD_LABEL_VALUE + value: "{{.Values.cni.repair.brokenPodLabelValue}}" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-log-dir + resources: +{{- if .Values.cni.resources }} +{{ toYaml .Values.cni.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} +{{- if .Values.cni.taint.enabled }} + - name: taint-controller +{{- if contains "/" .Values.cni.image }} + image: "{{ .Values.cni.image }}" +{{- else }} + image: "{{ .Values.cni.hub | default .Values.global.hub }}/{{ .Values.cni.image | default "install-cni" }}:{{ .Values.cni.tag | default .Values.global.tag }}" +{{- end }} +{{- if or .Values.cni.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.cni.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + command: ["/opt/local/bin/istio-cni-taint"] + securityContext: + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + env: + - name: "TAINT_RUN-AS-DAEMON" + value: "true" + - name: "TAINT_CONFIGMAP-NAME" + value: "istio-cni-taint-configmap" + - name: "TAINT_CONFIGMAP-NAMESPACE" + value: {{ .Release.Namespace | quote }} +{{- end }} + 
volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ default "/opt/cni/bin" .Values.cni.cniBinDir }} + - name: cni-net-dir + hostPath: + path: {{ default "/etc/cni/net.d" .Values.cni.cniConfDir }} + # Used for UDS log + - name: cni-log-dir + hostPath: + path: /var/run/istio-cni diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/resourcequota.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/resourcequota.yaml new file mode 100644 index 000000000..15946ae72 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/resourcequota.yaml @@ -0,0 +1,16 @@ +{{- if .Values.cni.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: istio-cni-resource-quota + namespace: {{ .Release.Namespace }} +spec: + hard: + pods: {{ .Values.cni.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/serviceaccount.yaml new file mode 100644 index 000000000..4645db63a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-cni + namespace: {{ .Release.Namespace }} + labels: + app: istio-cni + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Cni" 
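Review bot: The `install-cni` container's securityContext in this DaemonSet runs as uid 0 with writable hostPath mounts of the node's CNI bin and conf directories, so the container effectively has root-equivalent code execution on every node through the plugin binaries it installs; that is inherent to the CNI design, but the context sets nothing that limits escalation beyond `privileged: {{ .Values.cni.privileged }}`. Adding `allowPrivilegeEscalation: false` under that line is safe for a uid-0 process and keeps the no-new-privs bit set, and `readOnlyRootFilesystem: true` is worth trying if install-cni writes only to its mounts, which cannot be verified from this hunk. Keep `cni.privileged` at its default of false on EKS and install into kube-system as the chart README recommends, so any Pod Security Admission exemption stays confined to that namespace. The `scheduler.alpha.kubernetes.io/critical-pod` annotation is ignored by current schedulers; `priorityClassName: system-node-critical` already provides the intended behaviour.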
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/values.yaml new file mode 100644 index 000000000..3c169f4f2 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-cni/values.yaml 
@@ -0,0 +1,97 @@
+cni:
+ hub: ""
+ tag: ""
+ image: install-cni
+ pullPolicy: ""
+
+ logLevel: info
+
+ # Configuration file to insert istio-cni plugin configuration
+ # by default this will be the first file found in the cni-conf-dir
+ # Example
+ # cniConfFileName: 10-calico.conflist
+
+ # CNI bin and conf dir override settings
+ # defaults:
+ cniBinDir: /opt/cni/bin
+ cniConfDir: /etc/cni/net.d
+ cniConfFileName: ""
+
+ excludeNamespaces:
+ - istio-system
+ - kube-system
+
+ # Custom annotations on pod level, if you need them
+ podAnnotations: {}
+
+ # If this value is set a RoleBinding will be created
+ # in the same namespace as the istio-cni DaemonSet is created.
+ # This can be used to bind a preexisting ClusterRole to the istio/cni ServiceAccount
+ # e.g. if you use PodSecurityPolicies
+ psp_cluster_role: ""
+
+ # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")?
+ # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case
+ chained: true
+
+ # Allow the istio-cni container to run in privileged mode, needed for some platforms (e.g. OpenShift)
+ privileged: false
+
+ repair:
+ enabled: true
+ hub: ""
+ tag: ""
+
+ labelPods: true
+ deletePods: true
+
+ initContainerName: "istio-validation"
+
+ brokenPodLabelKey: "cni.istio.io/uninitialized"
+ brokenPodLabelValue: "true"
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+
+ # Experimental taint controller for further race condition mitigation
+ taint:
+ enabled: false
+
+ resourceQuotas:
+ enabled: false
+ pods: 5000
+
+# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+revision: ""
+
+# For Helm compatibility.
+ownerName: ""
+
+global:
+ # Default hub for Istio images.
+ # Releases are published to docker hub under 'istio' project.
+ # Dev builds from prow are on gcr.io
+ hub: docker.io/istio
+
+ # Default tag for Istio images.
+ tag: 1.12.6
+
+ # Specify image pull policy if default behavior isn't desired.
+ # Default behavior: latest images will be Always else IfNotPresent.
+ imagePullPolicy: ""
+
+ # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+ # to use for pulling any images in pods that reference this ServiceAccount.
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+ # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+ # Must be set for any cluster configured with private docker registry.
+ imagePullSecrets: []
+ # - private-registry-key
+
+ # Default resources allocated
+ defaultResources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/Chart.yaml
new file mode 100644
index 000000000..58e7d89b0
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+name: istiod
+# This version is never actually shipped. istio/release-builder will replace it at build-time
+# with the appropriate version
+version: 1.12.6
+appVersion: 1.12.6
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio control plane
+keywords:
+ - istio
+ - istiod
+ - istio-discovery
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/latest/favicons/android-192x192.png
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/README.md b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/README.md
new file mode 100644
index 000000000..9d4d07a42
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/README.md
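Review bot: `psp_cluster_role` and its comment in values.yaml describe binding a ClusterRole for PodSecurityPolicies, an API that is deprecated and removed in Kubernetes 1.25, so this knob becomes dead configuration on newer clusters without the comment saying so. Suggest extending the comment: `# NOTE: PodSecurityPolicy is removed in Kubernetes 1.25+; leave empty on such clusters and rely on Pod Security Admission instead.` Separately, `global.tag: 1.12.6` pins a control-plane line that, to my knowledge, is past end of support; confirm against Istio's published support status before vendoring it into the Terraform module, since the chart has no other place where that is recorded.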
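Review bot: In Chart.yaml the `sources` entry uses plain `http://github.com/istio/istio` while the `icon` field on the next lines uses https; the two should agree, and the source link should be `- https://github.com/istio/istio`. `tillerVersion` and `engine: gotpl` are Helm 2 fields that Helm 3 ignores; harmless, but a one-line comment noting they are kept only for Helm 2 compatibility would save the next reader a lookup.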
@@ -0,0 +1,59 @@
+# Istiod Helm Chart
+
+This chart installs an Istiod deployment.
+
+## Setup Repo Info
+
+```console
+helm repo add istio https://istio-release.storage.googleapis.com/charts
+helm repo update
+```
+
+_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
+
+## Installing the Chart
+
+Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart).
+
+To install the chart with the release name `istiod`:
+
+```console
+kubectl create namespace istio-system
+helm install istiod istio/istiod --namespace istio-system
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `istiod` deployment:
+
+```console
+helm delete istiod --namespace istio-system
+```
+
+## Configuration
+
+To view support configuration options and documentation, run:
+
+```console
+helm show values istio/istiod
+```
+
+### Examples
+
+#### Configuring mesh configuration settings
+
+Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below:
+
+```yaml
+meshConfig:
+ accessLogFile: /dev/stdout
+```
+
+#### Revisions
+
+Control plane revisions allow deploying multiple versions of the control plane in the same cluster.
+This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/)
+
+```yaml
+revision: my-revision-name
+```
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
new file mode 100644
index 000000000..9ce002a5b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/gateway-injection-template.yaml
@@ -0,0 +1,215 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ labels:
+ service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }}
+ service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }}
+ istio.io/rev: {{ .Revision | default "default" | quote }}
+ annotations: {
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ }
+spec:
+ containers:
+ - name: istio-proxy
+ {{- if contains "/" .Values.global.proxy.image }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ ports:
+ - containerPort: 15090
+ protocol: TCP
+ name: http-envoy-prom
+ args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }}
+ - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ {{- if .Values.global.proxy.lifecycle }}
+ lifecycle:
+ {{ toYaml .Values.global.proxy.lifecycle | indent 6 }}
+ {{- end }}
+ env:
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }}
+ volumeMounts:
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ mountPath: /var/run/secrets/workload-spiffe-credentials
+ readOnly: true
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # SDS channel between istioagent and Envoy
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - mountPath: /etc/certs/
+ name: istio-certs
+ readOnly: true
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ volumes:
+ {{- if eq .Values.global.caName "GkeWorkloadCertificate" }}
+ - name: gke-workload-certificate
+ csi:
+ driver: workloadcertificates.security.cloud.google.com
+ {{- end }}
+ # SDS channel between istioagent and Envoy
+ - emptyDir:
+ medium: Memory
+ name: istio-envoy
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+ {{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if .Values.global.mountMtlsCerts }}
+ # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
+ - name: istio-certs
+ secret:
+ optional: true
+ {{ if eq .Spec.ServiceAccountName "" }}
+ secretName: istio.default
+ {{ else -}}
+ secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }}
+ {{ end -}}
+ {{- end }}
+ {{- if .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }}
+ securityContext:
+ fsGroup: 1337
+ {{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml
new file mode 100644
index 000000000..d8ca33b91
--- /dev/null
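Review bot: The injected `istio-proxy` container in gateway-injection-template.yaml declares no container-level `securityContext`; the only hardening the template contributes is the pod-level `fsGroup: 1337`, and that only when `ENABLE_LEGACY_FSGROUP_INJECTION` is "true". The sidecar template rendered in gen-istio.yaml sets `runAsNonRoot: true`, `runAsUser: 1337`, `readOnlyRootFilesystem` and `capabilities.drop: [ALL]` for the same image, so on the gateway path all of that is left to whoever authors the gateway Deployment, and a Deployment that forgets it runs the proxy with the image defaults. If that is deliberate (a gateway bound to a port below 1024 may need NET_BIND_SERVICE), a comment beside `- name: istio-proxy` saying the Deployment is expected to supply the securityContext would make the contract explicit; otherwise consider giving the container the same defaults the sidecar gets, as below.
```yaml
 containers:
 - name: istio-proxy
   # … unchanged: image, ports, args, env, readinessProbe, volumeMounts …
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
       drop:
       - ALL
     privileged: false
     readOnlyRootFilesystem: true
     runAsGroup: 1337
     runAsNonRoot: true
     runAsUser: 1337
```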
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/gen-istio.yaml 
@@ -0,0 +1,2544 @@ +--- +# Source: istiod/templates/poddisruptionbudget.yaml +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio + istio: pilot +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + istio: pilot +--- +# Source: istiod/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +--- +# Source: istiod/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + networks: {} + + mesh: |- + defaultConfig: + discoveryAddress: istiod.istio-system.svc:15012 + tracing: + zipkin: + address: zipkin.istio-system:9411 + enablePrometheusMerge: true + rootNamespace: istio-system + trustDomain: cluster.local +--- +# Source: istiod/templates/istiod-injector-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + release: istio +data: + + values: |- + { + "global": { + "caAddress": "", + "caName": "", + "configCluster": false, + "defaultPodDisruptionBudget": { + "enabled": true + }, + "defaultResources": { + "requests": { + "cpu": "10m" + } + }, + "externalIstiod": false, + "hub": "gcr.io/istio-testing", + "imagePullPolicy": "", + "imagePullSecrets": [], + "istioNamespace": "istio-system", + "istiod": { + "enableAnalysis": false + }, + "jwtPolicy": 
"third-party-jwt", + "logAsJson": false, + "logging": { + "level": "default:info" + }, + "meshID": "", + "meshNetworks": {}, + "mountMtlsCerts": false, + "multiCluster": { + "clusterName": "", + "enabled": false + }, + "network": "", + "omitSidecarInjectorConfigMap": false, + "oneNamespace": false, + "operatorManageWebhooks": false, + "pilotCertProvider": "istiod", + "priorityClassName": "", + "proxy": { + "autoInject": "enabled", + "clusterDomain": "cluster.local", + "componentLogLevel": "misc:error", + "enableCoreDump": false, + "excludeIPRanges": "", + "excludeInboundPorts": "", + "excludeOutboundPorts": "", + "holdApplicationUntilProxyStarts": false, + "image": "proxyv2", + "includeIPRanges": "*", + "includeInboundPorts": "*", + "includeOutboundPorts": "", + "logLevel": "warning", + "privileged": false, + "readinessFailureThreshold": 30, + "readinessInitialDelaySeconds": 1, + "readinessPeriodSeconds": 2, + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "statusPort": 15020, + "tracer": "zipkin" + }, + "proxy_init": { + "image": "proxyv2", + "resources": { + "limits": { + "cpu": "2000m", + "memory": "1024Mi" + }, + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + } + }, + "remotePilotAddress": "", + "sds": { + "token": { + "aud": "istio-ca" + } + }, + "sts": { + "servicePort": 0 + }, + "tag": "latest", + "tracer": { + "datadog": { + "address": "$(HOST_IP):8126" + }, + "lightstep": { + "accessToken": "", + "address": "" + }, + "stackdriver": { + "debug": false, + "maxNumberOfAnnotations": 200, + "maxNumberOfAttributes": 200, + "maxNumberOfMessageEvents": 200 + }, + "zipkin": { + "address": "" + } + }, + "useMCP": false + }, + "revision": "", + "sidecarInjectorWebhook": { + "alwaysInjectSelector": [], + "defaultTemplates": [], + "enableNamespacesByDefault": false, + "injectedAnnotations": {}, + "neverInjectSelector": [], + "objectSelector": { + "autoInject": true, + 
"enabled": true + }, + "rewriteAppHTTPProbe": true, + "templates": {} + } + } + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + defaultTemplates: [sidecar] + policy: enabled + alwaysInjectSelector: + [] + neverInjectSelector: + [] + injectedAnnotations: + template: "{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}" + templates: + sidecar: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + {{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + 
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{- end }} + } + spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne 
(annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` 
.Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` 
}}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta 
`sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .EstimatedConcurrency 0 }} + - --concurrency + - "{{ .EstimatedConcurrency }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: 
status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - 
name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + fsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` 
.ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} + gateway: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } + spec: + containers: + - name: istio-proxy + {{- 
if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ 
+ {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . 
}} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} + grpc-simple: | + metadata: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} + grpc-agent: | + {{- $containers := list }} + {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} + metadata: + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ 
index $containers 0 }}", + {{ end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } + spec: + containers: + {{- range $index, $container := .Spec.Containers }} + {{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- end }} + {{- end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + 
{{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain 
.Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ .Values.global.proxy.statusPort }} + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations 
`sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + # UDS channel between istioagent and gRPC client for XDS/SDS + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: 
istio-ca-root-cert + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} +--- +# Source: istiod/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole-istio-system + labels: + app: istiod + release: istio +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", 
"list", "watch"] + + # ingress controller + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +# Source: istiod/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole 
+metadata: + name: istiod-gateway-controller-istio-system + labels: + app: istiod + release: istio +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] +--- +# Source: istiod/templates/reader-clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole-istio-system + labels: + app: istio-reader + release: istio +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +--- +# Source: istiod/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole-istio-system +subjects: + - kind: ServiceAccount + name: istiod + namespace: istio-system +--- +# Source: istiod/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller-istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller-istio-system +subjects: +- kind: ServiceAccount + name: istiod + namespace: istio-system +--- +# Source: istiod/templates/reader-clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole-istio-system + labels: + app: istio-reader + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole-istio-system +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: istio-system +--- +# Source: istiod/templates/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. 
+- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] +--- +# Source: istiod/templates/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod +subjects: + - kind: ServiceAccount + name: istiod + namespace: istio-system +--- +# Source: istiod/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istiod + namespace: istio-system + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: istio +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + # Label used by the 'default' service. For versioned deployments we match with app and version. 
+ # This avoids default deployment picking the canary + istio: pilot +--- +# Source: istiod/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + istio: pilot + release: istio +spec: + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: istiod + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + istio: pilot + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istiod + securityContext: + fsGroup: 1337 + containers: + - name: discovery + image: "gcr.io/istio-testing/pilot:latest" + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "default" + - name: JWT_POLICY + value: third-party-jwt + - name: PILOT_CERT_PROVIDER + value: istiod + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + - name: PILOT_TRACE_SAMPLING + value: "1" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "true" + - 
name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "true" + - name: ISTIOD_ADDR + value: istiod.istio-system.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "false" + - name: CLUSTER_ID + value: "Kubernetes" + resources: + requests: + cpu: 500m + memory: 2048Mi + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true +--- +# Source: istiod/templates/autoscale.yaml +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istiod + namespace: istio-system + labels: + app: istiod + release: istio + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +# Source: istiod/templates/revision-tags.yaml +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +--- +# Source: 
istiod/templates/telemetryv2_1.10.yaml +# Note: http stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.10 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + 
- applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istiod/templates/telemetryv2_1.10.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.10 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + 
context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istiod/templates/telemetryv2_1.11.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: 
+ filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istiod/templates/telemetryv2_1.11.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.11 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + 
name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istiod/templates/telemetryv2_1.12.yaml +# Note: http stats filter is wasm enabled only in sidecars. 
+apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.12 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: 
+ filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + vm_config: + vm_id: stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats +--- +# Source: istiod/templates/telemetryv2_1.12.yaml +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.12 + namespace: istio-system + labels: + istio.io/rev: default +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + vm_config: + vm_id: tcp_stats_inbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + 
name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "debug": "false", + "stat_prefix": "istio" + } + vm_config: + vm_id: tcp_stats_outbound + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" +--- +# Source: istiod/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + labels: + istio.io/rev: default + install.operator.istio.io/owning-resource: unknown + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: istio +webhooks: +- name: rev.namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + 
matchExpressions: + - key: istio.io/rev + operator: In + values: + - "default" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +- name: rev.object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "default" +- name: namespace.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +- name: object.sidecar-injector.istio.io + clientConfig: + service: + name: istiod + namespace: istio-system + path: "/inject" + port: 443 + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: 
sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
new file mode 100644
index 000000000..547e03e0c
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/grpc-agent.yaml
@@ -0,0 +1,233 @@
+{{- $containers := list }}
+{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
+metadata:
+ annotations: {
+ {{- if eq (len $containers) 1 }}
+ kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}",
+ kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
+ {{ end }}
+ sidecar.istio.io/rewriteAppHTTPProbers: "false",
+ }
+spec:
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ {{ if not (eq $container.Name "istio-proxy") }}
+ - name: {{ $container.Name }}
+ env:
+ - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT"
+ value: "true"
+ - name: "GRPC_XDS_BOOTSTRAP"
+ value: "/etc/istio/proxy/grpc-bootstrap.json"
+ volumeMounts:
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- end }}
+ {{- end }}
+ - name: istio-proxy
+ {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }}
+ image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}"
+ {{- else }}
+ image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}"
+ {{- end }}
+ args:
+ - proxy
+ - sidecar
+ - --domain
+ - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }}
+ - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}
+ {{- if .Values.global.sts.servicePort }}
+ - --stsPort={{ .Values.global.sts.servicePort }}
+ {{- end }}
+ {{- if .Values.global.logAsJson }}
+ - --log_as_json
+ {{- end }}
+ env:
+ - name: ISTIO_META_GENERATOR
+ value: grpc
+ - name: OUTPUT_CERTS
+ value: /var/lib/istio/data
+ {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }}
+ - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION
+ value: "true"
+ {{- end }}
+ - name: JWT_POLICY
+ value: {{ .Values.global.jwtPolicy }}
+ - name: PILOT_CERT_PROVIDER
+ value: {{ .Values.global.pilotCertProvider }}
+ - name: CA_ADDR
+ {{- if .Values.global.caAddress }}
+ value: {{ .Values.global.caAddress }}
+ {{- else }}
+ value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ - name: PROXY_CONFIG
+ value: |
+ {{ protoToJSON .ProxyConfig }}
+ - name: ISTIO_META_POD_PORTS
+ value: |-
+ [
+ {{- $first := true }}
+ {{- range $index1, $c := .Spec.Containers }}
+ {{- range $index2, $p := $c.Ports }}
+ {{- if (structToJSON $p) }}
+ {{if not $first}},{{end}}{{ structToJSON $p }}
+ {{- $first = false }}
+ {{- end }}
+ {{- end}}
+ {{- end}}
+ ]
+ - name: ISTIO_META_APP_CONTAINERS
+ value: "{{ $containers | join "," }}"
+ - name: ISTIO_META_CLUSTER_ID
+ value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}"
+ - name: ISTIO_META_INTERCEPTION_MODE
+ value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}"
+ {{- if .Values.global.network }}
+ - name: ISTIO_META_NETWORK
+ value: "{{ .Values.global.network }}"
+ {{- end }}
+ {{- if .DeploymentMeta.Name }}
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: "{{ .DeploymentMeta.Name }}"
+ {{ end }}
+ {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }}
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }}
+ {{- end}}
+ {{- if .Values.global.meshID }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ .Values.global.meshID }}"
+ {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: ISTIO_META_MESH_ID
+ value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
+ {{- end }}
+ {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}
+ - name: TRUST_DOMAIN
+ value: "{{ . }}"
+ {{- end }}
+ {{- range $key, $value := .ProxyConfig.ProxyMetadata }}
+ - name: {{ $key }}
+ value: "{{ $value }}"
+ {{- end }}
+ # grpc uses xds:/// to resolve – no need to resolve VIP
+ - name: ISTIO_META_DNS_CAPTURE
+ value: "false"
+ - name: DISABLE_ENVOY
+ value: "true"
+ {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
+ {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }}
+ readinessProbe:
+ httpGet:
+ path: /healthz/ready
+ port: {{ .Values.global.proxy.statusPort }}
+ initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }}
+ periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }}
+ timeoutSeconds: 3
+ failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }}
+ {{ end -}}
+ resources:
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }}
+ requests:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}"
+ {{ end }}
+ {{- end }}
+ {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }}
+ limits:
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}}
+ cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}"
+ {{ end }}
+ {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}}
+ memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}"
+ {{ end }}
+ {{- end }}
+ {{- else }}
+ {{- if .Values.global.proxy.resources }}
+ {{ toYaml .Values.global.proxy.resources | indent 6 }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ {{- end }}
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - mountPath: /etc/istio/proxy
+ name: istio-xds
+ {{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ {{- end }}
+ - name: istio-podinfo
+ mountPath: /etc/istio/pod
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }}
+ {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 6 }}
+ {{ end }}
+ {{- end }}
+ volumes:
+ # UDS channel between istioagent and gRPC client for XDS/SDS
+ - emptyDir:
+ medium: Memory
+ name: istio-xds
+ - name: istio-data
+ emptyDir: {}
+ - name: istio-podinfo
+ downwardAPI:
+ items:
+ - path: "labels"
+ fieldRef:
+ fieldPath: metadata.labels
+ - path: "annotations"
+ fieldRef:
+ fieldPath: metadata.annotations
+{{- if eq .Values.global.jwtPolicy "third-party-jwt" }}
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: istio-token
+ expirationSeconds: 43200
+ audience: {{ .Values.global.sds.token.aud }}
+{{- end }}
+ {{- if eq .Values.global.pilotCertProvider "istiod" }}
+ - name: istiod-ca-cert
+ configMap:
+ name: istio-ca-root-cert
+ {{- end }}
+ {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }}
+ {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }}
+ - name: "{{ $index }}"
+ {{ toYaml $value | indent 4 }}
+ {{ end }}
+ {{ end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml
new file mode 100644
index 000000000..4346a41c6
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/grpc-simple.yaml
@@ -0,0 +1,64 @@
+metadata:
+ sidecar.istio.io/rewriteAppHTTPProbers: "false"
+spec:
+ initContainers:
+ - name: grpc-bootstrap-init
+ image: busybox:1.28
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ env:
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ISTIO_NAMESPACE
+ value: |
+ {{ .Values.global.istioNamespace }}
+ command:
+ - sh
+ - "-c"
+ - |-
+ NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local"
+ SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010"
+ echo '
+ {
+ "xds_servers": [
+ {
+ "server_uri": "'${SERVER_URI}'",
+ "channel_creds": [{"type": "insecure"}],
+ "server_features" : ["xds_v3"]
+ }
+ ],
+ "node": {
+ "id": "'${NODE_ID}'",
+ "metadata": {
+ "GENERATOR": "grpc"
+ }
+ }
+ }' > /var/lib/grpc/data/bootstrap.json
+ containers:
+ {{- range $index, $container := .Spec.Containers }}
+ - name: {{ $container.Name }}
+ env:
+ - name: GRPC_XDS_BOOTSTRAP
+ value: /var/lib/grpc/data/bootstrap.json
+ - name: GRPC_GO_LOG_VERBOSITY_LEVEL
+ value: "99"
+ - name: GRPC_GO_LOG_SEVERITY_LEVEL
+ value: info
+ volumeMounts:
+ - mountPath: /var/lib/grpc/data/
+ name: grpc-io-proxyless-bootstrap
+ {{- end }}
+ volumes:
+ - name: grpc-io-proxyless-bootstrap
+ emptyDir: {}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
new file mode 100644
index 000000000..f338913aa
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/files/injection-template.yaml
@@ -0,0 +1,491 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} +{{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + 
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ 
annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: 
"{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + 
{{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if 
.Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .EstimatedConcurrency 0 }} + - --concurrency + - "{{ .EstimatedConcurrency }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - 
name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + fsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) 
`TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index 
.ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/kustomization.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/kustomization.yaml new file mode 100644 index 000000000..7f9bbc394 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - files/gen-istio.yaml diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt new file mode 100644 index 000000000..f369b56da --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/NOTES.txt 
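Review bot: The `enable-core-dump` init container runs `sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy` as root with `privileged: true` and `SYS_ADMIN`; `kernel.core_pattern` is not a namespaced sysctl, so this rewrites the core-dump handler for the whole node rather than the pod, and the block is reachable from any injected workload through the `sidecar.istio.io/enableCoreDump: "true"` annotation (or for every workload when `global.proxy.enableCoreDump` is set). Keep that value `false` in this module and block the annotation outside platform namespaces with an admission policy (PSA `restricted` rejects the privileged init container as a side effect); a comment above the block such as `# WARNING: sets a node-wide sysctl from a privileged container; gate behind admission policy` would help the next reader. In the same hunk, `sidecar.istio.io/userVolume` / `userVolumeMount` splice arbitrary volume specs (hostPath included) into the sidecar — also upstream behaviour, but worth noting in the module docs alongside. More broadly this is a verbatim copy of the 1.12.6 chart; I believe the 1.12 line is past its support window, so confirm against istio.io's supported-releases page before building on these templates.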
@@ -0,0 +1,21 @@
+"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed!
+
+To learn more about the release, try:
+ $ helm status {{ .Release.Name }}
+ $ helm get all {{ .Release.Name }}
+
+Next steps:
+ * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/
+ * Try out our tasks to get started on common configurations:
+ * https://istio.io/latest/docs/tasks/traffic-management
+ * https://istio.io/latest/docs/tasks/security/
+ * https://istio.io/latest/docs/tasks/policy-enforcement/
+ * https://istio.io/latest/docs/tasks/policy-enforcement/
+ * Review the list of actively supported releases, CVE publications and our hardening guide:
+ * https://istio.io/latest/docs/releases/supported-releases/
+ * https://istio.io/latest/news/security/
+ * https://istio.io/latest/docs/ops/best-practices/security/
+
+For further documentation see https://istio.io website
+
+Tell us how your install/upgrade experience went at https://forms.gle/FegQbc9UvePd4Z9z7
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
new file mode 100644
index 000000000..b8b14ad0b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/autoscale.yaml
@@ -0,0 +1,26 @@
+{{- if and .Values.pilot.autoscaleEnabled .Values.pilot.autoscaleMin .Values.pilot.autoscaleMax }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+spec:
+ maxReplicas: {{ .Values.pilot.autoscaleMax }}
+ minReplicas: {{ .Values.pilot.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
new file mode 100644
index 000000000..67d29fd18
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/clusterrole.yaml
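Review bot: `apiVersion: autoscaling/v2beta1` is the HPA API version that, as far as I recall, stopped being served in Kubernetes 1.25; on an EKS cluster at or past that version this manifest fails to apply, so the control plane silently runs without an autoscaler while istiod takes traffic. The `targetAverageUtilization` field under `metrics[].resource` is specific to that beta API; the stable `autoscaling/v2` form uses a `target` object instead. Because this is a vendored upstream 1.12.6 file, the practical fix is a post-render overlay or a chart bump rather than editing in place, and the module README should state the Kubernetes version ceiling either way.
```yaml
apiVersion: autoscaling/v2
# … unchanged: kind, metadata, spec.maxReplicas / minReplicas / scaleTargetRef …
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: {{ .Values.pilot.cpu.targetAverageUtilization }}
```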
@@ -0,0 +1,134 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: 
["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - 
apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["multicluster.x-k8s.io"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..f6e425210 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/clusterrolebinding.yaml 
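Review bot: The istiod ClusterRole grants `get`/`list`/`watch` on `secrets` across every namespace (the rule commented `# Needed for multicluster secret reading, possibly ingress certs in the future`), on top of `create`/`approve` rights for CSRs and the `kubernetes.io/legacy-unknown` signer, so compromise of istiod or of its service-account token yields read access to every Secret in the cluster. Nothing in this template conditions that rule on multicluster or gateway-cert features being enabled, so turning those off in values does not narrow it; since this is the upstream 1.12 role it should not be trimmed in place, but the module should record the blast radius and consider a downstream overlay that scopes the rule where those features are unused. A comment on the rule would make the trade-off visible to the next reader: `# NOTE(review): cluster-wide Secret read — istiod compromise exposes every Secret; see module README`. The `ingresses/status` rule with `verbs: ["*"]` and the Gateway API `update`/`patch` on `resources: ["*"]` are likewise broader than the status subresource they target, as the inline TODOs admit.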
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
\ No newline at end of file
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
new file mode 100644
index 000000000..7b719ac7e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/configmap-jwks.yaml
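Review bot: Both bindings name the subject ServiceAccount in `{{ .Values.global.istioNamespace }}` while the role and binding names embed `{{ .Release.Namespace }}`; if the chart is released into a namespace that differs from `global.istioNamespace`, the cluster-wide istiod role is bound to a ServiceAccount in the other namespace — presumably not the one the istiod Deployment runs under, which is outside this hunk. The two values are not checked for agreement anywhere visible, so the module should either assert it in an overlay, e.g. `{{- if ne .Release.Namespace .Values.global.istioNamespace }}{{ fail "release namespace must equal global.istioNamespace" }}{{- end }}`, or document that they must match. The file also ends without a trailing newline, which is cosmetic here but worth fixing if the copy is ever re-synced from upstream.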
@@ -0,0 +1,14 @@
+{{- if .Values.pilot.jwksResolverExtraRootCA }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ release: {{ .Release.Name }}
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+data:
+ extra.pem: {{ .Values.pilot.jwksResolverExtraRootCA | quote }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
new file mode 100644
index 000000000..17b52f101
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/configmap.yaml
@@ -0,0 +1,100 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: {{ .Values.global.meshID }} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. 
+ maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- else }} + {} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.externalIstiod }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . 
| fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml new file mode 100644 index 000000000..434d102b4 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/deployment.yaml 
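Review bot: `accessToken: {{ .Values.global.tracer.lightstep.accessToken }}` in the `mesh` template writes the LightStep access token in clear text into the `istio` ConfigMap whenever `global.proxy.tracer` is "lightstep", so any principal with ConfigMap read in the namespace can recover it (and, I assume, every proxy that receives the rendered defaultConfig — confirm how istiod distributes it). This is upstream chart behaviour, but since the module vendors the chart the caveat should live where the tracer values are documented, e.g. `# global.tracer.lightstep.accessToken is rendered into a ConfigMap, not a Secret; do not source it from a sensitive Terraform variable`. The `define "mesh"` block starts at the top of this hunk and the token line is inside it.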
@@ -0,0 +1,219 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} +{{- range $key, $val := .Values.pilot.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.pilot.autoscaleEnabled }} +{{- if .Values.pilot.replicaCount }} + replicas: {{ .Values.pilot.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.pilot.rollingMaxSurge }} + maxUnavailable: {{ .Values.pilot.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.pilot.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + annotations: + {{- if .Values.meshConfig.enablePrometheusMerge }} + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + {{- end }} + sidecar.istio.io/inject: "false" + {{- if .Values.pilot.podAnnotations }} +{{ toYaml .Values.pilot.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.pilot.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pilot.nodeSelector | indent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if 
.Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + securityContext: + fsGroup: 1337 + containers: + - name: discovery +{{- if contains "/" .Values.pilot.image }} + image: "{{ .Values.pilot.image }}" +{{- else }} + image: "{{ .Values.pilot.hub | default .Values.global.hub }}/{{ .Values.pilot.image | default "pilot" }}:{{ .Values.pilot.tag | default .Values.global.tag }}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if .Values.pilot.plugins }} + - --plugins={{ .Values.pilot.plugins }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.pilot.keepaliveMaxServerConnectionAge }}" + ports: + - containerPort: 8080 + protocol: TCP + - containerPort: 15010 + protocol: TCP + - containerPort: 15017 + protocol: TCP + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + {{- if .Values.pilot.env }} + {{- range $key, $val := 
.Values.pilot.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.pilot.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.pilot.traceSampling }}" +{{- end }} + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForOutbound }}" + - name: PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND + value: "{{ .Values.pilot.enableProtocolSniffingForInbound }}" + - name: ISTIOD_ADDR + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Release.Namespace }}.svc:15012 + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + resources: +{{- if .Values.pilot.resources }} +{{ toYaml .Values.pilot.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + {{- end }} + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. 
+ - emptyDir: + medium: Memory + name: local-certs + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + {{- end }} + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + {{- if .Values.pilot.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml new file mode 100644 index 000000000..b6b1fa8e8 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/istiod-injector-configmap.yaml 
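Review bot: `KUBECONFIG=/var/run/secrets/remote/config` together with the `istio-kubeconfig` secret volume (`optional: true`) means that, as far as this hunk shows, anyone who can create a Secret named `istio-kubeconfig` in the istiod namespace can hand istiod a different API-server credential to use after its next restart; the volume carries no comment explaining that. A note on the volume such as `# Optional remote-cluster kubeconfig: Secret create/update in this namespace is equivalent to istiod's cluster credential` would tell operators what to restrict. The existing "Technically not needed on this pod ... Should be removed after everything works" comment describes the `local-certs` emptyDir and is stale upstream text; it is worth either deleting or updating when the chart is re-vendored. The container's own securityContext (non-root 1337, read-only root FS, all capabilities dropped) is in good shape.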
@@ -0,0 +1,67 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": "{{ $val }}" + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". 
+ This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..dcb84dde3 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/mutatingwebhook.yaml 
@@ -0,0 +1,144 @@ +{{- /* Core defines the common configuration used by all webhook segments */}} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: "{{ .Values.istiodRemote.injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "{{ .Values.istiodRemote.injectionPath }}" + port: 443 + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy .) 
(dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy .) 
(dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..40b2e6015 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/poddisruptionbudget.yaml 
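Review bot: With `sidecarInjectorWebhook.enableNamespacesByDefault` set, the `auto.` webhook's selectors match every pod in every namespace that carries neither `istio-injection` nor `istio.io/rev`, so injection becomes opt-out mesh-wide; whether system namespaces are skipped is decided by istiod's own configuration rather than by anything in this manifest, so I would not rely on it from here. The module's values should keep that flag off unless opt-out injection is the intent; the same construction is repeated in revision-tags.yaml below. Every webhook uses `failurePolicy: Fail` with `caBundle: ""`, which fails closed until istiod patches the bundle — right for security, but worth a comment for operators who see pod creation rejected while istiod is down, e.g. `# failurePolicy Fail: pod creation in selected namespaces is blocked while istiod is unavailable`.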
@@ -0,0 +1,25 @@
+{{- if .Values.global.defaultPodDisruptionBudget.enabled }}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+ istio: pilot
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app: istiod
+ {{- if ne .Values.revision "" }}
+ istio.io/rev: {{ .Values.revision }}
+ {{- else }}
+ istio: pilot
+ {{- end }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..69e4dd381
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrole.yaml
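Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget was removed in Kubernetes 1.25 (`policy/v1` has been served since 1.21), so on a current EKS version this template fails to apply whenever `global.defaultPodDisruptionBudget.enabled` is true. The fields used here (`minAvailable`, `selector`) are unchanged in `policy/v1`, so the minimal local fix is `apiVersion: policy/v1`; alternatively the module should pin the value off and say why. Note also that `minAvailable: 1` combined with a single istiod replica (the Deployment takes `replicas` from `pilot.replicaCount`) will block voluntary node drains of the node hosting istiod — worth a comment next to `minAvailable` if that is accepted.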
@@ -0,0 +1,54 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
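Review bot: The `apiGroups: [""]` rule grants cluster-wide `get/list/watch` on `secrets` to whatever is bound to this role — the `istio-reader-service-account` per the binding in the next hunk — which turns that service account's token into a read path to every Secret in the cluster, not only Istio's. As I understand upstream, this exists for multi-cluster remote-secret discovery; in a single-cluster Terraform deployment it buys nothing, so the grant should at least be documented, e.g. `# secrets: cluster-wide read, needed only for multi-cluster remote secrets; audit the istio-reader SA token accordingly`. The `global.externalIstiod` branch further adds write on ConfigMaps and admission webhooks, so the module's values should leave that off unless an external control plane is actually used.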
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..4f9925c9d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
new file mode 100644
index 000000000..2ec985f04
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/revision-tags.yaml
@@ -0,0 +1,130 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +{{- define "core" }} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .Values.istiodRemote.injectionURL }} + url: "{{ .Values.istiodRemote.injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + path: "{{ .Values.istiodRemote.injectionPath }}" + {{- end }} + caBundle: "" + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + admissionReviewVersions: ["v1beta1", "v1"] +{{- end }} + +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ $.Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: 
DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} 
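Review bot: `{{- define "core" }}` reuses the name already defined in mutatingwebhook.yaml; Helm named templates are chart-global, so one body silently replaces the other (I believe the last file parsed wins). The only visible difference is that this body omits `port: 443` in the `service` clientConfig, which is the API default, so rendering is the same either way — but the coupling is fragile, since a later edit to either body would change both webhook configurations. A distinct name, `{{- define "revision-tag-core" }}` with the five `include "core"` calls in this file updated to match, removes the ambiguity; the header comment that says the file was adapted from mutatingwebhook.yaml is the natural place to mention the shared-name caveat until then.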
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/role.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/role.yaml
new file mode 100644
index 000000000..25c4f5c3b
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/role.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
new file mode 100644
index 000000000..0d700f008
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/rolebinding.yaml
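Review bot: The `secrets` rule grants create/get/watch/list/update/delete on every Secret in `global.istioNamespace`, and the hunk's own `# TODO lock this down to istio-ca-cert if not using the DNS cert mesh config` acknowledges the gap. For a module that deploys into a fixed namespace, adding `resourceNames` for the secrets istiod actually manages would confine the `get/update/delete` verbs; `create`, `list` and `watch` cannot be narrowed by `resourceNames`, so those would still need to stay broad or be reconsidered. Which secret names istiod writes depends on `global.pilotCertProvider` and the CA setup, so I would verify against a running install before narrowing rather than trust the TODO's `istio-ca-cert` guess.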
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/service.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/service.yaml
new file mode 100644
index 000000000..b5ddf5b6e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/service.yaml
@@ -0,0 +1,41 @@ +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.pilot.serviceAnnotations }} + annotations: +{{ toYaml .Values.pilot.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml new file mode 100644 index 000000000..ee6cbc326 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/serviceaccount.yaml 
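Review bot: Port `15010` is exposed on the istiod Service and the hunk's own comment marks it `grpc-xds # plaintext`, while the mTLS equivalent is `15012`; whether istiod still authenticates xDS clients on the plaintext port is not visible here, so I would confirm before relying on it. Unless something in this module needs 15010, a NetworkPolicy limiting it to in-namespace clients, or a comment stating why it is exposed, would help reviewers, e.g. `# 15010 is plaintext xDS; prefer 15012 (mTLS) and restrict 15010 by NetworkPolicy`. Port `443` → `15017` for the injection/validation webhooks looks correct.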
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+---
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
new file mode 100644
index 000000000..65f0eddf8
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.10.yaml
@@ -0,0 +1,601 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | 
indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: 
/etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + 
- applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: 
+ vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: 
+ root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default 
"default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.11.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.11.yaml new file mode 100644 index 000000000..fba3a5ec2 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.11.yaml 
@@ -0,0 +1,601 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | 
indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: 
/etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + 
- applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: 
+ vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: 
+ root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default 
"default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.12.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.12.yaml new file mode 100644 index 000000000..aeb987f23 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/telemetryv2_1.12.yaml 
@@ -0,0 +1,601 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | 
indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: 
/etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + 
- applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: 
+ vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: 
+ root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default 
"default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..15102a174 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/templates/validatingwebhookconfiguration.yaml 
@@ -0,0 +1,56 @@
+{{- if .Values.global.configValidation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+ istio: istiod
+ istio.io/rev: {{ .Values.revision | default "default" }}
+webhooks:
+ # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks
+ # are rejecting invalid configs on a per-revision basis.
+ - name: rev.validation.istio.io
+ clientConfig:
+ # Should change from base but cannot for API compat
+ {{- if .Values.base.validationURL }}
+ url: {{ .Values.base.validationURL }}
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ path: "/validate"
+ {{- end }}
+ caBundle: "" # patched at runtime when the webhook is ready.
+ rules:
+ - operations:
+ - CREATE
+ - UPDATE
+ apiGroups:
+ - security.istio.io
+ - networking.istio.io
+ - telemetry.istio.io
+ - extensions.istio.io
+ apiVersions:
+ - "*"
+ resources:
+ - "*"
+ # Fail open until the validation webhook is ready. The webhook controller
+ # will update this to `Fail` and patch in the `caBundle` when the webhook
+ # endpoint is ready.
+ failurePolicy: Ignore
+ sideEffects: None
+ admissionReviewVersions: ["v1beta1", "v1"]
+ objectSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/values.yaml
new file mode 100644
index 000000000..2386acae4
--- /dev/null
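Review bot: The validator is installed fail-open (`failurePolicy: Ignore` with `caBundle: ""`) and nothing in this module checks that istiod later flips it to `Fail`, so until that runtime patch lands every CREATE/UPDATE in the listed istio.io API groups is admitted unvalidated, and if the patch never happens (presumably the case when `global.operatorManageWebhooks` hands webhook management to the Operator — confirm) the mesh stays permanently unvalidated. This looks like the upstream Istio 1.12.6 chart copied verbatim under `terraform-modules/aws/istio/istio-1.12.6`, so the template itself should not be hand-edited; the Terraform apply or its smoke test should instead assert the flip before declaring the control plane ready, e.g. `kubectl get validatingwebhookconfiguration istio-validator-istio-system -o jsonpath='{.webhooks[0].failurePolicy}'` must return `Fail` (name derived from the default empty revision and `global.istioNamespace: istio-system`). The vendored tree also carries no provenance marker; a README or checksum file stating which upstream release tarball and digest these manifests came from would make future bumps and CVE triage verifiable, and as far as I recall Istio 1.12 is past end-of-support, so pinning to it should be a tracked item.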
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-control/istio-discovery/values.yaml 
@@ -0,0 +1,536 @@ +#.Values.pilot for discovery and mesh wide config + +## Discovery Settings +pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + env: {} + + cpu: + targetAverageUtilization: 80 + + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: true + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # This is used to set the source of configuration for + # the associated address in configSource, if nothing is specificed + # the default MCP is assumed. + configSource: + subscribedResources: [] + + plugins: [] + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + +sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. 
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Enable objectSelector to filter out pods with no need for sidecar before calling istiod. + # It is enabled by default as the minimum supported Kubernetes version is 1.15+ + objectSelector: + enabled: true + autoInject: true + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. 
+ # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] +istiodRemote: + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" +telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + metadataExchange: + # Indicates whether to enable WebAssembly runtime for metadata exchange filter. + wasmEnabled: false + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # Indicates whether to enable WebAssembly runtime for stats filter. + wasmEnabled: false + # overrides stats EnvoyFilter configuration. + configOverride: + gateway: {} + inboundSidecar: {} + outboundSidecar: {} + # stackdriver filter settings. + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. 
+ disableOutbound: false + # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. + + configOverride: {} + # e.g. + # disable_server_access_logging: false + # disable_host_header_fallback: true + # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. + accessLogPolicy: + enabled: false + # To reduce the number of successful logs, default log window duration is + # set to 12 hours. + logWindowDuration: "43200s" +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" + +# Revision tags are aliases to Istio control plane revisions +revisionTags: [] + +# For Helm compatibility. +ownerName: "" + +# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options +meshConfig: + enablePrometheusMerge: true + # Config for the default ProxyConfig. + # Initially using directly the proxy metadata - can also be activated using annotations + # on the pod. This is an unsupported low-level API, pending review and decisions on + # enabling the feature. Enabling the DNS listener is safe - and allows further testing + # and gradual adoption by setting capture only on specific workloads. It also allows + # VMs to use other DNS options, like dnsmasq or unbound. + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. 
+ + rootNamespace: + + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # TODO: the intent is to eventually have this enabled by default when security is used. + # It is not clear if user should normally need to configure - the metadata is typically + # used as an escape and to control testing and rollout, but it is not intended as a long-term + # stable API. + + # What we may configure in mesh config is the ".global" - and use of other suffixes. + # No hurry to do this in 1.6, we're trying to prove the code. + +global: + # Used to locate istiod. + istioNamespace: istio-system + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + # Default tag for Istio images. + tag: 1.12.6 + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. 
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + omitSidecarInjectorConfigMap: false + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. 
+ #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. 
+ # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "zipkin" + + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: false + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. 
+ caAddress: "" + + # Configure a remote cluster data plane controlled by an external istiod. + # When set to true, istiod is not deployed locally and only a subset of the other + # discovery charts are enabled. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. 
The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. 
+ # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + stackdriver: + # enables trace output to stdout. + debug: false + # The global default max number of message events per span. + maxNumberOfMessageEvents: 200 + # The global default max number of annotation events per span. + maxNumberOfAnnotations: 200 + # The global default max number of attributes per span. + maxNumberOfAttributes: 200 + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + + # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. + useMCP: false + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + +base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true 
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/Chart.yaml new file mode 100644 index 000000000..76da1e50f --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +name: istio-operator +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.12.6 +appVersion: 1.12.6 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio operator +keywords: + - istio + - operator +sources: + - https://github.com/istio/istio/tree/master/operator +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/crds/crd-operator.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/crds/crd-operator.yaml new file mode 100644 index 000000000..93ac1de07 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/crds/crd-operator.yaml 
@@ -0,0 +1,48 @@ +# SYNC WITH manifests/charts/base/files +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: istiooperators.install.istio.io + labels: + release: istio +spec: + conversion: + strategy: None + group: install.istio.io + names: + kind: IstioOperator + listKind: IstioOperatorList + plural: istiooperators + singular: istiooperator + shortNames: + - iop + - io + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Istio control plane revision + jsonPath: .spec.revision + name: Revision + type: string + - description: IOP current state + jsonPath: .status.status + name: Status + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + served: true + storage: true +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/files/gen-operator.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/files/gen-operator.yaml new file mode 100644 index 000000000..3ddb5ec81 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/files/gen-operator.yaml 
@@ -0,0 +1,212 @@ +--- +# Source: istio-operator/templates/service_account.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: istio-operator + name: istio-operator +--- +# Source: istio-operator/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: istio-operator +rules: +# istio groups +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - replicasets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/proxy + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +--- +# Source: 
istio-operator/templates/clusterrole_binding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-operator +subjects: +- kind: ServiceAccount + name: istio-operator + namespace: istio-operator +roleRef: + kind: ClusterRole + name: istio-operator + apiGroup: rbac.authorization.k8s.io +--- +# Source: istio-operator/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + namespace: istio-operator + labels: + name: istio-operator + name: istio-operator +spec: + ports: + - name: http-metrics + port: 8383 + targetPort: 8383 + protocol: TCP + selector: + name: istio-operator +--- +# Source: istio-operator/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: istio-operator + name: istio-operator +spec: + replicas: 1 + selector: + matchLabels: + name: istio-operator + template: + metadata: + labels: + name: istio-operator + spec: + serviceAccountName: istio-operator + containers: + - name: istio-operator + image: gcr.io/istio-testing/operator:1.12-dev + command: + - operator + - server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + env: + - name: WATCH_NAMESPACE + value: "istio-system" + - name: LEADER_ELECTION_NAMESPACE + value: "istio-operator" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "istio-operator" + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: "300s" + - name: REVISION + value: "" diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/clusterrole.yaml new file mode 100644 index 000000000..56dec904e 
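Review bot: The Deployment at the end of this hunk pulls `image: gcr.io/istio-testing/operator:1.12-dev`, a mutable dev tag from Istio's testing registry, while the chart's `values.yaml` added later in this same commit resolves the templated image to `docker.io/istio` at tag `1.12.6`. If anything in the module applies `files/gen-operator.yaml` directly instead of rendering the templates, it will run an unreleased, unpinned build under the name of a 1.12.6 module. Since this is vendored upstream content, the options are to regenerate the file against the release hub and tag, or to state in the module's README that only the chart templates are applied; a header comment such as `# NOTE: generated file; the image below is the upstream dev tag, not the 1.12.6 release` would keep it from being reused by mistake.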
--- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/clusterrole.yaml @@ -0,0 +1,116 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +rules: +# istio groups +- apiGroups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - config.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - install.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - security.istio.io + resources: + - '*' + verbs: + - '*' +# k8s groups +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - replicasets + verbs: + - '*' +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/proxy + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + verbs: + - '*' +--- 
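Review bot: The ClusterRole rendered here grants `'*'` verbs cluster-wide on `secrets`, `serviceaccounts`, `clusterroles` and `clusterrolebindings` (the same rules appear in `files/gen-operator.yaml` earlier in this commit), which makes the `istio-operator` ServiceAccount effectively cluster-admin-equivalent: anyone who can drive the operator, including write access to IstioOperator resources in the watched namespace, inherits that reach. This is upstream Istio's design and the vendored file should not be edited, but the module should document it so the operator namespace and the IstioOperator CRD are treated as privileged and access to them is restricted accordingly. A one-line reminder next to the terraform resource that applies this chart, e.g. `# istio-operator ClusterRole is cluster-admin-equivalent (wildcard on secrets and RBAC objects); restrict who can create or edit IstioOperator CRs`, would be enough.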
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/clusterrole_binding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/clusterrole_binding.yaml new file mode 100644 index 000000000..a3df073ab --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/clusterrole_binding.yaml @@ -0,0 +1,13 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +subjects: +- kind: ServiceAccount + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{.Release.Namespace}} +roleRef: + kind: ClusterRole + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + apiGroup: rbac.authorization.k8s.io +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/crds.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/crds.yaml new file mode 100644 index 000000000..a37036508 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/crds.yaml @@ -0,0 +1,6 @@ +{{- if .Values.enableCRDTemplates -}} +{{- range $path, $bytes := .Files.Glob "crds/*.yaml" -}} +--- +{{ $.Files.Get $path }} +{{- end -}} +{{- end -}} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/deployment.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/deployment.yaml new file mode 100644 index 000000000..5d4dffad3 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/deployment.yaml 
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{.Release.Namespace}} + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +spec: + replicas: 1 + selector: + matchLabels: + name: istio-operator + template: + metadata: + labels: + name: istio-operator + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + containers: + - name: istio-operator + image: {{.Values.hub}}/operator:{{.Values.tag}} + command: + - operator + - server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + imagePullPolicy: IfNotPresent + resources: +{{ toYaml .Values.operator.resources | trim | indent 12 }} + env: + - name: WATCH_NAMESPACE + value: {{.Values.watchedNamespaces | quote}} + - name: LEADER_ELECTION_NAMESPACE + value: {{.Release.Namespace | quote}} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: {{.Release.Namespace | quote}} + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: {{.Values.waitForResourcesTimeout | quote}} + - name: REVISION + value: {{.Values.revision | quote}} +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/service.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/service.yaml new file mode 100644 index 000000000..e32e8ea0a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/service.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: {{.Release.Namespace}} + labels: + name: istio-operator + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +spec: + ports: + - name: http-metrics + port: 8383 + targetPort: 8383 + protocol: TCP + selector: + name: istio-operator +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/service_account.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/service_account.yaml new file mode 100644 index 000000000..fe9d4cf2b --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/templates/service_account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{.Release.Namespace}} + name: istio-operator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} +- name: {{ . }} +{{- end }} +{{- end }} +--- diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/values.yaml new file mode 100644 index 000000000..bf160b97d --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istio-operator/values.yaml 
@@ -0,0 +1,30 @@ +hub: docker.io/istio +tag: 1.12.6 + +# ImagePullSecrets for operator ServiceAccount, list of secrets in the same namespace +# used to pull operator image. Must be set for any cluster configured with private docker registry. +imagePullSecrets: [] + +# Used to replace istioNamespace to support operator watch multiple namespaces. +watchedNamespaces: istio-system +waitForResourcesTimeout: 300s + +# Used for helm2 to add the CRDs to templates. +enableCRDTemplates: false + +# revision for the operator resources +revision: "" + +# Operator resource defaults +operator: + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + +# Additional labels and annotations to apply on the pod level for monitoring and logging configuration. +podLabels: {} +podAnnotations: {} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/Chart.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/Chart.yaml new file mode 100644 index 000000000..6f8d35ee5 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +name: istiod-remote +# This version is never actually shipped. istio/release-builder will replace it at build-time +# with the appropriate version +version: 1.12.6 +appVersion: 1.12.6 +tillerVersion: ">=2.7.2" +description: Helm chart for a remote cluster using an external istio control plane +keywords: + - istio + - external-istiod +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/latest/favicons/android-192x192.png diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/NOTES.txt b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/NOTES.txt new file mode 100644 index 000000000..0230b6f86 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/NOTES.txt 
@@ -0,0 +1,4 @@ +Install for a remote cluster using an external control plane. + +The templates in this directory are copies of base and istio-discovery templates. +DO NOT EDIT! Make changes in the corresponding files in base or istio-discovery and they will be copied here by make gen. diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/files/gateway-injection-template.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/files/gateway-injection-template.yaml new file mode 100644 index 000000000..9ce002a5b --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/files/gateway-injection-template.yaml 
@@ -0,0 +1,215 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + istio.io/rev: {{ .Revision | default "default" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" .Values.global.proxy.image }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} 
+ - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + env: + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault 
.DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/files/injection-template.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/files/injection-template.yaml new file mode 100644 index 000000000..f338913aa --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/files/injection-template.yaml 
@@ -0,0 +1,491 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + {{- if eq (len $containers) 1 }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{ end }} +{{- if .Values.istio_cni.enabled }} + {{- if not .Values.istio_cni.chained }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}traffic.sidecar.istio.io/includeInboundPorts: "{{.}}",{{ end }} + 
traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts }} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.istio_cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - "15006" + - "-u" + - "1337" + - "-m" + - "{{ 
annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if .Values.istio_cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: 
"{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.istio_cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.istio_cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + 
{{- else }} + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsUser: 1337 + runAsNonRoot: true + {{- end }} + restartPolicy: Always + {{ end -}} + {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + - name: enable-core-dump + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited + command: + - /bin/sh + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{ end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if 
.Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if gt .EstimatedConcurrency 0 }} + - --concurrency + - "{{ .EstimatedConcurrency }}" + {{- end -}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- end }} + env: + {{- if eq (env "PILOT_ENABLE_INBOUND_PASSTHROUGH" "true") "false" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: JWT_POLICY + value: {{ .Values.global.jwtPolicy }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - 
name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . 
}}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + fsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) 
`TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + runAsGroup: 1337 + fsGroup: 1337 + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + {{- else -}} + runAsNonRoot: true + runAsUser: 1337 + {{- end }} + {{- end }} + resources: + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index 
.ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} + volumeMounts: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + {{- if eq .Values.global.jwtPolicy "third-party-jwt" }} + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + configMap: + name: istio-ca-root-cert + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. 
+ - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if eq (env "ENABLE_LEGACY_FSGROUP_INJECTION" "true") "true" }} + securityContext: + fsGroup: 1337 + {{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/clusterrole.yaml new file mode 100644 index 000000000..fb092e96d --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/clusterrole.yaml 
@@ -0,0 +1,136 @@ +{{- if .Values.global.configCluster }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update"] + # TODO: should be on just */status but wildcard is not supported + resources: ["*"] +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", 
"services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: + - "kubernetes.io/legacy-unknown" + verbs: ["approve"] + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["*"] # TODO: should be on just */status but wildcard is not supported + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # 
Used for MCS serviceexport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: [ "get", "watch", "list", "create", "delete"]
+
+ # Used for MCS serviceimport management
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "watch", "list"]
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups: ["apps"]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "deployments" ]
+ - apiGroups: [""]
+ verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
+ resources: [ "services" ]
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..932cdce02
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/clusterrolebinding.yaml
@@ -0,0 +1,35 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+---
+{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+- kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/configmap.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/configmap.yaml
new file mode 100644
index 000000000..17b52f101
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/configmap.yaml
@@ -0,0 +1,100 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: {{ .Values.global.meshID }} + {{- end }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ .Values.global.tracer.zipkin.address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ .Values.global.tracer.datadog.address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + {{- if $.Values.global.tracer.stackdriver.debug }} + debug: {{ $.Values.global.tracer.stackdriver.debug }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAttributes }} + # The global default max number of attributes per span. 
+ maxNumberOfAttributes: {{ $.Values.global.tracer.stackdriver.maxNumberOfAttributes | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfAnnotations }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ $.Values.global.tracer.stackdriver.maxNumberOfAnnotations | default "200" }} + {{- end }} + {{- if $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ $.Values.global.tracer.stackdriver.maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- else if eq .Values.global.proxy.tracer "openCensusAgent" }} + {{/* Fill in openCensusAgent configuration from meshConfig so it isn't overwritten below */}} +{{ toYaml $.Values.meshConfig.defaultConfig.tracing | indent 8 }} + {{- else }} + {} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if not .Values.global.externalIstiod }} + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . 
| fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.pilot.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} + install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/crd-all.gen.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/crd-all.gen.yaml new file mode 100644 index 000000000..5bda3b01e --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/crd-all.gen.yaml 
@@ -0,0 +1,5943 @@ +{{- if .Values.global.configCluster }} +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + imagePullPolicy: + description: The pull behaviour to be applied when fetching an OCI + image. + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + type: string + phase: + description: Determines where in the filter chain this `WasmPlugin` + is to be injected. + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + nullable: true + type: integer + selector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + type: string + url: + description: URL of a Wasm module or OCI container. + type: string + verificationKey: + type: string + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + items: + properties: + labels: + additionalProperties: + type: string + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. 
+ properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. 
+ type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. 
+ type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection + should be upgraded to http2 for the associated + destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP + requests to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to + a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. 
+ type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities + to traffic distribution weights. 
+ type: object + type: object + type: array + enabled: + description: enable locality load balancing, + this is DestinationRule-level and will override + mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. 
+ type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + type: array + trafficPolicy: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should be upgraded + to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests to + a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. 
+ format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. 
+ type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this is DestinationRule-level + and will override mesh wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. 
+ nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: Specify if http1.1 connection should + be upgraded to http2 for the associated destination. + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of pending HTTP requests + to a destination. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of requests to a backend. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. 
+ properties: + interval: + description: The time duration between keep-alive + probes. + type: string + probes: + type: integer + time: + type: string + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + - required: + - simple + - properties: + consistentHash: + oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + required: + - consistentHash + properties: + consistentHash: + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + minimumRingSize: + type: integer + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. 
+ type: string + to: + additionalProperties: + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: enable locality load balancing, this + is DestinationRule-level and will override mesh + wide settings in entirety. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + enum: + - ROUND_ROBIN + - LEAST_CONN + - RANDOM + - PASSTHROUGH + type: string + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + nullable: true + type: integer + consecutiveLocalOriginFailures: + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + maxEjectionPercent: + format: int32 + type: integer + minHealthPercent: + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + properties: + number: + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. 
+ properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: array + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + type: string + insecureSkipVerify: + nullable: true + type: boolean + mode: + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + items: + type: string + type: array + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. 
See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: The specific config generation context to match + on. + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + properties: + name: + description: The filter name to match on. 
+ type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + type: object + proxyVersion: + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + type: integer + vhost: + properties: + name: + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: Match a route with specific action + type. + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: Determines the filter insertion order. + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: Determines how the patch should be applied. + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. 
+ type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. 
+ type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. 
+ items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL`. + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + type: string + httpsRedirect: + type: boolean + maxProtocolVersion: + description: 'Optional: Maximum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: 'Optional: Minimum TLS protocol version.' + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. 
+ type: string + subjectAltNames: + items: + type: string + type: array + verifyCertificateHash: + items: + type: string + type: array + verifyCertificateSpki: + items: + type: string + type: array + type: object + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. 
See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + type: string + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + type: array + location: + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: array + resolution: + description: Service discovery mode for the hosts. + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + type: string + subjectAltNames: + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. 
+ properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. 
+ type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + items: + properties: + bind: + type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + ingress: + items: + properties: + bind: + description: The IP to which the listener should be bound. 
+ type: string + captureMode: + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + defaultEndpoint: + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + type: integer + type: object + type: object + type: array + outboundTrafficPolicy: + description: Configuration for the outbound traffic policy. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + properties: + labels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - 
description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. 
+ items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. 
+ properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. 
+ type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. 
+ items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. 
+ items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + nullable: true + type: boolean + allowHeaders: + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + description: The list of origins that are allowed to perform + CORS requests. + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: array + exposeHeaders: + items: + type: string + type: array + maxAge: + type: string + type: object + delegate: + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. 
+ format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + items: + properties: + authority: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. 
+ items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). 
+ type: string + type: object + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + uri: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + mirror_percent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercent: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. 
+ properties: + value: + format: double + type: number + type: object + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either redirect or forward (default) + traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + type: string + derivePort: + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + type: integer + redirectCode: + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + type: string + type: object + route: + description: A HTTP rule can either redirect or forward (default) + traffic. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + format: int32 + type: integer + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + description: IPv4 or IPv6 ip address of source with optional + subnet. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. 
+ properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + tls: + items: + properties: + match: + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + type: integer + type: object + subset: + description: The name of a subset within the service. 
+ type: string + type: object + weight: + format: int32 + type: integer + type: object + type: array + type: object + type: array + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. 
+ type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. 
+ type: integer + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' 
+ oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + type: integer + httpGet: + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + type: integer + scheme: + type: string + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + type: integer + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. 
+ properties: + address: + type: string + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + type: object + locality: + description: The locality associated with the endpoint. + type: string + network: + type: string + ports: + additionalProperties: + type: integer + description: Set of ports associated with the endpoint. + type: object + serviceAccount: + type: string + weight: + description: The load balancing weight associated with the endpoint. + type: integer + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + singular: authorizationpolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: Optional. + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. 
+ items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. 
+ items: + type: string + type: array + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: PeerAuthentication defines how traffic will be tunneled (or + not) to the sidecar. + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: Defines the mTLS mode used for peer authentication. 
+ enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: Defines the mTLS mode used for peer authentication. + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the ChannelAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: RequestAuthentication defines what request authentication + methods are supported by a workload. + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + items: + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. 
+ type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + type: string + jwksUri: + type: string + outputPayloadToHeader: + type: string + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows provides the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + type: string + metric: + description: One of the well-known Istio Standard + Metrics. + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: 'Controls which mode of metrics generation + is selected: CLIENT and/or SERVER.' + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: Operation controls whether or not to + update/add a tag, or to remove it. + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. 
+ type: string + type: object + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + type: string + type: object + type: array + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + type: string + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + type: string + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + type: string + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + providers: + description: Optional. + items: + properties: + name: + description: Required. 
+ type: string
+ type: object
+ type: array
+ randomSamplingPercentage:
+ nullable: true
+ type: number
+ type: object
+ type: array
+ type: object
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/crd-operator.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/crd-operator.yaml
new file mode 100644
index 000000000..42e95ee8e
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/crd-operator.yaml
@@ -0,0 +1,50 @@
+{{- if .Values.global.configCluster }}
+# SYNC WITH manifests/charts/istio-operator/templates
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: istiooperators.install.istio.io
+ labels:
+ release: istio
+spec:
+ conversion:
+ strategy: None
+ group: install.istio.io
+ names:
+ kind: IstioOperator
+ listKind: IstioOperatorList
+ plural: istiooperators
+ singular: istiooperator
+ shortNames:
+ - iop
+ - io
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Istio control plane revision
+ jsonPath: .spec.revision
+ name: Revision
+ type: string
+ - description: IOP current state
+ jsonPath: .status.status
+ name: Status
+ type: string
+ - description: 'CreationTimestamp is a timestamp representing the server time
+ when this object was created. It is not guaranteed to be set in happens-before
+ order across separate operations. Clients may not set this value. It is represented
+ in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+ lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ subresources:
+ status: {}
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ served: true
+ storage: true
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
new file mode 100644
index 000000000..b6b1fa8e8
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/istiod-injector-configmap.yaml
@@ -0,0 +1,67 @@
+{{- if not .Values.global.omitSidecarInjectorConfigMap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ release: {{ .Release.Name }}
+data:
+{{/* Scope the values to just top level fields used in the template, to reduce the size. */}}
+ values: |-
+{{ pick .Values "global" "istio_cni" "sidecarInjectorWebhook" "revision" | toPrettyJson | indent 4 }}
+
+ # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching
+ # and istiod webhook functionality.
+ #
+ # New fields should not use Values - it is a 'primary' config object, users should be able
+ # to fine tune it or use it with kube-inject.
+ config: |-
+ # defaultTemplates defines the default template to use for pods that do not explicitly specify a template
+ {{- if .Values.sidecarInjectorWebhook.defaultTemplates }}
+ defaultTemplates:
+{{- range .Values.sidecarInjectorWebhook.defaultTemplates}}
+ - {{ . }}
+{{- end }}
+ {{- else }}
+ defaultTemplates: [sidecar]
+ {{- end }}
+ policy: {{ .Values.global.proxy.autoInject }}
+ alwaysInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }}
+ neverInjectSelector:
+{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }}
+ injectedAnnotations:
+ {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }}
+ "{{ $key }}": "{{ $val }}"
+ {{- end }}
+ {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template
+ which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined".
+ This should make it obvious that their installation is broken.
+ */}}
+ template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }}
+ templates:
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }}
+ sidecar: |
+{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }}
+ gateway: |
+{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }}
+ grpc-simple: |
+{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }}
+{{- end }}
+{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }}
+ grpc-agent: |
+{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }}
+{{- end }}
+{{- with .Values.sidecarInjectorWebhook.templates }}
+{{ toYaml . | trim | indent 6 }}
+{{- end }}
+
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
new file mode 100644
index 000000000..dcb84dde3
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/mutatingwebhook.yaml
@@ -0,0 +1,144 @@
+{{- /* Core defines the common configuration used by all webhook segments */}}
+{{- define "core" }}
+{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign
+a unique prefix to each. */}}
+- name: {{.Prefix}}sidecar-injector.istio.io
+ clientConfig:
+ {{- if .Values.istiodRemote.injectionURL }}
+ url: "{{ .Values.istiodRemote.injectionURL }}"
+ {{- else }}
+ service:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Release.Namespace }}
+ path: "{{ .Values.istiodRemote.injectionPath }}"
+ port: 443
+ {{- end }}
+ caBundle: ""
+ sideEffects: None
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ admissionReviewVersions: ["v1beta1", "v1"]
+{{- end }}
+{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}}
+{{- if not .Values.global.operatorManageWebhooks }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+{{- if eq .Release.Namespace "istio-system"}}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+{{- else }}
+ name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+{{- end }}
+ labels:
+ istio.io/rev: {{ .Values.revision | default "default" }}
+ install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" }}
+ operator.istio.io/component: "Pilot"
+ app: sidecar-injector
+ release: {{ .Release.Name }}
+webhooks:
+{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}}
+
+{{- /* Case 1: namespace selector matches, and object doesn't disable */}}
+{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "rev.object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio.io/rev
+ operator: DoesNotExist
+ - key: istio-injection
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+ - key: istio.io/rev
+ operator: In
+ values:
+ {{- if (eq .Values.revision "") }}
+ - "default"
+ {{- else }}
+ - "{{ .Values.revision }}"
+ {{- end }}
+
+
+{{- /* Webhooks for default revision */}}
+{{- if (eq .Values.revision "") }}
+
+{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "namespace.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: In
+ values:
+ - enabled
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: NotIn
+ values:
+ - "false"
+
+{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "object.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: In
+ values:
+ - "true"
+ - key: istio.io/rev
+ operator: DoesNotExist
+
+{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }}
+{{- /* Special case 3: no labels at all */}}
+{{- include "core" (mergeOverwrite (deepCopy .) (dict "Prefix" "auto.") ) }}
+ namespaceSelector:
+ matchExpressions:
+ - key: istio-injection
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+ objectSelector:
+ matchExpressions:
+ - key: sidecar.istio.io/inject
+ operator: DoesNotExist
+ - key: istio.io/rev
+ operator: DoesNotExist
+{{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
new file mode 100644
index 000000000..69e4dd381
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml
@@ -0,0 +1,54 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+rules:
+ - apiGroups:
+ - "config.istio.io"
+ - "security.istio.io"
+ - "networking.istio.io"
+ - "authentication.istio.io"
+ - "rbac.istio.io"
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["networking.istio.io"]
+ verbs: [ "get", "watch", "list" ]
+ resources: [ "workloadentries" ]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["discovery.k8s.io"]
+ resources: ["endpointslices"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceexports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["multicluster.x-k8s.io"]
+ resources: ["serviceimports"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+{{- if .Values.global.externalIstiod }}
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["validatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "update"]
+{{- end}}
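Review bot: The `istio-reader-clusterrole` grants cluster-wide `get`/`list`/`watch` on `secrets` (the core-group rule that also lists pods, services and nodes), and the binding added in this same commit attaches it to `istio-reader-service-account`, whose template comment describes it as the account to use for remote-secret creation; the kubeconfig exported to the external control plane therefore carries read access to every Secret in this cluster, which on clusters that still auto-mount service-account tokens is close to cluster-admin-equivalent. Confirm that blast radius is intended before rollout and record it in the module documentation so the remote secret is handled as a privileged credential; if this cluster serves no gateway TLS secrets, the `secrets` entry could be narrowed to a namespaced Role instead. The unconditional `tokenreviews`/`subjectaccessreviews` `create` rights are needed for istiod's XDS authentication and are fine to keep. This looks like the upstream Istio 1.12.6 chart copied verbatim, so any narrowing should be carried as an overlay rather than a silent edit to the vendored file.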
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
new file mode 100644
index 000000000..4f9925c9d
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
new file mode 100644
index 000000000..d9ce18c27
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/reader-serviceaccount.yaml
@@ -0,0 +1,16 @@
+# This service account aggregates reader permissions for the revisions in a given cluster
+# Should be used for remote secret creation.
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istio-reader-service-account
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istio-reader
+ release: {{ .Release.Name }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/role.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/role.yaml
new file mode 100644
index 000000000..699491275
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/role.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+rules:
+# permissions to verify the webhook is ready and rejecting
+# invalid config. We use --server-dry-run so no config is persisted.
+- apiGroups: ["networking.istio.io"]
+ verbs: ["create"]
+ resources: ["gateways"]
+
+# For storing CA secret
+- apiGroups: [""]
+ resources: ["secrets"]
+ # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/rolebinding.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/rolebinding.yaml
new file mode 100644
index 000000000..f65b3b122
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/rolebinding.yaml
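Review bot: The `secrets` rule in the `istiod` Role ships with the upstream `# TODO lock this down to istio-ca-cert` comment still unresolved, granting `create`/`get`/`watch`/`list`/`update`/`delete` on every Secret in `{{ .Values.global.istioNamespace }}` — the same namespace where remote-cluster kubeconfig secrets and gateway TLS material are typically stored, so a compromised istiod in this config cluster can rewrite or delete them. RBAC `resourceNames` is not honoured for `create` and only constrains `list`/`watch` when the request carries a `metadata.name` field selector, so the practical narrowing is to split the rule: keep `create`/`list`/`watch` as is and move `get`/`update`/`delete` into a second rule with `resourceNames` set to the CA secret istiod actually writes (the TODO calls it `istio-ca-cert`; verify the name against a running istiod before pinning it). Since this is a verbatim copy of the upstream chart, carry the narrowing as a tracked overlay, or at least replace the TODO with a comment stating why the broad grant is accepted here.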
@@ -0,0 +1,18 @@
+{{- if .Values.global.configCluster }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
+subjects:
+ - kind: ServiceAccount
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/serviceaccount.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/serviceaccount.yaml
new file mode 100644
index 000000000..4f8d20f6a
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.global.configCluster }}
+apiVersion: v1
+kind: ServiceAccount
+ {{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+metadata:
+ name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}
+ namespace: {{ .Values.global.istioNamespace }}
+ labels:
+ app: istiod
+ release: {{ .Release.Name }}
+---
+{{- end }}
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.10.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.10.yaml
new file mode 100644
index 000000000..65f0eddf8
--- /dev/null
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.10.yaml
@@ -0,0 +1,601 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | 
indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: 
/etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + 
- applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: 
+ vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: 
+ root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.10{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default 
"default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.10.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.11.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.11.yaml new file mode 100644 index 000000000..fba3a5ec2 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.11.yaml 
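Review bot: The `proxyVersion` match on the `stackdriver-sampling-accesslog-filter-1.10` EnvoyFilter is `'1\.10.*'`, while every other `match.proxy` in this file is anchored as `'^1\.10.*'`; unanchored, the pattern also matches any version string that merely contains `1.10` (for example `11.10.x`), so this one filter can be pushed to proxies the rest of the file deliberately scopes out. Change it to `proxyVersion: '^1\.10.*'` to agree with the sibling patches. The file appears to be the upstream Istio 1.12.6 chart copied verbatim, so the correction is best carried as a tracked overlay rather than an unmarked edit to the vendored tree.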
@@ -0,0 +1,601 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | 
indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: 
/etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + 
- applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: 
+ vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: 
+ root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.11{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default 
"default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.11.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.12.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.12.yaml new file mode 100644 index 000000000..aeb987f23 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/telemetryv2_1.12.yaml 
@@ -0,0 +1,601 @@ +{{- if and .Values.telemetry.enabled .Values.telemetry.v2.enabled }} +--- +# Note: http stats filter is wasm enabled only in sidecars. +{{- if .Values.telemetry.v2.prometheus.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + 
subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true, + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio", + "disable_host_header_fallback": true + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.gateway | 
indent 18 }} + {{- end }} + vm_config: + vm_id: stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: envoy.wasm.stats + {{- end }} +--- +# Note: tcp stats filter is wasm enabled only in sidecars. +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stats-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.inboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio", + "metrics": [ + { + "dimensions": { + "destination_cluster": "node.metadata['CLUSTER_ID']", + "source_cluster": "downstream_peer.cluster_id" + } + } + ] + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.inboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_inbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: 
/etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.outboundSidecar }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson .Values.telemetry.v2.prometheus.configOverride.outboundSidecar | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stats + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stats_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.prometheus.configOverride.gateway }} + { + "debug": "false", + "stat_prefix": "istio" + } + {{- else }} + {{ toJson 
.Values.telemetry.v2.prometheus.configOverride.gateway | indent 18 }} + {{- end }} + vm_config: + vm_id: tcp_stats_outbound + {{- if .Values.telemetry.v2.prometheus.wasmEnabled }} + runtime: envoy.wasm.runtime.v8 + allow_precompiled: true + code: + local: + filename: /etc/istio/extensions/stats-filter.compiled.wasm + {{- else }} + runtime: envoy.wasm.runtime.null + code: + local: + inline_string: "envoy.wasm.stats" + {{- end }} +--- +{{- end }} +{{- if .Values.telemetry.v2.stackdriver.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: +{{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: HTTP_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +{{- end }} + 
- applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: HTTP_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "envoy.filters.http.router" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}", "disable_host_header_fallback": true} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: 
+ vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: tcp-stackdriver-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" }} +spec: + configPatches: + {{- if not .Values.telemetry.v2.stackdriver.disableOutbound }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_OUTBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + {{- end }} + - applyTo: NETWORK_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: 
+ root_id: stackdriver_inbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"disable_server_access_logging": {{ not .Values.telemetry.v2.stackdriver.logging }}, "access_logging": "{{ .Values.telemetry.v2.stackdriver.inboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_inbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } + - applyTo: NETWORK_FILTER + match: + context: GATEWAY + proxy: + proxyVersion: '^1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.tcp_proxy" + patch: + operation: INSERT_BEFORE + value: + name: istio.stackdriver + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.network.wasm.v3.Wasm + value: + config: + root_id: stackdriver_outbound + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + {{- if not .Values.telemetry.v2.stackdriver.configOverride }} + {"access_logging": "{{ .Values.telemetry.v2.stackdriver.outboundAccessLogging }}"} + {{- else }} + {{ toJson .Values.telemetry.v2.stackdriver.configOverride | indent 18 }} + {{- end }} + vm_config: + vm_id: stackdriver_outbound + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: envoy.wasm.null.stackdriver } +--- +{{- if .Values.telemetry.v2.accessLogPolicy.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: stackdriver-sampling-accesslog-filter-1.12{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- if .Values.meshConfig.rootNamespace }} + namespace: {{ .Values.meshConfig.rootNamespace }} + {{- else }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default 
"default" }} +spec: + configPatches: + - applyTo: HTTP_FILTER + match: + context: SIDECAR_INBOUND + proxy: + proxyVersion: '1\.12.*' + listener: + filterChain: + filter: + name: "envoy.filters.network.http_connection_manager" + subFilter: + name: "istio.stackdriver" + patch: + operation: INSERT_BEFORE + value: + name: istio.access_log + typed_config: + "@type": type.googleapis.com/udpa.type.v1.TypedStruct + type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm + value: + config: + configuration: + "@type": "type.googleapis.com/google.protobuf.StringValue" + value: | + { + "log_window_duration": "{{ .Values.telemetry.v2.accessLogPolicy.logWindowDuration }}" + } + vm_config: + runtime: envoy.wasm.runtime.null + code: + local: { inline_string: "envoy.wasm.access_log_policy" } +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..8e87383fa --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/templates/validatingwebhookconfiguration.yaml 
@@ -0,0 +1,58 @@ +{{- if .Values.global.configCluster }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + caBundle: "" # patched at runtime when the webhook is ready. + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + sideEffects: None + admissionReviewVersions: ["v1beta1", "v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/values.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/values.yaml new file mode 100644 index 000000000..f02e66763 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/charts/istiod-remote/values.yaml 
@@ -0,0 +1,460 @@ +#.Values.pilot for discovery and mesh wide config + +## Discovery Settings +pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + hub: "" + tag: "" + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + env: {} + cpu: + targetAverageUtilization: 80 + # if protocol sniffing is enabled for outbound + enableProtocolSniffingForOutbound: true + # if protocol sniffing is enabled for inbound + enableProtocolSniffingForInbound: true + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + # This is used to set the source of configuration for + # the associated address in configSource, if nothing is specificed + # the default MCP is assumed. + configSource: + subscribedResources: [] + plugins: [] + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + # Additional labels to apply to the deployment. + deploymentLabels: {} + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: false + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} +sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. 
+ # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + # Enable objectSelector to filter out pods with no need for sidecar before calling istiod. + # It is enabled by default as the minimum supported Kubernetes version is 1.15+ + objectSelector: + enabled: true + autoInject: true + rewriteAppHTTPProbe: true + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. 
+ # This is intended for advanced configuration only; most users should use the built in template + templates: {} + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] +istiodRemote: + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" +telemetry: + enabled: false + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + metadataExchange: + # Indicates whether to enable WebAssembly runtime for metadata exchange filter. + wasmEnabled: false + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # Indicates whether to enable WebAssembly runtime for stats filter. + wasmEnabled: false + # overrides stats EnvoyFilter configuration. + configOverride: + gateway: {} + inboundSidecar: {} + outboundSidecar: {} + # stackdriver filter settings. + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false # deprecated. setting this to true will have no effect, as this option is no longer supported. 
+ disableOutbound: false + # configOverride parts give you the ability to override the low level configuration params passed to envoy filter. + + configOverride: {} + # e.g. + # disable_server_access_logging: false + # disable_host_header_fallback: true + # Access Log Policy Filter Settings. This enables filtering of access logs from stackdriver. + accessLogPolicy: + enabled: false + # To reduce the number of successful logs, default log window duration is + # set to 12 hours. + logWindowDuration: "43200s" +# Revision is set as 'version' label and part of the resource names when installing multiple control planes. +revision: "" +# Revision tags are aliases to Istio control plane revisions +revisionTags: [] +# For Helm compatibility. +ownerName: "" +# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior +# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options +meshConfig: + enablePrometheusMerge: true + # Config for the default ProxyConfig. + # Initially using directly the proxy metadata - can also be activated using annotations + # on the pod. This is an unsupported low-level API, pending review and decisions on + # enabling the feature. Enabling the DNS listener is safe - and allows further testing + # and gradual adoption by setting capture only on specific workloads. It also allows + # VMs to use other DNS options, like dnsmasq or unbound. + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. 
+ rootNamespace: + # The trust domain corresponds to the trust root of a system + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + # TODO: the intent is to eventually have this enabled by default when security is used. + # It is not clear if user should normally need to configure - the metadata is typically + # used as an escape and to control testing and rollout, but it is not intended as a long-term + # stable API. +# What we may configure in mesh config is the ".global" - and use of other suffixes. +# No hurry to do this in 1.6, we're trying to prove the code. + +global: + # Used to locate istiod. + istioNamespace: istio-system + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: docker.io/istio + # Default tag for Istio images. + tag: 1.12.6 + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. 
+ # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + omitSidecarInjectorConfigMap: true + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. 
+ #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + proxy: + image: proxyv2 + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + # If set, newly injected sidecars will have core dumps enabled. + enableCoreDump: false + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + # The number of successive failed probes before indicating readiness failure. 
+ readinessFailureThreshold: 30 + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 1 + # The period between readiness probes. + readinessPeriodSeconds: 2 + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "zipkin" + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: false + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + # Configure a remote cluster data plane controlled by an external istiod. + # When set to true, istiod is not deployed locally and only a subset of the other + # discovery charts are enabled. 
+ externalIstiod: true + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + # Configure the policy for validating JWT. + # Currently, two options are supported: "third-party-jwt" and "first-party-jwt". + jwtPolicy: "third-party-jwt" + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. 
The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. 
+ # Setting this port to a non-zero value enables STS server. + servicePort: 0 + # Configuration for each of the supported tracers + tracer: + # Configuration for envoy to send trace data to LightStep. + # Disabled by default. + # address: the : of the satellite pool + # accessToken: required for sending data to the pool + # + datadog: + # Host:Port for submitting traces to the Datadog agent. + address: "$(HOST_IP):8126" + lightstep: + address: "" # example: lightstep-satellite:443 + accessToken: "" # example: abcdefg1234567 + stackdriver: + # enables trace output to stdout. + debug: false + # The global default max number of message events per span. + maxNumberOfMessageEvents: 200 + # The global default max number of annotation events per span. + maxNumberOfAnnotations: 200 + # The global default max number of attributes per span. + maxNumberOfAttributes: 200 + zipkin: + # Host:Port for reporting trace data in zipkin format. If not specified, will default to + # zipkin service (port 9411) in the same namespace as the other istio components. + address: "" + # Use the Mesh Control Protocol (MCP) for configuring Istiod. Requires an MCP source. + useMCP: false + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" +base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml new file mode 100644 index 000000000..48303976e --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/examples/customresource/istio_v1alpha1_istiooperator_cr.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system + name: example-istiocontrolplane +spec: + profile: demo +... diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/examples/user-gateway/ingress-gateway-only.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/examples/user-gateway/ingress-gateway-only.yaml new file mode 100644 index 000000000..c37e85b01 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/examples/user-gateway/ingress-gateway-only.yaml @@ -0,0 +1,8 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + profile: empty + components: + ingressGateways: + - enabled: true + namespace: my-namespace diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/default.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/default.yaml new file mode 100644 index 000000000..cca69d0e7 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/default.yaml 
@@ -0,0 +1,184 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +metadata: + namespace: istio-system +spec: + hub: docker.io/istio + tag: 1.12.6 + + # You may override parts of meshconfig by uncommenting the following lines. + meshConfig: + defaultConfig: + proxyMetadata: {} + enablePrometheusMerge: true + # Opt-out of global http2 upgrades. + # Destination rule is used to opt-in. + # h2_upgrade_policy: DO_NOT_UPGRADE + + # Traffic management feature + components: + base: + enabled: true + pilot: + enabled: true + + # Istio Gateway feature + ingressGateways: + - name: istio-ingressgateway + enabled: true + egressGateways: + - name: istio-egressgateway + enabled: false + + # Istio CNI feature + cni: + enabled: false + + # Remote and config cluster configuration for an external istiod + istiodRemote: + enabled: false + + # Global values passed through to helm global.yaml. + # Please keep this in sync with manifests/charts/global.yaml + values: + defaultRevision: "" + global: + istioNamespace: istio-system + istiod: + enableAnalysis: false + logging: + level: "default:info" + logAsJson: false + pilotCertProvider: istiod + jwtPolicy: third-party-jwt + proxy: + image: proxyv2 + clusterDomain: "cluster.local" + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + logLevel: warning + componentLogLevel: "misc:error" + privileged: false + enableCoreDump: false + statusPort: 15020 + readinessInitialDelaySeconds: 1 + readinessPeriodSeconds: 2 + readinessFailureThreshold: 30 + includeIPRanges: "*" + excludeIPRanges: "" + excludeOutboundPorts: "" + excludeInboundPorts: "" + autoInject: enabled + tracer: "zipkin" + proxy_init: + image: proxyv2 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 10m + memory: 10Mi + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. 
+ imagePullPolicy: "" + operatorManageWebhooks: false + tracer: + lightstep: {} + zipkin: {} + datadog: {} + stackdriver: {} + imagePullSecrets: [] + oneNamespace: false + defaultNodeSelector: {} + configValidation: true + multiCluster: + enabled: false + clusterName: "" + omitSidecarInjectorConfigMap: false + network: "" + defaultResources: + requests: + cpu: 10m + defaultPodDisruptionBudget: + enabled: true + priorityClassName: "" + useMCP: false + sds: + token: + aud: istio-ca + sts: + servicePort: 0 + meshNetworks: {} + mountMtlsCerts: false + base: + enableCRDTemplates: false + validationURL: "" + pilot: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + replicaCount: 1 + image: pilot + traceSampling: 1.0 + env: {} + cpu: + targetAverageUtilization: 80 + nodeSelector: {} + keepaliveMaxServerConnectionAge: 30m + enableProtocolSniffingForOutbound: true + enableProtocolSniffingForInbound: true + deploymentLabels: + podLabels: {} + configMap: true + + telemetry: + enabled: true + v2: + enabled: true + metadataExchange: + wasmEnabled: false + prometheus: + wasmEnabled: false + enabled: true + stackdriver: + enabled: false + logging: false + monitoring: false + topology: false + configOverride: {} + + istiodRemote: + injectionURL: "" + + gateways: + istio-egressgateway: + env: {} + autoscaleEnabled: true + type: ClusterIP + name: istio-egressgateway + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + + istio-ingressgateway: + autoscaleEnabled: true + type: LoadBalancer + name: istio-ingressgateway + env: {} + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: 
/etc/istio/ingressgateway-ca-certs diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/demo.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/demo.yaml new file mode 100644 index 000000000..0dd56210d --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/demo.yaml @@ -0,0 +1,72 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + accessLogFile: /dev/stdout + components: + egressGateways: + - name: istio-egressgateway + enabled: true + k8s: + resources: + requests: + cpu: 10m + memory: 40Mi + + ingressGateways: + - name: istio-ingressgateway + enabled: true + k8s: + resources: + requests: + cpu: 10m + memory: 40Mi + service: + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + + pilot: + k8s: + env: + - name: PILOT_TRACE_SAMPLING + value: "100" + resources: + requests: + cpu: 10m + memory: 100Mi + + values: + global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + + pilot: + autoscaleEnabled: false + + gateways: + istio-egressgateway: + autoscaleEnabled: false + istio-ingressgateway: + autoscaleEnabled: false diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/empty.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/empty.yaml new file mode 100644 index 000000000..07de5b1e0 --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/empty.yaml @@ -0,0 +1,13 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: false + pilot: + enabled: false + ingressGateways: + - name: istio-ingressgateway + enabled: false diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/external.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/external.yaml new file mode 100644 index 000000000..00c951680 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/external.yaml @@ -0,0 +1,24 @@ +# The external profile is used to configure a mesh using an external control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + base: + enabled: false + pilot: + enabled: false + ingressGateways: + - name: istio-ingressgateway + enabled: false + istiodRemote: + enabled: true + values: + global: + externalIstiod: true + omitSidecarInjectorConfigMap: true + configCluster: false + pilot: + configMap: false + telemetry: + enabled: false diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/minimal.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/minimal.yaml new file mode 100644 index 000000000..075881ee0 --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/minimal.yaml @@ -0,0 +1,8 @@ +# The minimal profile will install just the core control plane +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + ingressGateways: + - name: istio-ingressgateway + enabled: false 
diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/openshift.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/openshift.yaml new file mode 100644 index 000000000..e483e346c --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/openshift.yaml @@ -0,0 +1,21 @@ +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + components: + cni: + enabled: true + namespace: kube-system + values: + cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + excludeNamespaces: + - istio-system + - kube-system + logLevel: info + privileged: true + sidecarInjectorWebhook: + injectedAnnotations: + k8s.v1.cni.cncf.io/networks: istio-cni diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/preview.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/preview.yaml new file mode 100644 index 000000000..e0d9b636a --- /dev/null +++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/preview.yaml @@ -0,0 +1,21 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: + meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" + # Enable dynamic bootstrap generation. + BOOTSTRAP_XDS_AGENT: "true" + values: + telemetry: + v2: + metadataExchange: + wasmEnabled: true + prometheus: + wasmEnabled: true diff --git a/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/remote.yaml b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/remote.yaml new file mode 100644 index 000000000..dbbc49aea --- /dev/null 
+++ b/terraform-modules/aws/istio/istio-1.12.6/manifests/profiles/remote.yaml @@ -0,0 +1,4 @@ +# Deprecated. Use the `default` profile instead. +apiVersion: install.istio.io/v1alpha1 +kind: IstioOperator +spec: {} diff --git a/terraform-modules/aws/istio/main.tf b/terraform-modules/aws/istio/main.tf new file mode 100644 index 000000000..a35632dfd --- /dev/null +++ b/terraform-modules/aws/istio/main.tf 
@@ -0,0 +1,78 @@
+resource "kubernetes_namespace" "namespace" {
+ count = var.create_namespace
+ metadata {
+ annotations = var.namespace_annotations
+
+ labels = var.namespace_labels
+
+ name = var.namespace_name
+ }
+}
+
+resource "helm_release" "helm_chart_istio_base" {
+ count = var.install_helm_chart_istio_base
+ chart = "${path.module}/istio-${var.istio_version}/manifests/charts/base"
+ namespace = var.namespace_name
+ create_namespace = false
+ name = var.istio_base_chart_name
+ verify = var.verify
+
+ values = [
+ var.helm_values_istio_base,
+ ]
+
+ depends_on = [
+ kubernetes_namespace.namespace
+ ]
+}
+
+resource "helm_release" "helm_chart_istio_discovery" {
+ count = var.install_helm_chart_istio_discovery
+ chart = "${path.module}/istio-${var.istio_version}/manifests/charts/istio-control/istio-discovery"
+ namespace = var.namespace_name
+ create_namespace = false
+ name = var.istio_discovery_chart_name
+ verify = var.verify
+
+ values = [
+ var.helm_values_istiod,
+ ]
+
+ depends_on = [
+ helm_release.helm_chart_istio_base
+ ]
+}
+
+resource "helm_release" "helm_chart_istio_ingress" {
+ count = var.install_helm_chart_istio_ingress
+ chart = "${path.module}/istio-${var.istio_version}/manifests/charts/gateways/istio-ingress"
+ namespace = var.namespace_name
+ create_namespace = false
+ name = var.istio_ingress_chart_name
+ verify = var.verify
+
+ values = [
+ var.helm_values_istio_ingress,
+ ]
+
+ depends_on = [
+ helm_release.helm_chart_istio_base
+ ]
+}
+
+resource "helm_release" "helm_chart_istio_egress" {
+ count = var.install_helm_chart_istio_egress
+ chart = "${path.module}/istio-${var.istio_version}/manifests/charts/gateways/istio-egress"
+ namespace = var.namespace_name
+ create_namespace = false
+ name = var.istio_egress_chart_name
+ verify = var.verify
+
+ values = [
+ var.helm_values_istio_egress,
+ ]
+
+ depends_on = [
+ helm_release.helm_chart_istio_base
+ ]
+}
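Review bot: `helm_chart_istio_ingress` and `helm_chart_istio_egress` list only `helm_release.helm_chart_istio_base` in `depends_on`, so when discovery is installed in the same apply the gateway releases can be applied before istiod exists; adding `helm_release.helm_chart_istio_discovery` to both `depends_on` lists orders them after the control plane (a `count = 0` discovery release still resolves as a dependency address). Every release sets `verify = var.verify`, but the charts are unpacked directories under `path.module`, and Helm provenance verification works on packaged charts with a `.prov` file, so a comment such as `# verify only applies to packaged charts; these vendored directories rely on repository review` would keep readers from assuming it checks chart integrity here. `var.tags` is declared in variables.tf but nothing in this file uses it.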
diff --git a/terraform-modules/aws/istio/variables.tf b/terraform-modules/aws/istio/variables.tf
new file mode 100644
index 000000000..c913531c4
--- /dev/null
+++ b/terraform-modules/aws/istio/variables.tf
@@ -0,0 +1,115 @@ +variable "tags" { + type = map(any) + default = {} + description = "Tags" +} + +variable "verify" { + type = bool + default = false + description = "Verify the helm download" +} + +variable "create_namespace" { + type = number + default = 1 + description = "To create a namespace or not" +} + +variable "namespace_name" { + type = string + default = "istio-system" + description = "The namespace name" +} + +variable "namespace_labels" { + type = map(any) + default = { + managed_by = "terraform" + } + description = "Labels for the namespace" +} + +variable "namespace_annotations" { + type = map(any) + default = { + name = "istio" + } + description = "Annotations for the namespace" +} + +variable "istio_version" { + type = string + default = "1.12.6" + description = "The version of istio to install" +} + +variable "install_helm_chart_istio_base" { + type = number + default = 1 + description = "Install this helm chart or not" +} +variable "istio_base_chart_name" { + type = string + default = "istio-base" + description = "The chart name for the istio-base helm install" +} + +variable "helm_values_istio_base" { + type = string + default = "" + description = "Additional helm values to pass in. These values would override the default in this module." +} + +variable "install_helm_chart_istio_discovery" { + type = number + default = 1 + description = "Install this helm chart or not" +} +variable "istio_discovery_chart_name" { + type = string + default = "istiod" + description = "The chart name for the istio-discovery helm install" +} + +variable "helm_values_istiod" { + type = string + default = "" + description = "Additional helm values to pass in. These values would override the default in this module." 
+} + +variable "install_helm_chart_istio_ingress" { + type = number + default = 1 + description = "Install this helm chart or not" +} + +variable "istio_ingress_chart_name" { + type = string + default = "istio-ingress" + description = "The chart name for the istio-discovery helm install" +} + +variable "helm_values_istio_ingress" { + type = string + default = "" + description = "Additional helm values to pass in. These values would override the default in this module." +} + +variable "install_helm_chart_istio_egress" { + type = number + default = 1 + description = "Install this helm chart or not" +} + +variable "istio_egress_chart_name" { + type = string + default = "istio-egress" + description = "The chart name for the istio-discovery helm install" +} + +variable "helm_values_istio_egress" { + type = string + default = "" + description = "Additional helm values to pass in. These values would override the default in this module." +} diff --git a/terraform-modules/aws/kms/cloudtrail/README.md b/terraform-modules/aws/kms/cloudtrail/README.md new file mode 100644 index 000000000..8b9c92469 --- /dev/null +++ b/terraform-modules/aws/kms/cloudtrail/README.md 
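Review bot: The descriptions of `istio_ingress_chart_name` and `istio_egress_chart_name` both read `The chart name for the istio-discovery helm install`, copied from the discovery variable; they should name `istio-ingress` and `istio-egress` respectively. `verify` is described as `Verify the helm download`, but main.tf installs charts from local directories, so the text should say what the flag actually gates (Helm provenance verification of the chart). The `helm_values_*` descriptions say the values `override the default in this module`, yet main.tf supplies no defaults of its own — the single values string is the whole override, which the description should state. `tags` is declared but never referenced in main.tf.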
@@ -0,0 +1,39 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_alias.a](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | +| [aws_kms_key.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cloudtrail\_name](#input\_cloudtrail\_name) | Cloudtrail/trail for attaching currently kms | `string` | `"cloudtrail-default"` | no | +| [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. | `number` | `30` | no | +| [kms\_enable\_key\_rotation](#input\_kms\_enable\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to false. | `bool` | `true` | no | +| [tags](#input\_tags) | n/a | `map(any)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [kms\_arn](#output\_kms\_arn) | Arn of kms created | diff --git a/terraform-modules/aws/kms/cloudtrail/main.tf b/terraform-modules/aws/kms/cloudtrail/main.tf new file mode 100644 index 000000000..7ef9ed034 --- /dev/null 
+++ b/terraform-modules/aws/kms/cloudtrail/main.tf 
@@ -0,0 +1,81 @@ +# This is a standard kms that frees any cloudtrail/trails from vulnerabilities. +# Docs: https://dev.to/aws-builders/encrypt-cloudtrail-logs-with-multi-region-key-with-terraform-1hln + +locals { + arn_format = "arn:${data.aws_partition.current.partition}" +} + +data "aws_partition" "current" {} +data "aws_caller_identity" "current" {} +data "aws_region" "current" {} + +data "aws_iam_policy_document" "kms" { + statement { + sid = "Enable Root User Permissions" + effect = "Allow" + + actions = [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:Tag*", + "kms:Untag*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ] + + #bridgecrew:skip=CKV_AWS_109:This policy applies only to the key it is attached to + #bridgecrew:skip=CKV_AWS_111:This policy applies only to the key it is attached to + resources = [ + "*" + ] + + principals { + type = "AWS" + + identifiers = [ + "${local.arn_format}:iam::${data.aws_caller_identity.current.account_id}:root" + ] + } + } + statement { + sid = "Allow CloudTrail to encrypt - ${var.cloudtrail_name}" + effect = "Allow" + actions = ["kms:GenerateDataKey*"] + resources = ["*"] + principals { + type = "Service" + identifiers = ["cloudtrail.amazonaws.com"] + } + condition { + test = "StringLike" + variable = "kms:EncryptionContext:aws:cloudtrail:arn" + values = ["arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"] + } + condition { + test = "StringEquals" + variable = "aws:SourceArn" + values = ["arn:aws:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}"] + } + } +} + +resource "aws_kms_alias" "a" { + name = "alias/${var.cloudtrail_name}" + target_key_id = aws_kms_key.kms.key_id +} + +resource "aws_kms_key" "kms" { + description = "KMS key for 
cloudtrail: ${var.cloudtrail_name}" + deletion_window_in_days = var.kms_deletion_window_in_days + enable_key_rotation = var.kms_enable_key_rotation + policy = join("", data.aws_iam_policy_document.kms.*.json) + tags = var.tags +} diff --git a/terraform-modules/aws/kms/cloudtrail/outputs.tf b/terraform-modules/aws/kms/cloudtrail/outputs.tf new file mode 100644 index 000000000..512e7b3d0 --- /dev/null +++ b/terraform-modules/aws/kms/cloudtrail/outputs.tf @@ -0,0 +1,4 @@ +output "kms_arn" { + description = "Arn of kms created" + value = aws_kms_key.kms.arn +} \ No newline at end of file diff --git a/terraform-modules/aws/kms/cloudtrail/variables.tf b/terraform-modules/aws/kms/cloudtrail/variables.tf new file mode 100644 index 000000000..1688752c6 --- /dev/null +++ b/terraform-modules/aws/kms/cloudtrail/variables.tf @@ -0,0 +1,21 @@ +variable "cloudtrail_name" { + type = string + default = "cloudtrail-default" + description = "Cloudtrail/trail for attaching currently kms" +} + +variable "kms_deletion_window_in_days" { + type = number + default = 30 + description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key." +} + +variable "kms_enable_key_rotation" { + type = bool + default = true + description = "Specifies whether key rotation is enabled. Defaults to false." +} + +variable "tags" { + type = map(any) +} \ No newline at end of file diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/README.md b/terraform-modules/aws/kms/cloudwatch_log_group/README.md new file mode 100644 index 000000000..39fd63a69 --- /dev/null +++ b/terraform-modules/aws/kms/cloudwatch_log_group/README.md 
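Review bot: Both condition values in the CloudTrail statement hardcode the `arn:aws` partition while the root statement derives it through `local.arn_format`, so in the GovCloud or China partitions the conditions never match and CloudTrail is denied the key; use `${local.arn_format}:cloudtrail:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:trail/${var.cloudtrail_name}` in both places, and the cloudwatch_log_group main.tf has the same hardcoded `arn:aws:logs:` value in its condition. No statement grants `kms:Decrypt`, and the root statement's action list omits it too, so it cannot be delegated through IAM policies either; unless decrypt permission arrives some other way (a grant, for instance), trail logs written with this key cannot be read back. AWS's reference key policy for CloudTrail also lets `cloudtrail.amazonaws.com` call `kms:DescribeKey`, which is worth confirming is not needed here. The header comment `frees any cloudtrail/trails from vulnerabilities` overstates what the key does; `Customer-managed KMS key used to encrypt CloudTrail log files` describes it.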
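Review bot: `kms_enable_key_rotation` is described as `Defaults to false.` while its `default` is `true`; the description should read `Specifies whether key rotation is enabled for the KMS key.` and leave the default to the `default` attribute. The same mismatched text appears in the cloudwatch_log_group variables.tf, and both README input tables copy it. `tags` has no description, which the generated README renders as `n/a`.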
@@ -0,0 +1,38 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_key.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [kms\_deletion\_window\_in\_days](#input\_kms\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. | `number` | `30` | no | +| [kms\_enable\_key\_rotation](#input\_kms\_enable\_key\_rotation) | Specifies whether key rotation is enabled. Defaults to false. | `bool` | `true` | no | +| [log\_group\_name](#input\_log\_group\_name) | Log group name of cloud watch | `string` | `"log-group-default"` | no | +| [tags](#input\_tags) | n/a | `map(any)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [kms\_arn](#output\_kms\_arn) | Arn of kms for log group of cloudwatch | diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/main.tf b/terraform-modules/aws/kms/cloudwatch_log_group/main.tf new file mode 100644 index 000000000..0373378a8 --- /dev/null +++ b/terraform-modules/aws/kms/cloudwatch_log_group/main.tf 
@@ -0,0 +1,89 @@ +# This is a standard kms that frees any cloud watch log group from vulnerabilities. +# Docs: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html + +locals { + arn_format = "arn:${data.aws_partition.current.partition}" +} +data "aws_partition" "current" {} +data "aws_caller_identity" "current" {} +data "aws_region" "current" {} + +# --------------------------------------------------------------------------------------------------------------------- +# CREATE A KMS +# We can attach KMS to CloudWatch Log. +# --------------------------------------------------------------------------------------------------------------------- +data "aws_iam_policy_document" "kms" { + statement { + sid = "Enable Root User Permissions" + effect = "Allow" + + actions = [ + "kms:Create*", + "kms:Describe*", + "kms:Enable*", + "kms:List*", + "kms:Put*", + "kms:Update*", + "kms:Revoke*", + "kms:Disable*", + "kms:Get*", + "kms:Delete*", + "kms:Tag*", + "kms:Untag*", + "kms:ScheduleKeyDeletion", + "kms:CancelKeyDeletion" + ] + + #bridgecrew:skip=CKV_AWS_109:This policy applies only to the key it is attached to + #bridgecrew:skip=CKV_AWS_111:This policy applies only to the key it is attached to + resources = [ + "*" + ] + + principals { + type = "AWS" + + identifiers = [ + "${local.arn_format}:iam::${data.aws_caller_identity.current.account_id}:root" + ] + } + } + + statement { + sid = "Allow KMS to CloudWatch Log Group ${var.log_group_name}" + effect = "Allow" + + actions = [ + "kms:Encrypt*", + "kms:Decrypt*", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Describe*" + ] + + resources = [ + "*" + ] + + principals { + type = "Service" + + identifiers = [ + "logs.${data.aws_region.current.name}.amazonaws.com" + ] + } + condition { + test = "ArnEquals" + variable = "kms:EncryptionContext:aws:logs:arn" + values = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_name}"] + } 
+ } +} + +resource "aws_kms_key" "kms" { + description = "KMS key for log-group: ${var.log_group_name}" + deletion_window_in_days = var.kms_deletion_window_in_days + enable_key_rotation = var.kms_enable_key_rotation + policy = join("", data.aws_iam_policy_document.kms.*.json) + tags = var.tags +} diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf b/terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf new file mode 100644 index 000000000..aa9305d75 --- /dev/null +++ b/terraform-modules/aws/kms/cloudwatch_log_group/outputs.tf @@ -0,0 +1,4 @@ +output "kms_arn" { + description = "Arn of kms for log group of cloudwatch" + value = aws_kms_key.kms.arn +} \ No newline at end of file diff --git a/terraform-modules/aws/kms/cloudwatch_log_group/variables.tf b/terraform-modules/aws/kms/cloudwatch_log_group/variables.tf new file mode 100644 index 000000000..42ed7e677 --- /dev/null +++ b/terraform-modules/aws/kms/cloudwatch_log_group/variables.tf @@ -0,0 +1,22 @@ +variable "log_group_name" { + type = string + default = "log-group-default" + description = "Log group name of cloud watch" +} + +variable "kms_deletion_window_in_days" { + type = number + default = 30 + description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key." +} + +variable "kms_enable_key_rotation" { + type = bool + default = true + description = "Specifies whether key rotation is enabled. Defaults to false." +} + + +variable "tags" { + type = map(any) +} \ No newline at end of file diff --git a/terraform-modules/aws/kubernetes-efs-volume/README.md b/terraform-modules/aws/kubernetes-efs-volume/README.md new file mode 100644 index 000000000..11585f6e0 --- /dev/null +++ b/terraform-modules/aws/kubernetes-efs-volume/README.md 
@@ -0,0 +1,10 @@ +# kubernetes-efs-volume + +Depends on the `eks-efs-csi-driver` module to be instantiated in the cluster first. + +This module will: +* Create an AWS EFS resource with the appropriate security group and IAM permisisons +* Create a persistent volume (pv) pointing to this EFS endpoint +* Create a persistent volume claim (pvc) pointing to the `pv` + +You can then readily use the `pvc` to mount to any resources in Kubernetes. diff --git a/terraform-modules/aws/kubernetes-efs-volume/main.tf b/terraform-modules/aws/kubernetes-efs-volume/main.tf new file mode 100644 index 000000000..9438bb193 --- /dev/null +++ b/terraform-modules/aws/kubernetes-efs-volume/main.tf 
@@ -0,0 +1,98 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 3.37.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.1.0" + } + } +} + + +module "efs" { + source = "cloudposse/efs/aws" + version = "0.30.1" + + namespace = var.efs_namespace + stage = var.environment_name + name = var.efs_name + region = var.aws_region + vpc_id = var.vpc_id + subnets = var.subnets + security_groups = var.security_groups + + tags = var.tags +} + +resource "kubernetes_storage_class" "storage_class" { + metadata { + name = "${var.efs_name}-sc" + } + storage_provisioner = "efs.csi.aws.com" + reclaim_policy = var.reclaim_policy + # https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/examples/kubernetes/dynamic_provisioning#dynamic-provisioning + parameters = { + provisioningMode = var.storage_class_parameters_provisioningMode + directoryPerms = var.storage_class_parameters_directoryPerms + gidRangeStart = var.storage_class_parameters_gidRangeStart + gidRangeEnd = var.storage_class_parameters_gidRangeEnd + basePath = var.storage_class_parameters_basePath + } + mount_options = ["tls"] + + depends_on = [ + module.efs + ] +} + +resource "kubernetes_persistent_volume" "pv" { + metadata { + name = var.efs_name + } + spec { + storage_class_name = "${var.efs_name}-sc" + persistent_volume_reclaim_policy = var.persistent_volume_reclaim_policy + capacity = { + storage = var.storage_capacity + } + access_modes = var.access_modes + mount_options = ["tls"] + persistent_volume_source { + csi { + driver = "efs.csi.aws.com" + volume_handle = module.efs.id + volume_attributes = { + encryptInTransit = true + } + } + } + } + + depends_on = [ + kubernetes_storage_class.storage_class + ] +} + +resource "kubernetes_persistent_volume_claim" "pvc" { + metadata { + name = var.efs_name + namespace = var.kubernetes_namespace + } + spec { + access_modes = var.access_modes + resources { + requests = { + storage = var.storage_capacity + 
} + } + volume_name = kubernetes_persistent_volume.pv.metadata.0.name + storage_class_name = "${var.efs_name}-sc" + } + + depends_on = [ + kubernetes_persistent_volume.pv + ] +} diff --git a/terraform-modules/aws/kubernetes-efs-volume/outputs.tf b/terraform-modules/aws/kubernetes-efs-volume/outputs.tf new file mode 100644 index 000000000..7293a5e18 --- /dev/null +++ b/terraform-modules/aws/kubernetes-efs-volume/outputs.tf @@ -0,0 +1,8 @@ +output "kubernetes_persistent_volume_claim_name" { + value = var.efs_name + description = "Name of the pvc claim" +} + +output "kubernetes_persistent_volume_name" { + value = var.efs_name +} \ No newline at end of file diff --git a/terraform-modules/aws/kubernetes-efs-volume/variables.tf b/terraform-modules/aws/kubernetes-efs-volume/variables.tf new file mode 100644 index 000000000..9ea4743ff --- /dev/null +++ b/terraform-modules/aws/kubernetes-efs-volume/variables.tf 
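Review bot: The storage class name `"${var.efs_name}-sc"` is spelled out three times (class metadata, PV spec and PVC spec); referencing `kubernetes_storage_class.storage_class.metadata.0.name` in the PV and PVC keeps the three in sync and gives Terraform the dependency that the explicit `depends_on` entries currently supply by hand. `mount_options = ["tls"]` and `encryptInTransit = true` cover encryption in transit, but nothing is set for encryption at rest on `module.efs`; if the cloudposse module's defaults are being relied on for that, pinning them explicitly (and recording which key is used) would make the intent reviewable. The `terraform` block pins provider versions but no `required_version`.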
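Review bot: Both outputs return `var.efs_name` rather than the created objects' names, so a consumer reading `kubernetes_persistent_volume_claim_name` gets no dependency on the PVC and can be applied before it exists; `value = kubernetes_persistent_volume_claim.pvc.metadata.0.name` and `value = kubernetes_persistent_volume.pv.metadata.0.name` fix that. `kubernetes_persistent_volume_name` also lacks a `description`.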
@@ -0,0 +1,107 @@ +variable "efs_namespace" { + type = string + default = "kubernetes-ops" + description = "Delimiter for EFS naming" +} + +variable "environment_name" { + type = string + default = "env" + description = "A name for this environment" +} + +variable "efs_name" { + type = string + default = "efs" + description = "A name for the EFS volume" +} + +variable "aws_region" { + type = string + default = "us-east-1" + description = "AWS region this EFS will go into" +} + +variable "vpc_id" { + type = string + default = "vcp-xxx" + description = "VPC ID that this EFS will go into" +} + +variable "subnets" { + type = list(string) + default = [] + description = "A list of subnets to place the EFS mount points at (can not have multiple subnets in the same availability zone" +} + +variable "security_groups" { + type = list(string) + default = [] + description = "A list of security groups to allow access to this EFS resource" +} + +variable "kubernetes_namespace" { + type = string + default = "kubernetes-ops" + description = "The namespaces the pvc should be deployed into" +} + + +variable "tags" { + type = map(any) + default = {} +} + +variable "reclaim_policy" { + type = string + default = "Retain" + description = "Storage class reclaim policy" +} + +variable "storage_class_parameters_provisioningMode" { + type = string + default = "efs-ap" + description = "description" +} + +variable "storage_class_parameters_directoryPerms" { + type = string + default = "700" + description = "description" +} + +variable "storage_class_parameters_gidRangeStart" { + type = string + default = "1000" + description = "description" +} + +variable "storage_class_parameters_gidRangeEnd" { + type = string + default = "2000" + description = "description" +} + +variable "storage_class_parameters_basePath" { + type = string + default = "/" + description = "description" +} + +variable "persistent_volume_reclaim_policy" { + type = string + default = "Retain" + description = 
"persistent_volume_reclaim_policy" +} + +variable "storage_capacity" { + type = string + default = "2Gi" + description = "Size of the nfs disk" +} + +variable "access_modes" { + type = list(any) + default = ["ReadWriteMany"] + description = "access_modes" +} diff --git a/terraform-modules/aws/kubernetes/manifest/main.tf b/terraform-modules/aws/kubernetes/manifest/main.tf new file mode 100644 index 000000000..d00a56081 --- /dev/null +++ b/terraform-modules/aws/kubernetes/manifest/main.tf @@ -0,0 +1,3 @@ +resource "kubernetes_manifest" "manifest" { + manifest = yamldecode(var.manifest) +} diff --git a/terraform-modules/aws/kubernetes/manifest/variables.tf b/terraform-modules/aws/kubernetes/manifest/variables.tf new file mode 100644 index 000000000..a857c2343 --- /dev/null +++ b/terraform-modules/aws/kubernetes/manifest/variables.tf 
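Review bot: Five `storage_class_parameters_*` variables carry the placeholder `description = "description"`, and `persistent_volume_reclaim_policy` and `access_modes` merely repeat their own names; each should say what the value controls, e.g. for `storage_class_parameters_directoryPerms`: `Permissions applied to the directory created for each dynamically provisioned volume`. `vpc_id` defaults to `"vcp-xxx"`, a mistyped placeholder that is not a VPC id; dropping the default makes the caller supply one instead of failing at apply. `access_modes` is typed `list(any)` although it only ever holds strings, so `list(string)` is the accurate type, and the `subnets` description has an unclosed parenthesis.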
@@ -0,0 +1,14 @@ +variable "manifest" { + type = string + default = < [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [iam\_assumable\_role](#module\_iam\_assumable\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 4.20.3 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [eks\_cluster\_oidc\_issuer\_url](#input\_eks\_cluster\_oidc\_issuer\_url) | EKS cluster oidc issuer url | `string` | `""` | no | +| [iam\_policy\_description](#input\_iam\_policy\_description) | The description to place onto the IAM policy | `string` | `"The policy created by the pod_assumable_role Terraform module"` | no | +| [iam\_policy\_json](#input\_iam\_policy\_json) | The IAM policy json | `string` | `"{}"` | no | +| [k8s\_namespace](#input\_k8s\_namespace) | The namespace that this service account will be used in | `string` | `"my_namespace"` | no | +| [name](#input\_name) | The name to use for the various resources: IAM role, policy, etc | `string` | n/a | yes | +| [tags](#input\_tags) | Set of tags to place on the resources | `map(any)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | n/a | +| [name](#output\_name) | n/a | diff --git a/terraform-modules/aws/kubernetes/pod_assumable_role/main.tf b/terraform-modules/aws/kubernetes/pod_assumable_role/main.tf new file mode 100644 index 000000000..bacacb1e9 --- /dev/null +++ b/terraform-modules/aws/kubernetes/pod_assumable_role/main.tf 
@@ -0,0 +1,17 @@
+module "iam_assumable_role" {
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
+ version = "4.20.3"
+ create_role = true
+ role_name = var.name
+ provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "")
+ role_policy_arns = concat(var.iam_policy_arns, [aws_iam_policy.iam_policy.arn])
+ oidc_fully_qualified_subjects = ["system:serviceaccount:${var.k8s_namespace}:${var.name}"]
+ tags = var.tags
+}
+
+resource "aws_iam_policy" "iam_policy" {
+ name_prefix = var.name
+ description = var.iam_policy_description
+ policy = var.iam_policy_json
+ tags = var.tags
+}
diff --git a/terraform-modules/aws/kubernetes/pod_assumable_role/outputs.tf b/terraform-modules/aws/kubernetes/pod_assumable_role/outputs.tf
new file mode 100644
index 000000000..e6d7f2e66
--- /dev/null
+++ b/terraform-modules/aws/kubernetes/pod_assumable_role/outputs.tf
@@ -0,0 +1,7 @@
+output "arn" {
+ value = module.iam_assumable_role.iam_role_arn
+}
+
+output "name" {
+ value = module.iam_assumable_role.iam_role_name
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/kubernetes/pod_assumable_role/variables.tf b/terraform-modules/aws/kubernetes/pod_assumable_role/variables.tf
new file mode 100644
index 000000000..0e61d363d
--- /dev/null
+++ b/terraform-modules/aws/kubernetes/pod_assumable_role/variables.tf
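Review bot: `provider_url` is derived from `var.eks_cluster_oidc_issuer_url`, whose default is `""`, and `policy = var.iam_policy_json` defaults to `"{}"`; neither default produces a usable role (an empty issuer yields a trust policy with no valid federated principal, and `{}` is not a valid IAM policy document), so both variables should be required rather than silently defaulted — loki-stack/variables.tf carries the same `""` default for the issuer URL. The trust condition is built from the `sub` claim only via `oidc_fully_qualified_subjects`; if the pinned module version exposes `oidc_fully_qualified_audiences`, setting it to `["sts.amazonaws.com"]` also pins the `aud` claim, as the standard IRSA trust policy does. The outputs.tf hunk on this line declares `arn` and `name` without descriptions.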
@@ -0,0 +1,40 @@
+variable "name" {
+ type = string
+ description = "The name to use for the various resources: IAM role, policy, etc"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
+
+variable "k8s_namespace" {
+ type = string
+ description = "The namespace that this service account will be used in"
+ default = "my_namespace"
+}
+
+variable "iam_policy_description" {
+ type = string
+ description = "The description to place onto the IAM policy"
+ default = "The policy created by the pod_assumable_role Terraform module"
+}
+
+variable "tags" {
+ type = map(any)
+ description = "Set of tags to place on the resources"
+ default = {}
+}
+
+variable "iam_policy_json" {
+ type = string
+ description = "The IAM policy json"
+ default = "{}"
+}
+
+variable "iam_policy_arns" {
+ type = list(string)
+ description = "The IAM policy readonly list"
+ default = []
+}
diff --git a/terraform-modules/aws/loki-stack/README.md b/terraform-modules/aws/loki-stack/README.md
new file mode 100644
index 000000000..d0d9640df
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/README.md
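Review bot: `iam_policy_arns` is described as `The IAM policy readonly list`, but main.tf concatenates it into `role_policy_arns`, so these ARNs are attached with whatever permissions they grant; `Additional IAM policy ARNs to attach to the role` says what it is. `k8s_namespace` defaults to `my_namespace`, which is not a valid Kubernetes namespace name (underscores are not allowed in DNS-1123 labels), so the default can never match a real service account; either drop the default or use a hyphenated placeholder. The README input table in this change does not list `iam_policy_arns`.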
@@ -0,0 +1,40 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [template](#provider\_template) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [iam\_assumable\_role\_admin](#module\_iam\_assumable\_role\_admin) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 3.6.0 | +| [loki](#module\_loki) | github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic | v1.0.30 | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_kms_key.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.loki-stack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [template_file.helm_values](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | AWS region | `string` | `"us-east-1"` | no | +| [cluster\_name](#input\_cluster\_name) | EKS cluster name | `string` | `"cluster"` | no | +| [eks\_cluster\_oidc\_issuer\_url](#input\_eks\_cluster\_oidc\_issuer\_url) | EKS cluster oidc issuer url | `string` | `""` | no | + +## Outputs + +No outputs. 
diff --git a/terraform-modules/aws/loki-stack/main.tf b/terraform-modules/aws/loki-stack/main.tf
new file mode 100644
index 000000000..3ea31e17d
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/main.tf
@@ -0,0 +1,105 @@ +locals { + name = "loki-stack" +} + +resource "aws_kms_key" "loki-stack" { + description = "${local.name}-${var.cluster_name}" + deletion_window_in_days = 10 +} + +resource "aws_s3_bucket" "loki-stack" { + bucket = "${local.name}-${var.cluster_name}" + acl = "private" + + versioning { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.loki-stack.arn + sse_algorithm = "aws:kms" + } + } + } + + depends_on = [aws_kms_key.loki-stack] +} + +module "iam_assumable_role_admin" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + version = "3.6.0" + create_role = true + role_name = "loki-stack-${var.cluster_name}" + provider_url = replace(var.eks_cluster_oidc_issuer_url, "https://", "") + role_policy_arns = [aws_iam_policy.loki-stack.arn] + oidc_fully_qualified_subjects = ["system:serviceaccount:monitoring:${local.name}"] +} + +resource "aws_iam_policy" "loki-stack" { + name_prefix = "${local.name}-${var.cluster_name}" + description = "IAM policy for ${local.name}" + policy = data.aws_iam_policy_document.loki-stack.json +} + +data "aws_iam_policy_document" "loki-stack" { + statement { + sid = replace(local.name, "-", "") + effect = "Allow" + + # https://grafana.com/docs/loki/latest/operations/storage/ + actions = [ + "s3:ListBucket", + "s3:PutObject", + "s3:GetObject", + "dynamodb:ListTables", + "dynamodb:BatchGetItem", + "dynamodb:BatchWriteItem", + "dynamodb:DeleteItem", + "dynamodb:DescribeTable", + "dynamodb:GetItem", + "dynamodb:ListTagsOfResource", + "dynamodb:PutItem", + "dynamodb:Query", + "dynamodb:TagResource", + "dynamodb:UntagResource", + "dynamodb:UpdateItem", + "dynamodb:UpdateTable", + "dynamodb:CreateTable", + "dynamodb:DeleteTable" + ] + + resources = ["*"] + } +} + +data "aws_caller_identity" "current" {} + +# +# Helm - ${local.name} +# +data "template_file" "helm_values" { + template = 
file("${path.module}/values.yaml") + vars = { + s3 = aws_s3_bucket.loki-stack.bucket + awsAccountID = data.aws_caller_identity.current.account_id + awsRegion = var.aws_region + clusterName = var.cluster_name + } +} + +module "loki" { + source = "github.com/ManagedKube/kubernetes-ops//terraform-modules/aws/helm/helm_generic?ref=v1.0.30" + + repository = "https://grafana.github.io/helm-charts" + official_chart_name = local.name + user_chart_name = local.name + helm_version = "2.5.0" + namespace = "monitoring" + helm_values = data.template_file.helm_values.rendered + + depends_on = [ + aws_s3_bucket.loki-stack, aws_iam_policy.loki-stack + ] +} diff --git a/terraform-modules/aws/loki-stack/values.yaml b/terraform-modules/aws/loki-stack/values.yaml new file mode 100644 index 000000000..848dd8770 --- /dev/null +++ b/terraform-modules/aws/loki-stack/values.yaml 
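Review bot: `data.aws_iam_policy_document.loki-stack` grants every listed S3 and DynamoDB action on `resources = ["*"]`, although the bucket is created in this same file and the DynamoDB tables take the `index_` prefix from values.yaml, so the Loki role can read and write any bucket and table in the account; scope the S3 actions to the bucket and its objects and the table actions to the `table/index_*` ARN pattern, leaving only `dynamodb:ListTables` on `*` since it is account-wide. The bucket defaults to SSE-KMS with `aws_kms_key.loki-stack`, but the policy grants no `kms:GenerateDataKey`/`kms:Decrypt` on that key, so with the key's default policy object writes and reads from this role are denied unless the permission comes from elsewhere. `aws_kms_key.loki-stack` does not set `enable_key_rotation = true`, and the bucket has no `aws_s3_bucket_public_access_block`, unlike the kms modules in this change which expose rotation as an input. The inline `versioning` and `server_side_encryption_configuration` blocks are deprecated in AWS provider 4.x and this module pins no provider version, so the next provider upgrade will change what this hunk means.
```hcl
data "aws_partition" "current" {}

data "aws_iam_policy_document" "loki-stack" {
  statement {
    sid     = "${replace(local.name, "-", "")}S3"
    effect  = "Allow"
    actions = ["s3:ListBucket", "s3:PutObject", "s3:GetObject"]
    resources = [
      aws_s3_bucket.loki-stack.arn,
      "${aws_s3_bucket.loki-stack.arn}/*",
    ]
  }

  statement {
    sid       = "${replace(local.name, "-", "")}DynamoDBList"
    effect    = "Allow"
    actions   = ["dynamodb:ListTables"]
    resources = ["*"]
  }

  statement {
    sid    = "${replace(local.name, "-", "")}DynamoDB"
    effect = "Allow"
    # … unchanged: the remaining dynamodb:* actions from the original list …
    resources = [
      "arn:${data.aws_partition.current.partition}:dynamodb:${var.aws_region}:${data.aws_caller_identity.current.account_id}:table/index_*",
    ]
  }

  # Required because the bucket defaults to SSE-KMS with aws_kms_key.loki-stack
  statement {
    sid       = "${replace(local.name, "-", "")}KMS"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey", "kms:Decrypt"]
    resources = [aws_kms_key.loki-stack.arn]
  }
}
```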
@@ -0,0 +1,62 @@
+---
+loki:
+ enabled: true
+
+ serviceAccount:
+ annotations:
+ eks.amazonaws.com/role-arn: "arn:aws:iam::${awsAccountID}:role/loki-stack-${clusterName}"
+
+ config:
+ schema_config:
+ configs:
+ - from: 2021-11-09
+ store: aws
+ object_store: s3
+ schema: v11
+ index:
+ prefix: index_
+ period: 24h
+ tags: {}
+
+ storage_config:
+ aws:
+ s3: ${s3}
+ region: ${awsRegion}
+ s3forcepathstyle: true
+ dynamodb:
+ dynamodb_url: dynamodb://${awsRegion}
+
+promtail:
+ enabled: true
+ image:
+ tag: 2.3.0
+ # https://grafana.com/docs/loki/latest/installation/helm/#run-promtail-with-systemd-journal-support
+ extraScrapeConfigs:
+ - job_name: journal
+ journal:
+ path: /var/log/journal
+ max_age: 12h
+ labels:
+ job: systemd-journal
+ relabel_configs:
+ - source_labels: ['__journal__systemd_unit']
+ target_label: 'unit'
+ - source_labels: ['__journal__hostname']
+ target_label: 'hostname'
+
+ # Mount journal directory into promtail pods
+ extraVolumes:
+ - name: journal
+ hostPath:
+ path: /var/log/journal
+
+ extraVolumeMounts:
+ - name: journal
+ mountPath: /var/log/journal
+ readOnly: true
+
+fluent-bit:
+ enabled: false
+
+grafana:
+ enabled: false
diff --git a/terraform-modules/aws/loki-stack/variables.tf b/terraform-modules/aws/loki-stack/variables.tf
new file mode 100644
index 000000000..f3f69ca2e
--- /dev/null
+++ b/terraform-modules/aws/loki-stack/variables.tf
@@ -0,0 +1,17 @@
+variable "aws_region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region"
+}
+
+variable "cluster_name" {
+ type = string
+ default = "cluster"
+ description = "EKS cluster name"
+}
+
+variable "eks_cluster_oidc_issuer_url" {
+ type = string
+ default = ""
+ description = "EKS cluster oidc issuer url"
+}
diff --git a/terraform-modules/aws/mongodb-atlas-alerts/README.md b/terraform-modules/aws/mongodb-atlas-alerts/README.md
new file mode 100644
index 000000000..159b03ea4
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-alerts/README.md
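Review bot: The `eks.amazonaws.com/role-arn` annotation rebuilds the role ARN by hand (`arn:aws:iam::${awsAccountID}:role/loki-stack-${clusterName}`) instead of taking it from the role that main.tf in this commit actually creates, so the two strings must be kept in sync manually and a drift (renamed role, non-`aws` partition) is only discovered when IRSA silently stops issuing credentials and the pods fall back to the node role. Pass the module's role ARN output through the template vars in main.tf (the 3.x series of that module exposes it as `this_iam_role_arn`, as far as I recall) and reference it here as `eks.amazonaws.com/role-arn: "${lokiRoleArn}"`. The `hostPath` mount of `/var/log/journal` is read-only, which is the right shape; just note that it still requires the promtail pods to be admitted under a policy that allows `hostPath`, which this values file cannot express.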
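Review bot: `eks_cluster_oidc_issuer_url` defaults to `""`, so a caller that forgets it gets a plan that proceeds with an empty OIDC provider in the role's trust policy (main.tf feeds it straight into `provider_url = replace(...)`) rather than a clear error; drop the `default = ""` line so Terraform requires the value. The `cluster_name` default of `"cluster"` also flows into a globally unique S3 bucket name (`loki-stack-cluster`), so it is likely to collide across accounts — making it required as well, or at least documenting that the default is only a placeholder, would be safer.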
@@ -0,0 +1,64 @@ +# MongoDB Atlas Alerts +This module is here to help you add in a list of alerts and it also recreates all of the +default MongoDB Atlas alerts. The reason to recreate it is to allow you to setup the +notifications for all of these alerts with Terraform. Currently there is no way to +set those alerts with default notification without going into each one and setting it. + + +## var.default_alerts +The default alerts are the set of alerts that Mongo Atlas provides to your project when +you create it. These are basic standard alerts applicable to any installation + +## Creating a Mongo Atlas API key + +https://www.mongodb.com/docs/atlas/configure-api-access/#create-an-api-key-for-a-project + + +## Creating the list of default alerts +Since we have to translate the alerts in the GUI to terraform/API configuration, the +easiest way is to get the list of alerts: + +Mongo API to get the list of alerts: +``` +curl --user "${MONGODB_ATLAS_PUBLIC_KEY}:${MONGODB_ATLAS_PRIVATE_KEY}" --digest \ + --header 'Accept: application/json' \ + --include \ + --request GET "https://cloud.mongodb.com/api/atlas/v1.0/groups/61e2162831a32a210d907b76/alertConfigs?pretty=true" +``` + +# Slack API Token + +You can follow this doc to create the token: https://api.slack.com/authentication/basics + +The token will be in the form of: `xoxb-xxxx-xxxxx-xxxxx` + +## Testing the token +Get a list of the Slack channel: + +``` +curl https://slack.com/api/conversations.list -H "Authorization: Bearer " +``` + +You will need to get the channel string from this list and put it into the next request to send a message. + +You will need to @ the bot and add the bot to the channel you want to send the message to. + +Send a message to the channel: +``` +curl -X POST -F channel=CGM7387SP -F text="test test" https://slack.com/api/chat.postMessage -H "Authorization: Bearer " +``` + +## TL;DR generating the API Token + +Without having to read that entire doc =) + +1. 
Create a new app “from scratch” +1. Name: MongoAtlasAlerting +1. Select the ExactPay workspace +1. Click on create app +1. This will bring you to the app’s management page +1. On the left hand side click on: OAuth & Permissions +1. Go down to Scopes → Bot Token Scopes +1. Add the “chat:write,channels:read,groups:read,mpim:read,im:read” scope +1. Go back up to “OAuth Tokens for Your Workspace” and click on “Install into Workspace” and allow the app to access our workspace +1. This will bring you back to the app’s management page and now there is a token there with the format of: xoxb-xxxx-xxx-xxx diff --git a/terraform-modules/aws/mongodb-atlas-alerts/alert_list_041122.json b/terraform-modules/aws/mongodb-atlas-alerts/alert_list_041122.json new file mode 100644 index 000000000..85da2c83b --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas-alerts/alert_list_041122.json 
@@ -0,0 +1,447 @@ +{ + "links": [ + { + "href": "https://cloud.mongodb.com/api/atlas/v1.0/groups/111111111111111111/alertConfigs?pretty=true&pageNum=1&itemsPerPage=100", + "rel": "self" + } + ], + "results": [ + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "REPLICATION_OPLOG_WINDOW_RUNNING_OUT", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b79", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b79", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "threshold": { + "operator": "LESS_THAN", + "threshold": 1, + "units": "HOURS" + }, + "typeName": "REPLICA_SET", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "NO_PRIMARY", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b7b", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b7b", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 15, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "REPLICA_SET", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "CLUSTER_MONGOS_IS_MISSING", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b7d", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b7d", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 15, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": 
false, + "typeName": "GROUP" + } + ], + "typeName": "CLUSTER", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "OUTSIDE_METRIC_THRESHOLD", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b7f", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b7f", + "rel": "self" + } + ], + "matchers": [], + "metricThreshold": { + "metricName": "CONNECTIONS_PERCENT", + "mode": "AVERAGE", + "operator": "GREATER_THAN", + "threshold": 80, + "units": "RAW" + }, + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST_METRIC", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "OUTSIDE_METRIC_THRESHOLD", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b82", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b82", + "rel": "self" + } + ], + "matchers": [], + "metricThreshold": { + "metricName": "DISK_PARTITION_SPACE_USED_DATA", + "mode": "AVERAGE", + "operator": "GREATER_THAN", + "threshold": 90, + "units": "RAW" + }, + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST_METRIC", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "OUTSIDE_METRIC_THRESHOLD", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b84", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b84", + "rel": "self" + } + ], + "matchers": [], + 
"metricThreshold": { + "metricName": "QUERY_TARGETING_SCANNED_OBJECTS_PER_RETURNED", + "mode": "AVERAGE", + "operator": "GREATER_THAN", + "threshold": 1000, + "units": "RAW" + }, + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST_METRIC", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "CREDIT_CARD_ABOUT_TO_EXPIRE", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b86", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b86", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 1440, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "BILLING", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "OUTSIDE_METRIC_THRESHOLD", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b88", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b88", + "rel": "self" + } + ], + "matchers": [], + "metricThreshold": { + "metricName": "NORMALIZED_SYSTEM_CPU_USER", + "mode": "AVERAGE", + "operator": "GREATER_THAN", + "threshold": 95, + "units": "RAW" + }, + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST_METRIC", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "HOST_HAS_INDEX_SUGGESTIONS", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b8a", + "links": [ + { + "href": 
"https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b8a", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 10, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "HOST_MONGOT_CRASHING_OOM", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b8c", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b8c", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "OUTSIDE_SERVERLESS_METRIC_THRESHOLD", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b8e", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b8e", + "rel": "self" + } + ], + "matchers": [], + "metricThreshold": { + "metricName": "SERVERLESS_CONNECTIONS_PERCENT", + "mode": "AVERAGE", + "operator": "GREATER_THAN", + "threshold": 80, + "units": "RAW" + }, + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "SERVERLESS_METRIC", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "OUTSIDE_SERVERLESS_METRIC_THRESHOLD", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b90", + "links": [ + { + "href": 
"https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b90", + "rel": "self" + } + ], + "matchers": [], + "metricThreshold": { + "metricName": "SERVERLESS_DATA_SIZE_TOTAL", + "mode": "AVERAGE", + "operator": "GREATER_THAN", + "threshold": 0.75, + "units": "TERABYTES" + }, + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "SERVERLESS_METRIC", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "HOST_NOT_ENOUGH_DISK_SPACE", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b92", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b92", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "roles": [ + "GROUP_OWNER" + ], + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "HOST", + "updated": "2022-01-15T00:32:40Z" + }, + { + "created": "2022-01-15T00:32:40Z", + "enabled": true, + "eventTypeName": "JOINED_GROUP", + "groupId": "111111111111111111", + "id": "61e2162831a32a210d907b94", + "links": [ + { + "href": "https://cloud.mongodb.com/api/public/v1.0/groups/111111111111111111/alertConfigs/61e2162831a32a210d907b94", + "rel": "self" + } + ], + "matchers": [], + "notifications": [ + { + "delayMin": 0, + "emailEnabled": true, + "intervalMin": 60, + "smsEnabled": false, + "typeName": "GROUP" + } + ], + "typeName": "USER", + "updated": "2022-01-15T00:32:40Z" + } + ], + "totalCount": 14 +} \ No newline at end of file diff --git a/terraform-modules/aws/mongodb-atlas-alerts/main.tf b/terraform-modules/aws/mongodb-atlas-alerts/main.tf new file mode 100644 index 000000000..1b12415ef --- /dev/null 
+++ b/terraform-modules/aws/mongodb-atlas-alerts/main.tf 
@@ -0,0 +1,76 @@
+
+terraform {
+ required_providers {
+ mongodbatlas = {
+ source = "mongodb/mongodbatlas"
+ version = "1.0.1"
+ }
+ }
+}
+
+locals {
+ all_alerts = "merge of the default and user alerts"
+}
+
+resource "mongodbatlas_alert_configuration" "defaults" {
+ count = var.enable_default_alerts ? length(var.default_alerts) : 0
+
+ project_id = var.mongodbatlas_projectid
+ event_type = var.default_alerts[count.index].event_type
+ enabled = var.default_alerts[count.index].enabled
+
+ dynamic "notification" {
+ for_each = var.use_global_notification_settings ? var.global_notification_settings : var.default_alerts[count.index].notification
+ content {
+ type_name = try(notification.value.type_name, null)
+ interval_min = try(notification.value.interval_min, null)
+ delay_min = try(notification.value.delay_min, null)
+ sms_enabled = try(notification.value.sms_enabled, null)
+ email_enabled = try(notification.value.email_enabled, null)
+ roles = try(notification.value.roles, null)
+ api_token = try(notification.value.api_token, null)
+ channel_name = try(notification.value.channel_name, null)
+ datadog_region = try(notification.value.datadog_region, null)
+ email_address = try(notification.value.email_address, null)
+ flowdock_api_token = try(notification.value.flowdock_api_token, null)
+ flow_name = try(notification.value.flow_name, null)
+ mobile_number = try(notification.value.mobile_number, null)
+ ops_genie_api_key = try(notification.value.ops_genie_api_key, null)
+ ops_genie_region = try(notification.value.ops_genie_region, null)
+ # team_id = try(notification.value.team_id, null)
+ # team_name = try(notification.value.team_name, null)
+ username = try(notification.value.username, null)
+ victor_ops_api_key = try(notification.value.victor_ops_api_key, null)
+ victor_ops_routing_key = try(notification.value.victor_ops_routing_key, null)
+ }
+ }
+
+ dynamic "matcher" {
+ for_each = var.default_alerts[count.index].matcher
+ content {
+ field_name = matcher.value.field_name
+ operator = matcher.value.operator
+ value = matcher.value.value
+ }
+ }
+
+ dynamic "metric_threshold_config" {
+ for_each = var.default_alerts[count.index].metric_threshold_config
+ content {
+ metric_name = metric_threshold_config.value.metric_name
+ operator = metric_threshold_config.value.operator
+ threshold = metric_threshold_config.value.threshold
+ units = metric_threshold_config.value.units
+ mode = metric_threshold_config.value.mode
+ }
+ }
+
+ dynamic "threshold_config" {
+ for_each = var.default_alerts[count.index].threshold_config
+ content {
+ operator = try(threshold_config.value.operator, null)
+ threshold = try(threshold_config.value.threshold, null)
+ units = try(threshold_config.value.units, null)
+ }
+ }
+}
diff --git a/terraform-modules/aws/mongodb-atlas-alerts/variables.tf b/terraform-modules/aws/mongodb-atlas-alerts/variables.tf
new file mode 100644
index 000000000..efcf6f63e
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-alerts/variables.tf
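Review bot: `local.all_alerts` is a placeholder string that nothing reads, and the `user_alerts` input this commit declares in variables.tf is never merged in, so the "user alerts" half of the module does not exist yet; either drop the local or make it the real merge, e.g. `all_alerts = concat(var.default_alerts, var.user_alerts)` once `user_alerts` is a list, and iterate the resource over that. Separately, the resource is indexed with `count` over `var.default_alerts`, so removing or reordering one entry shifts every later index and recreates those alert configurations (with a gap in notifications) on the next apply; a `for_each` keyed on a stable string such as `"${event_type}-${metric_name}"` avoids that. The `matcher` and `metric_threshold_config` blocks also read their attributes directly while `notification` and `threshold_config` wrap them in `try(..., null)`, which is worth making consistent one way or the other.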
@@ -0,0 +1,281 @@ +variable "mongodbatlas_projectid" { + type = string + description = "The unique ID for the project to create the database user." +} + +variable "use_global_notification_settings" { + type = bool + default = true + description = "This will override all notification settings with the global_notification_settings variable" +} + +variable "global_notification_settings" { + type = list(any) + # The items in the list all has to have the same number of items or the apply will fail + # due to Terraform deaming the items in the list being inconsistent + default = [ + { + type_name = "GROUP" + interval_min = 5 + delay_min = 0 + sms_enabled = false + email_enabled = true + roles = ["GROUP_DATA_ACCESS_READ_ONLY", "GROUP_CLUSTER_MANAGER", "GROUP_DATA_ACCESS_ADMIN"] + }, + { + type_name = "ORG" + interval_min = 5 + delay_min = 0 + sms_enabled = true + email_enabled = false + roles = [] + }, + ] + description = "Global notification setting that is applied to all alerts created by this module" +} + +variable "enable_default_alerts" { + type = bool + default = true + description = "To use the set of default alerts or not" +} + +# Alerts vars: https://www.mongodb.com/docs/atlas/reference/api/alert-configurations-create-config/#request-body-parameters +# MongoDB Host Metric reference: https://www.mongodb.com/docs/atlas/reference/alert-host-metrics/ +variable "default_alerts" { + type = list(any) + default = [ + { + event_type = "REPLICATION_OPLOG_WINDOW_RUNNING_OUT" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [ + { + operator = "LESS_THAN" + threshold = 1 + units = "HOURS" + } + ] + }, + { + event_type = "NO_PRIMARY" + enabled = true + notification = [] + matcher = [] + # This can only 
be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "CLUSTER_MONGOS_IS_MISSING" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "OUTSIDE_METRIC_THRESHOLD" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [ + { + metric_name = "CONNECTIONS_PERCENT" + operator = "GREATER_THAN" + threshold = 80 + units = "RAW" + mode = "AVERAGE" + } + ] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "OUTSIDE_METRIC_THRESHOLD" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [ + { + metric_name = "DISK_PARTITION_SPACE_USED_DATA" + operator = "GREATER_THAN" + threshold = 90 + units = "RAW" + mode = "AVERAGE" + } + ] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "OUTSIDE_METRIC_THRESHOLD" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [ + { + metric_name = "QUERY_TARGETING_SCANNED_OBJECTS_PER_RETURNED" + operator 
= "GREATER_THAN" + threshold = 1000 + units = "RAW" + mode = "AVERAGE" + } + ] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "CREDIT_CARD_ABOUT_TO_EXPIRE" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "OUTSIDE_METRIC_THRESHOLD" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [ + { + metric_name = "NORMALIZED_SYSTEM_CPU_USER" + operator = "GREATER_THAN" + threshold = 95 + units = "RAW" + mode = "AVERAGE" + } + ] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "HOST_HAS_INDEX_SUGGESTIONS" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "HOST_MONGOT_CRASHING_OOM" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + # These alerts didnt work when trying to apply it. Leaving it out for now. 
+ # Returned a nondescriptive generic error. + # { + # event_type = "OUTSIDE_SERVERLESS_METRIC_THRESHOLD" + # enabled = true + # notification = [] + # matcher = [] + # # This can only be a list of 1 + # # If is "metric_threshold_config" set, then "threshold_config" is not needed + # metric_threshold_config = [] + # # This can only be a list of 1 + # # If is "metric_threshold_config" set, then "threshold_config" is not needed + # threshold_config = [ + # { + # metric_name = "SERVERLESS_CONNECTIONS_PERCENT" + # operator = "GREATER_THAN" + # threshold = 80 + # units = "RAW" + # mode = "AVERAGE" + # } + # ] + # }, + # { + # event_type = "OUTSIDE_SERVERLESS_METRIC_THRESHOLD" + # enabled = true + # notification = [] + # matcher = [] + # # This can only be a list of 1 + # # If is "metric_threshold_config" set, then "threshold_config" is not needed + # metric_threshold_config = [] + # # This can only be a list of 1 + # # If is "metric_threshold_config" set, then "threshold_config" is not needed + # threshold_config = [ + # { + # metric_name = "SERVERLESS_DATA_SIZE_TOTAL" + # operator = "GREATER_THAN" + # threshold = 0.75 + # units = "TERABYTES" + # mode = "AVERAGE" + # } + # ] + # }, + { + event_type = "HOST_NOT_ENOUGH_DISK_SPACE" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + { + event_type = "JOINED_GROUP" + enabled = true + notification = [] + matcher = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + metric_threshold_config = [] + # This can only be a list of 1 + # If is "metric_threshold_config" set, then "threshold_config" is not needed + threshold_config = [] + }, + ] + description = "description" +} + +variable 
"user_alerts" { + type = string + default = "" + description = "description" +} + diff --git a/terraform-modules/aws/mongodb-atlas-user-list/README.md b/terraform-modules/aws/mongodb-atlas-user-list/README.md new file mode 100644 index 000000000..d24c68f0b --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas-user-list/README.md @@ -0,0 +1,6 @@ +# mongodb-atlas-user-list + +This creates a list of users with username and passwords. + +Optional to put the password into an AWS Secret. + diff --git a/terraform-modules/aws/mongodb-atlas-user-list/main.tf b/terraform-modules/aws/mongodb-atlas-user-list/main.tf new file mode 100644 index 000000000..4994ce294 --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas-user-list/main.tf 
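Review bot: `global_notification_settings` and `default_alerts` are the inputs through which `api_token`, `ops_genie_api_key`, `victor_ops_api_key` and `flowdock_api_token` reach the notification blocks in main.tf, yet neither variable is declared `sensitive = true`, so any integration token a caller supplies is printed verbatim in plan output and CI logs; add `sensitive = true` to both (Terraform 0.14 or later). The two commented-out `OUTSIDE_SERVERLESS_METRIC_THRESHOLD` entries put `metric_name`/`mode` under `threshold_config`, which main.tf only maps to `operator`/`threshold`/`units`, while `metric_threshold_config` stays empty — that mismatch is the likely cause of the "nondescriptive generic error" the comment mentions, so moving those blocks to `metric_threshold_config` is worth a retry. `default_alerts` and `user_alerts` still carry the placeholder `description = "description"`, and `user_alerts` is typed `string` with default `""` although it is meant to hold the same list shape as `default_alerts`.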
@@ -0,0 +1,56 @@
+
+terraform {
+ required_providers {
+ mongodbatlas = {
+ source = "mongodb/mongodbatlas"
+ version = "1.0.1"
+ }
+ }
+}
+
+resource "mongodbatlas_database_user" "this" {
+ count = length(var.database_users)
+ username = var.database_users[count.index].username
+ password = var.enable_aws_secret ? random_password.password[count.index].result : var.database_users[count.index].user_password
+ project_id = var.mongodbatlas_projectid
+ auth_database_name = var.database_users[count.index].auth_database_name
+
+ dynamic "roles" {
+ for_each = var.database_users[count.index].roles
+ content {
+ role_name = roles.value["role_name"]
+ database_name = roles.value["database_name"]
+ }
+ }
+}
+
+################################################
+# AWS Secret
+#
+# Option to add the password into AWS secret
+################################################
+resource "aws_secretsmanager_secret" "this" {
+ count = var.enable_aws_secret ? length(var.database_users) : 0
+ name = var.database_users[count.index].aws_secret_name
+ description = var.database_users[count.index].aws_secret_description
+ recovery_window_in_days = var.database_users[count.index].recovery_window_in_days
+ tags = var.database_users[count.index].tags
+}
+
+resource "random_password" "password" {
+ count = length(var.database_users)
+ length = 16
+ min_lower = 2
+ min_numeric = 2
+ min_special = 2
+ min_upper = 2
+ number = true
+ special = true
+ override_special = "!@#$%&*()-_=+[]{}<>:?"
+}
+
+resource "aws_secretsmanager_secret_version" "this" {
+ count = var.enable_aws_secret ? length(var.database_users) : 0
+ secret_id = aws_secretsmanager_secret.this[count.index].id
+ secret_string = var.enable_percent_encoding_password ? urlencode(random_password.password[count.index].result) : random_password.password[count.index].result
+}
diff --git a/terraform-modules/aws/mongodb-atlas-user-list/outputs.tf b/terraform-modules/aws/mongodb-atlas-user-list/outputs.tf
new file mode 100644
index 000000000..a15a3a261
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-user-list/outputs.tf
@@ -0,0 +1,3 @@
+output "mongodbatlas_database_user_list" {
+ value = mongodbatlas_database_user.this.*.id
+}
diff --git a/terraform-modules/aws/mongodb-atlas-user-list/variables.tf b/terraform-modules/aws/mongodb-atlas-user-list/variables.tf
new file mode 100644
index 000000000..6b1218b80
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-user-list/variables.tf
@@ -0,0 +1,60 @@
+variable "mongodbatlas_projectid" {
+ type = string
+ description = "The unique ID for the project to create the database user."
+}
+
+variable "tags" {
+ description = "A list of Tags"
+ type = map(any)
+}
+
+variable "roles" {
+ type = list(any)
+ default = [
+ {
+ role_name = "readWrite"
+ database_name = "my_db"
+ },
+ ]
+ description = "The set of roles that are applied to the user"
+}
+
+variable "enable_aws_secret" {
+ type = bool
+ default = false
+ description = "A flag to denote that we will put the password secret into aws secret"
+}
+
+variable "enable_percent_encoding_password" {
+ type = bool
+ default = false
+ description = "A flag to denote that we will put the password secret into aws secret in percent encoding according mongodb documentation: https://www.mongodb.com/docs/manual/reference/connection-string/#examples"
+}
+
+variable "database_users" {
+ # type = map(object({
+ # cidr_block = string
+ # }))
+ type = any
+ description = "description"
+ default = [
+ {
+ username = "foo"
+ aws_secret_name = "my_secret"
+ aws_secret_description = "my secret description"
+ # (Optional) Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
+ recovery_window_in_days = 0
+ # Only needed if enable_aws_secret==false, then all user needs to have
+ # this password filled out.
+ user_password = null
+ auth_database_name = "admin"
+ roles = [
+ {
+ role_name = "readWrite"
+ database_name = "my_db"
+ },
+ ]
+ tags = {}
+ },
+ ]
+}
diff --git a/terraform-modules/aws/mongodb-atlas-users/README.md b/terraform-modules/aws/mongodb-atlas-users/README.md
new file mode 100644
index 000000000..be567910d
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-users/README.md
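Review bot: All four resources are tied together by `count.index`, so inserting or removing a user anywhere but the end of `var.database_users` re-pairs `random_password.password[i]` with a different username on the next apply — every user after the gap gets a new password pushed to Atlas, their secret is renamed, and existing clients lose access; keying the resources with `for_each` on the username (or `auth_database_name/username` if the same name can exist in two auth databases) makes each user's password and secret independent of list order. The same change lets `random_password` be created only when `enable_aws_secret` is true, instead of writing an unused random value into state for every user. The `.*.id` splat in outputs.tf would need to become `values(mongodbatlas_database_user.this)[*].id` for this to apply cleanly. I believe the `number` argument on `random_password` has been superseded by `numeric` in newer releases of the random provider, but no provider constraint is visible here, so treat that as something to confirm.

```hcl
locals {
  # keyed by username so adding or removing a user never re-indexes the others
  users = { for u in var.database_users : u.username => u }
}

resource "mongodbatlas_database_user" "this" {
  for_each           = local.users
  username           = each.value.username
  password           = var.enable_aws_secret ? random_password.password[each.key].result : each.value.user_password
  project_id         = var.mongodbatlas_projectid
  auth_database_name = each.value.auth_database_name
  # … unchanged: dynamic "roles" block, iterating each.value.roles …
}

resource "aws_secretsmanager_secret" "this" {
  for_each = var.enable_aws_secret ? local.users : {}
  name     = each.value.aws_secret_name
  # … unchanged: description / recovery_window_in_days / tags, read from each.value …
}

resource "random_password" "password" {
  for_each = var.enable_aws_secret ? local.users : {}
  # … unchanged: length / min_* / special / override_special …
}

resource "aws_secretsmanager_secret_version" "this" {
  for_each      = var.enable_aws_secret ? local.users : {}
  secret_id     = aws_secretsmanager_secret.this[each.key].id
  secret_string = var.enable_percent_encoding_password ? urlencode(random_password.password[each.key].result) : random_password.password[each.key].result
}
```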
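Review bot: `tags` (required, no default) and `roles` are declared here but main.tf in this commit reads `tags` and `roles` per user from `database_users`, so every caller must supply a `var.tags` value that is then ignored; either wire these in as the fallback for entries that omit them or remove the two variables. `database_users` still has the placeholder `description = "description"` and a leftover `cidr_block` type comment that belongs to a different module — a description such as `"List of Atlas database users to create; each entry needs username, auth_database_name and roles, plus user_password when enable_aws_secret is false and aws_secret_name/aws_secret_description/recovery_window_in_days/tags when it is true"` would tell callers what the `any` type hides. The example default's `recovery_window_in_days = 0` means a `terraform destroy` deletes the secret immediately with no recovery window; that is a legitimate setting, but the example is what most people copy, so a comment recommending 7–30 for anything but throwaway environments would be worthwhile.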
@@ -0,0 +1,45 @@ +## Requirements + +| Name | Version | +|------|---------| +| [mongodbatlas](#requirement\_mongodbatlas) | 1.0.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [mongodbatlas](#provider\_mongodbatlas) | 1.0.1 | +| [random](#provider\_random) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [mongodbatlas_database_user.admin](https://registry.terraform.io/providers/mongodb/mongodbatlas/1.0.1/docs/resources/database_user) | resource | +| [mongodbatlas_database_user.test](https://registry.terraform.io/providers/mongodb/mongodbatlas/1.0.1/docs/resources/database_user) | resource | +| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_secret\_description](#input\_aws\_secret\_description) | The aws secret description | `string` | `""` | no | +| [aws\_secret\_name](#input\_aws\_secret\_name) | The name for the AWS secret | `string` | n/a | yes | +| [cluster\_name](#input\_cluster\_name) | Name of the cluster as it appears in Atlas. | `string` | n/a | yes | +| [create\_aws\_secret](#input\_create\_aws\_secret) | To create an AWS secret or not | `bool` | `false` | no | +| [iam\_role\_name](#input\_iam\_role\_name) | The IAM Role name to assign an auth user to the DB | `string` | n/a | yes | +| [mongodbatlas\_projectid](#input\_mongodbatlas\_projectid) | The unique ID for the project to create the database user. 
| `string` | n/a | yes | +| [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | (Optional) Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30. | `number` | `0` | no | +| [tags](#input\_tags) | A list of Tags | `map(any)` | n/a | yes | +| [user\_password](#input\_user\_password) | The password for the user | `string` | `null` | no | + +## Outputs + +No outputs. diff --git a/terraform-modules/aws/mongodb-atlas-users/main.tf b/terraform-modules/aws/mongodb-atlas-users/main.tf new file mode 100644 index 000000000..ed30f772a --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas-users/main.tf 
@@ -0,0 +1,140 @@ + +terraform { + required_providers { + mongodbatlas = { + source = "mongodb/mongodbatlas" + version = "1.0.1" + } + } +} + +resource "mongodbatlas_database_user" "admin" { + username = var.database_username + password = var.create_aws_secret ? aws_secretsmanager_secret_version.this[0].secret_string : var.user_password + project_id = var.mongodbatlas_projectid + auth_database_name = "admin" + + roles { + role_name = "atlasAdmin" + database_name = "admin" + } +} + +# This user is created from an AWS IAM Role, which is also provisioned by this module +# (see the "AWS Role" section at the end of this file) +# Due to limitations of current MongoDB drivers (see https://jira.mongodb.org/browse/DRIVERS-2011) +# this setup doesn't work as intended as of 2022-02-09, but it is expected to work once +# the MongoDB drivers are updated. +resource "mongodbatlas_database_user" "app_user" { + username = aws_iam_role.this.arn + project_id = var.mongodbatlas_projectid + auth_database_name = "$external" + aws_iam_type = "ROLE" + + roles { + role_name = "readAnyDatabase" + database_name = "admin" + } + + labels { + key = "%s" + value = "%s" + } + + scopes { + name = var.cluster_name + type = "CLUSTER" + } +} + +# This additional user can be customized with any given AWS IAM Role +# This can be useful when there is the need to use a Role that was created elsewhere +resource "mongodbatlas_database_user" "custom_user" { + count = var.create_custom_user ? 
1 : 0 + username = var.custom_user_iam_role + project_id = var.mongodbatlas_projectid + auth_database_name = "$external" + aws_iam_type = "ROLE" + + dynamic "roles" { + for_each = var.custom_user_roles + content { + role_name = roles.value["role_name"] + database_name = roles.value["database_name"] + } + } + + dynamic "labels" { + for_each = var.custom_user_labels + content { + key = labels.value["key"] + value = labels.value["value"] + } + } + + dynamic "scopes" { + for_each = var.custom_user_scopes + content { + name = scopes.value["name"] + type = scopes.value["type"] + } + } +} + +################################################ +# AWS Secret +# +# Option to add the password into AWS secret +################################################ +resource "aws_secretsmanager_secret" "this" { + count = var.create_aws_secret ? 1 : 0 + name = var.aws_secret_name + description = var.aws_secret_description + recovery_window_in_days = var.recovery_window_in_days + tags = var.tags +} + +resource "random_password" "password" { + count = var.create_aws_secret ? 1 : 0 + length = 16 + min_lower = 2 + min_numeric = 2 + min_special = 2 + min_upper = 2 + number = true + special = true + override_special = "!@#$%&*()-_=+[]{}<>:?" +} + +resource "aws_secretsmanager_secret_version" "this" { + count = var.create_aws_secret ? 1 : 0 + secret_id = aws_secretsmanager_secret.this[0].id + secret_string = random_password.password[0].result +} + +################################################ +# AWS role +# +# Using Mongo Atlas IAM authentication. This would be the role that is given access to the databases. 
+################################################
+data "aws_caller_identity" "current" {}
+
+resource "aws_iam_role" "this" {
+ name = "mongo-atlas-${var.cluster_name}"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": data.aws_caller_identity.current.account_id
+ },
+ "Action": "sts:AssumeRole",
+ "Condition": {}
+ }
+ ]
+ })
+
+ tags = var.tags
+}
diff --git a/terraform-modules/aws/mongodb-atlas-users/outputs.tf b/terraform-modules/aws/mongodb-atlas-users/outputs.tf
new file mode 100644
index 000000000..794776c78
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-users/outputs.tf
@@ -0,0 +1,3 @@
+output "aws_iam_role_arn" {
+ value = aws_iam_role.this.arn
+}
diff --git a/terraform-modules/aws/mongodb-atlas-users/variables.tf b/terraform-modules/aws/mongodb-atlas-users/variables.tf
new file mode 100644
index 000000000..d25e12be6
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas-users/variables.tf
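Review bot: The trust policy on `aws_iam_role.this` names the whole account (`"AWS": data.aws_caller_identity.current.account_id`, which IAM treats as the account root principal) with an empty `Condition`, so any IAM principal in the account whose own policy allows `sts:AssumeRole` can take on the role that `app_user` grants `readAnyDatabase` to; narrow it to the workload roles that actually need database access, for example by taking `AWS = var.trusted_principal_arns` from a variable, and document in the "AWS role" header why the account is trusted if that really is intended. The `labels` block on `app_user` carries the literal strings `key = "%s"` / `value = "%s"`, which reads like a leftover from a provider example rather than intended metadata; either drop the block or drive it from a variable the way `custom_user` does. The `number = true` argument on `random_password.password` is, as far as I recall, deprecated in favour of `numeric` in recent releases of the random provider, so it is worth checking against the provider version this module locks. The `password` expression on `admin` silently falls back to `var.user_password`, which may be `null` when `create_aws_secret` is false; a short comment stating that callers must supply one of the two would help.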
@@ -0,0 +1,95 @@ +variable "mongodbatlas_projectid" { + type = string + description = "The unique ID for the project to create the database user." +} + +variable "cluster_name" { + type = string + description = "Name of the cluster as it appears in Atlas." +} + +variable "create_aws_secret" { + type = bool + description = "To create an AWS secret or not" + default = false +} + +variable "aws_secret_name" { + type = string + description = "The name for the AWS secret" + default = null +} + +variable "aws_secret_description" { + type = string + description = "The aws secret description" + default = "" +} + +variable "recovery_window_in_days" { + type = number + description = "(Optional) Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30." + default = 0 +} + +variable "user_password" { + type = string + description = "The password for the user" + default = null +} + +variable "tags" { + description = "A list of Tags" + type = map(any) +} + +variable "database_username" { + description = "The username to create" + type = string + default = "admin" +} + +variable "create_custom_user" { + type = bool + description = "To create a custom user or not" + default = false +} + +variable "custom_user_iam_role" { + type = string + description = "The AWS IAM Role of the custom user" + default = null +} + +variable "custom_user_roles" { + type = list(any) + description = "A list mapping roles to databases for the custom user" + default = [ + { + role_name = "readWriteAnyDatabase" + database_name = "admin" + } + ] +} + +variable "custom_user_labels" { + type = list(any) + description = "A list of key-value pairs for tagging the custom user" + default = [ + { + key = "%s" + value = "%s" + } + ] +} + +variable "custom_user_scopes" { + type = list(any) + description = "A list of clusters and data lakes the custom user" + default = [ + { + name = 
"my_cluster" + type = "CLUSTER" + } + ] +} diff --git a/terraform-modules/aws/mongodb-atlas/README.md b/terraform-modules/aws/mongodb-atlas/README.md new file mode 100644 index 000000000..06f9c5e01 --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas/README.md 
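Review bot: `variable "user_password"` holds a credential but is not marked sensitive, so its value is shown in plan/apply output and in `terraform show`; add `sensitive = true` to that block. `recovery_window_in_days` defaults to `0` while its description says "The default value is 30"; a zero window deletes the secret immediately with no recovery, so either default to a value in the 7–30 range or reword the description to say the module deliberately forces immediate deletion. `custom_user_labels` defaults to the literal key/value `"%s"`, which would be sent to Atlas as-is; `default = []` is the safer default. The description of `custom_user_scopes` is missing its verb (`"A list of clusters and data lakes the custom user can access"`), and `tags` is a `map(any)` described as a list.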
@@ -0,0 +1,69 @@ +## Requirements + +| Name | Version | +|------|---------| +| [mongodbatlas](#requirement\_mongodbatlas) | 1.0.1 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [mongodbatlas](#provider\_mongodbatlas) | 1.0.1 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_vpc_endpoint.mongodbatlas](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [mongodbatlas_cluster.cluster](https://registry.terraform.io/providers/mongodb/mongodbatlas/1.0.1/docs/resources/cluster) | resource | +| [mongodbatlas_privatelink_endpoint.mongodbatlas](https://registry.terraform.io/providers/mongodb/mongodbatlas/1.0.1/docs/resources/privatelink_endpoint) | resource | +| [mongodbatlas_privatelink_endpoint_service.atlasplink](https://registry.terraform.io/providers/mongodb/mongodbatlas/1.0.1/docs/resources/privatelink_endpoint_service) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [auto\_scaling\_compute\_enabled](#input\_auto\_scaling\_compute\_enabled) | Specifies whether compute auto-scaling is enabled. The default is true. | `bool` | `false` | no | +| [auto\_scaling\_compute\_scale\_down\_enabled](#input\_auto\_scaling\_compute\_scale\_down\_enabled) | Set to true to enable the cluster tier to scale down. This option is only available if autoScaling.compute.enabled is true. | `bool` | `false` | no | +| [auto\_scaling\_disk\_gb\_enabled](#input\_auto\_scaling\_disk\_gb\_enabled) | Specifies whether disk auto-scaling is enabled. The default is true. 
| `bool` | n/a | yes | +| [aws\_region](#input\_aws\_region) | The AWS region | `string` | n/a | yes | +| [cloud\_backup](#input\_cloud\_backup) | n/a | `bool` | n/a | yes | +| [cluster\_name](#input\_cluster\_name) | Name of the cluster as it appears in Atlas. Once the cluster is created, its name cannot be changed. | `string` | n/a | yes | +| [cluster\_type](#input\_cluster\_type) | Specifies the type of the cluster that you want to modify. You cannot convert a sharded cluster deployment to a replica set deployment. You should use cluster type When you set replication\_specs, when you are deploying Global Clusters or when you are deploying non-Global replica sets and sharded clusters. Accepted values include: REPLICASET Replica set, SHARDED Sharded cluster, GEOSHARDED Global Cluster | `string` | n/a | yes | +| [disk\_size\_gb](#input\_disk\_size\_gb) | GCP/AWS Only) Capacity, in gigabytes, of the host’s root volume. Increase this number to add capacity, up to a maximum possible value of 4096 (i.e., 4 TB). This value must be a positive integer. The minimum disk size for dedicated clusters is 10GB for AWS and GCP. If you specify diskSizeGB with a lower disk size, Atlas defaults to the minimum disk size value. Note: The maximum value for disk storage cannot exceed 50 times the maximum RAM for the selected cluster. If you require additional storage space beyond this limitation, consider upgrading your cluster to a higher tier. Cannot be used with clusters with local NVMe SSDs | `number` | n/a | yes | +| [egress\_rule](#input\_egress\_rule) | A list of ingress rules | `list(any)` |
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "All",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"protocol": "-1",
"to_port": 0
}
]
| no | +| [electable\_nodes](#input\_electable\_nodes) | Number of electable nodes for Atlas to deploy to the region. Electable nodes can become the primary and can facilitate local reads. The total number of electableNodes across all replication spec regions must total 3, 5, or 7. Specify 0 if you do not want any electable nodes in the region. You cannot create electable nodes in a region if priority is 0. | `number` | n/a | yes | +| [iam\_role\_name](#input\_iam\_role\_name) | The IAM Role name to assign an auth user to the DB | `string` | n/a | yes | +| [ingress\_rule](#input\_ingress\_rule) | A list of ingress rules | `list(any)` |
[
{
"cidr_blocks": [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"100.64.0.0/16"
],
"description": "All ports from internal addresses",
"from_port": 0,
"ipv6_cidr_blocks": [],
"protocol": "tcp",
"to_port": 65535
}
]
| no | +| [javascript\_enabled](#input\_javascript\_enabled) | When true, the cluster allows execution of operations that perform server-side executions of JavaScript. When false, the cluster disables execution of those operations. | `bool` | n/a | yes | +| [minimum\_enabled\_tls\_protocol](#input\_minimum\_enabled\_tls\_protocol) | Sets the minimum Transport Layer Security (TLS) version the cluster accepts for incoming connections.Valid values are: TLS1\_0, TLS1\_1, TLS1\_2 | `string` | n/a | yes | +| [mongo\_db\_major\_version](#input\_mongo\_db\_major\_version) | Version of the cluster to deploy. Atlas supports the following MongoDB versions for M10+ clusters: 3.6, 4.0, or 4.2. You must set this value to 4.2 if provider\_instance\_size\_name is either M2 or M5. | `string` | `"5.0"` | no | +| [mongodbatlas\_projectid](#input\_mongodbatlas\_projectid) | The unique ID for the project to create the database user. | `string` | n/a | yes | +| [num\_shards](#input\_num\_shards) | Selects whether the cluster is a replica set or a sharded cluster. If you use the replicationSpecs parameter, you must set num\_shards. | `string` | n/a | yes | +| [priority](#input\_priority) | Election priority of the region. For regions with only read-only nodes, set this value to 0. For regions where electable\_nodes is at least 1, each region must have a priority of exactly one (1) less than the previous region. The first region must have a priority of 7. The lowest possible priority is 1. The priority 7 region identifies the Preferred Region of the cluster. Atlas places the primary node in the Preferred Region. Priorities 1 through 7 are exclusive - no more than one region per cluster can be assigned a given priority. Example: If you have three regions, their priorities would be 7, 6, and 5 respectively. If you added two more regions for supporting electable nodes, the priorities of those regions would be 4 and 3 respectively. 
| `number` | n/a | yes | +| [provider\_auto\_scaling\_compute\_max\_instance\_size](#input\_provider\_auto\_scaling\_compute\_max\_instance\_size) | The maximum instance size when scaling up | `string` | `null` | no | +| [provider\_auto\_scaling\_compute\_min\_instance\_size](#input\_provider\_auto\_scaling\_compute\_min\_instance\_size) | The minimum instance size when scaling down | `string` | `null` | no | +| [provider\_instance\_size\_name](#input\_provider\_instance\_size\_name) | Atlas provides different instance sizes, each with a default storage capacity and RAM size. The instance size you select is used for all the data-bearing servers in your cluster. See Create a Cluster providerSettings.instanceSizeName for valid values and default resources. Note free tier (M0) creation is not supported by the Atlas API and hence not supported by this provider.) | `string` | n/a | yes | +| [provider\_name](#input\_provider\_name) | Cloud service provider on which the servers are provisioned. The possible values are: AWS - Amazon AWS, GCP - Google Cloud Platform, AZURE - Microsoft Azure, TENANT - A multi-tenant deployment on one of the supported cloud service providers. Only valid when providerSettings.instanceSizeName is either M2 or M5. | `string` | n/a | yes | +| [read\_only\_nodes](#input\_read\_only\_nodes) | Number of read-only nodes for Atlas to deploy to the region. Read-only nodes can never become the primary, but can facilitate local-reads. Specify 0 if you do not want any read-only nodes in the region. | `number` | n/a | yes | +| [region\_name](#input\_region\_name) | n/a | `string` | n/a | yes | +| [subnet\_ids](#input\_subnet\_ids) | Set of EC2 Subnet IDs. | `list(string)` | n/a | yes | +| [tags](#input\_tags) | A list of Tags | `map(any)` | n/a | yes | +| [user\_password](#input\_user\_password) | The default password for all Aric MongoDB users. 
| `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC id | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [endpoint\_service\_name](#output\_endpoint\_service\_name) | n/a | +| [name](#output\_name) | n/a | +| [private\_link\_id](#output\_private\_link\_id) | n/a | +| [service\_endpoint\_dns](#output\_service\_endpoint\_dns) | n/a | +| [status](#output\_status) | n/a | diff --git a/terraform-modules/aws/mongodb-atlas/main.tf b/terraform-modules/aws/mongodb-atlas/main.tf new file mode 100644 index 000000000..96d9ddbf1 --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas/main.tf 
@@ -0,0 +1,94 @@ +terraform { + required_providers { + mongodbatlas = { + source = "mongodb/mongodbatlas" + version = "1.0.1" + } + } +} + + +resource "mongodbatlas_cluster" "cluster" { + project_id = var.mongodbatlas_projectid + name = var.cluster_name + cluster_type = var.cluster_type + replication_specs { + num_shards = var.num_shards + regions_config { + region_name = var.region_name + electable_nodes = var.electable_nodes + priority = var.priority + read_only_nodes = var.read_only_nodes + } + } + cloud_backup = var.cloud_backup + auto_scaling_disk_gb_enabled = var.auto_scaling_disk_gb_enabled + auto_scaling_compute_enabled = var.auto_scaling_compute_enabled + auto_scaling_compute_scale_down_enabled = var.auto_scaling_compute_scale_down_enabled + provider_auto_scaling_compute_max_instance_size = var.provider_auto_scaling_compute_max_instance_size + provider_auto_scaling_compute_min_instance_size = var.provider_auto_scaling_compute_min_instance_size + mongo_db_major_version = var.mongo_db_major_version + + //Provider Settings "block" + provider_name = var.provider_name + disk_size_gb = var.disk_size_gb + provider_instance_size_name = var.provider_instance_size_name + advanced_configuration { + javascript_enabled = var.javascript_enabled + minimum_enabled_tls_protocol = var.minimum_enabled_tls_protocol + } +} + +resource "mongodbatlas_privatelink_endpoint" "mongodbatlas" { + project_id = var.mongodbatlas_projectid + provider_name = var.provider_name + region = var.aws_region +} + +resource "aws_security_group" "this" { + name = "MongoDB - ${var.cluster_name}" + description = "Allow inbound traffic" + vpc_id = var.vpc_id + + dynamic "ingress" { + for_each = var.ingress_rule + content { + description = ingress.value["description"] + from_port = ingress.value["from_port"] + to_port = ingress.value["to_port"] + protocol = ingress.value["protocol"] + cidr_blocks = ingress.value["cidr_blocks"] + ipv6_cidr_blocks = ingress.value["ipv6_cidr_blocks"] + } + } + + dynamic 
"egress" { + for_each = var.egress_rule + content { + description = egress.value["description"] + from_port = egress.value["from_port"] + to_port = egress.value["to_port"] + protocol = egress.value["protocol"] + cidr_blocks = egress.value["cidr_blocks"] + ipv6_cidr_blocks = egress.value["ipv6_cidr_blocks"] + } + } + + tags = var.tags +} + +resource "aws_vpc_endpoint" "mongodbatlas" { + vpc_id = var.vpc_id + service_name = mongodbatlas_privatelink_endpoint.mongodbatlas.endpoint_service_name + vpc_endpoint_type = "Interface" + subnet_ids = var.subnet_ids + security_group_ids = [aws_security_group.this.id] + tags = var.tags +} + +resource "mongodbatlas_privatelink_endpoint_service" "atlasplink" { + project_id = mongodbatlas_privatelink_endpoint.mongodbatlas.project_id + endpoint_service_id = aws_vpc_endpoint.mongodbatlas.id + private_link_id = mongodbatlas_privatelink_endpoint.mongodbatlas.id + provider_name = var.provider_name +} diff --git a/terraform-modules/aws/mongodb-atlas/outputs.tf b/terraform-modules/aws/mongodb-atlas/outputs.tf new file mode 100644 index 000000000..1ebc6fbfc --- /dev/null +++ b/terraform-modules/aws/mongodb-atlas/outputs.tf 
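Review bot: `aws_security_group.this` takes its ingress entirely from `var.ingress_rule`, whose default in this commit opens every TCP port (0–65535) from all of 10/8, 172.16/12, 192.168/16 and 100.64/16 to the interface endpoint, and the default egress is unrestricted to 0.0.0.0/0 and ::/0; since this group only fronts the Atlas private endpoint, the defaults can be narrowed to the port range Atlas documents for private endpoints and to the CIDRs of the workloads that actually connect. The group's `description = "Allow inbound traffic"` says nothing about what it protects; `description = "Access to the MongoDB Atlas private endpoint for ${var.cluster_name}"` would make it identifiable in the console. `advanced_configuration` passes `minimum_enabled_tls_protocol` straight through without a check, so a caller can still select TLS1_0; the variable declaration is the right place for that validation.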
@@ -0,0 +1,28 @@
+output "private_link_id" {
+ value = mongodbatlas_privatelink_endpoint.mongodbatlas.id
+}
+
+output "endpoint_service_name" {
+ value = aws_vpc_endpoint.mongodbatlas.service_name
+}
+
+output "status" {
+ value = mongodbatlas_privatelink_endpoint.mongodbatlas.status
+}
+
+output "name" {
+ value = mongodbatlas_cluster.cluster.name
+}
+
+output "service_endpoint_dns" {
+ value = aws_vpc_endpoint.mongodbatlas.dns_entry[0]["dns_name"]
+}
+
+# https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/cluster#example---return-a-connection-string
+output "connect_string_aws_private_endpoint" {
+ value = mongodbatlas_cluster.cluster.connection_strings[0].private_endpoint[0].srv_connection_string
+}
+
+output "connect_string_standard" {
+ value = mongodbatlas_cluster.cluster.connection_strings[0].standard
+}
diff --git a/terraform-modules/aws/mongodb-atlas/variables.tf b/terraform-modules/aws/mongodb-atlas/variables.tf
new file mode 100644
index 000000000..d7706fbe7
--- /dev/null
+++ b/terraform-modules/aws/mongodb-atlas/variables.tf
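Review bot: None of the seven outputs has a `description`, which is why the module README renders every output as "n/a" and, since it lists only five, was evidently generated before `connect_string_aws_private_endpoint` and `connect_string_standard` were added. Give each a one-line description, e.g. `description = "SRV connection string for the cluster via the AWS private endpoint"` on `connect_string_aws_private_endpoint`, and regenerate the README. `service_endpoint_dns` and both `connect_string_*` outputs index hard-coded element `[0]`; a comment stating that the module creates exactly one endpoint and one connection-string entry would explain why that is safe.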
@@ -0,0 +1,154 @@ +variable "aws_region" { + type = string + description = "The AWS region" +} + +variable "mongodbatlas_projectid" { + type = string + description = "The unique ID for the project to create the database user." +} + +variable "cluster_name" { + type = string + description = "Name of the cluster as it appears in Atlas. Once the cluster is created, its name cannot be changed." +} + +variable "cluster_type" { + type = string + description = "Specifies the type of the cluster that you want to modify. You cannot convert a sharded cluster deployment to a replica set deployment. You should use cluster type When you set replication_specs, when you are deploying Global Clusters or when you are deploying non-Global replica sets and sharded clusters. Accepted values include: REPLICASET Replica set, SHARDED Sharded cluster, GEOSHARDED Global Cluster" +} + +variable "num_shards" { + type = string + description = "Selects whether the cluster is a replica set or a sharded cluster. If you use the replicationSpecs parameter, you must set num_shards." +} + +variable "region_name" { + type = string + description = "" +} + +variable "cloud_backup" { + type = bool + description = "" +} + +variable "auto_scaling_disk_gb_enabled" { + type = bool + description = "Specifies whether disk auto-scaling is enabled. The default is true." +} + +variable "auto_scaling_compute_enabled" { + type = bool + default = false + description = "Specifies whether compute auto-scaling is enabled. The default is true." +} + +variable "auto_scaling_compute_scale_down_enabled" { + type = bool + default = false + description = "Set to true to enable the cluster tier to scale down. This option is only available if autoScaling.compute.enabled is true." 
+} + +variable "provider_auto_scaling_compute_max_instance_size" { + type = string + default = null + description = "The maximum instance size when scaling up" +} + +variable "provider_auto_scaling_compute_min_instance_size" { + type = string + default = null + description = "The minimum instance size when scaling down" +} + +variable "mongo_db_major_version" { + type = string + default = "5.0" + description = "Version of the cluster to deploy. Atlas supports the following MongoDB versions for M10+ clusters: 3.6, 4.0, or 4.2. You must set this value to 4.2 if provider_instance_size_name is either M2 or M5." +} + +variable "provider_name" { + type = string + description = "Cloud service provider on which the servers are provisioned. The possible values are: AWS - Amazon AWS, GCP - Google Cloud Platform, AZURE - Microsoft Azure, TENANT - A multi-tenant deployment on one of the supported cloud service providers. Only valid when providerSettings.instanceSizeName is either M2 or M5." +} + +variable "disk_size_gb" { + type = number + description = "GCP/AWS Only) Capacity, in gigabytes, of the host’s root volume. Increase this number to add capacity, up to a maximum possible value of 4096 (i.e., 4 TB). This value must be a positive integer. The minimum disk size for dedicated clusters is 10GB for AWS and GCP. If you specify diskSizeGB with a lower disk size, Atlas defaults to the minimum disk size value. Note: The maximum value for disk storage cannot exceed 50 times the maximum RAM for the selected cluster. If you require additional storage space beyond this limitation, consider upgrading your cluster to a higher tier. Cannot be used with clusters with local NVMe SSDs" +} + +variable "provider_instance_size_name" { + type = string + description = "Atlas provides different instance sizes, each with a default storage capacity and RAM size. The instance size you select is used for all the data-bearing servers in your cluster. 
See Create a Cluster providerSettings.instanceSizeName for valid values and default resources. Note free tier (M0) creation is not supported by the Atlas API and hence not supported by this provider.)" +} + +variable "javascript_enabled" { + type = bool + description = "When true, the cluster allows execution of operations that perform server-side executions of JavaScript. When false, the cluster disables execution of those operations." +} + +variable "minimum_enabled_tls_protocol" { + type = string + description = "Sets the minimum Transport Layer Security (TLS) version the cluster accepts for incoming connections.Valid values are: TLS1_0, TLS1_1, TLS1_2 " +} + +variable "vpc_id" { + type = string + description = "VPC id" +} + +variable "subnet_ids" { + description = "Set of EC2 Subnet IDs." + type = list(string) +} + +variable "tags" { + description = "A list of Tags" + type = map(any) +} + +variable "electable_nodes" { + type = number + description = "Number of electable nodes for Atlas to deploy to the region. Electable nodes can become the primary and can facilitate local reads. The total number of electableNodes across all replication spec regions must total 3, 5, or 7. Specify 0 if you do not want any electable nodes in the region. You cannot create electable nodes in a region if priority is 0." +} + +variable "priority" { + type = number + description = " Election priority of the region. For regions with only read-only nodes, set this value to 0. For regions where electable_nodes is at least 1, each region must have a priority of exactly one (1) less than the previous region. The first region must have a priority of 7. The lowest possible priority is 1. The priority 7 region identifies the Preferred Region of the cluster. Atlas places the primary node in the Preferred Region. Priorities 1 through 7 are exclusive - no more than one region per cluster can be assigned a given priority. 
Example: If you have three regions, their priorities would be 7, 6, and 5 respectively. If you added two more regions for supporting electable nodes, the priorities of those regions would be 4 and 3 respectively." +} + +variable "read_only_nodes" { + type = number + description = "Number of read-only nodes for Atlas to deploy to the region. Read-only nodes can never become the primary, but can facilitate local-reads. Specify 0 if you do not want any read-only nodes in the region." +} + +variable "ingress_rule" { + type = list(any) + description = "A list of ingress rules" + default = [ + { + description = "All ports from internal addresses" + from_port = 0 + to_port = 65535 + protocol = "tcp" + cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/16"] + ipv6_cidr_blocks = [] + }, + ] +} + +variable "egress_rule" { + type = list(any) + description = "A list of ingress rules" + default = [ + { + description = "All" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + }, + ] +} diff --git a/terraform-modules/aws/msk/README.md b/terraform-modules/aws/msk/README.md new file mode 100644 index 000000000..ce71a612f --- /dev/null +++ b/terraform-modules/aws/msk/README.md 
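Review bot: `variable "minimum_enabled_tls_protocol"` has no `validation` block and no default, so a typo or a deliberate `TLS1_0` is accepted silently and applied to the cluster; the rewrite below constrains it to the three values its own description lists and proposes `TLS1_2` as the default, which keeps the variable backward compatible for callers that already pass it. Separately, `egress_rule` is described as "A list of ingress rules" (copy-paste from `ingress_rule`), `region_name` and `cloud_backup` have empty descriptions, `num_shards` is typed `string` although it is a count, and the `100.64.0.0/16` entry in the `ingress_rule` default looks like a typo if the intent is the shared address space, which is `100.64.0.0/10`—worth confirming with whoever chose the ranges.
```hcl
variable "minimum_enabled_tls_protocol" {
  type        = string
  default     = "TLS1_2"
  description = "Sets the minimum Transport Layer Security (TLS) version the cluster accepts for incoming connections. Valid values are: TLS1_0, TLS1_1, TLS1_2"

  validation {
    condition     = contains(["TLS1_0", "TLS1_1", "TLS1_2"], var.minimum_enabled_tls_protocol)
    error_message = "minimum_enabled_tls_protocol must be one of TLS1_0, TLS1_1 or TLS1_2."
  }
}
# … unchanged: remaining variable declarations …
```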
@@ -0,0 +1,28 @@ +# msk +This module creates an AWS Managed Streaming for Apache Kafka (MSK). + +This module is based off the work of another module located here: +https://github.com/cloudposse/terraform-aws-msk-apache-kafka-cluster + +In addition to creating an MSK broker, running this module will create: +* An MSK broker with 2 nodes in each defined subnet, maximum of 3 subnets. +* Creates an s3 bucket if the user decides MSK logs should be delivered to an S3 bucket +* A Cloudwatch Log group if Cloudwatch logging is enabled and a group is specified. + + +# How to run the unit tests +Note that the provisioning of an MSK cluster takes about 30 minutes. + +``` +cd test +go test ./ -v -timeout=999m +``` + +no cache run +``` +go test ./ -v -count=1 +``` + +## How to run the debugger + +TBD diff --git a/terraform-modules/aws/msk/main.tf b/terraform-modules/aws/msk/main.tf new file mode 100644 index 000000000..79a205d98 --- /dev/null +++ b/terraform-modules/aws/msk/main.tf 
@@ -0,0 +1,163 @@
+locals{
+ years_valid = 10
+}
+
+resource "aws_cloudwatch_log_group" "msk_cloudwatch_log_group" {
+ name = var.cloudwatch_logs_log_group
+ tags = var.tags
+}
+
+#######################################
+# S3 bucket
+#######################################
+resource "aws_kms_key" "this" {
+ description = "This key is used to encrypt bucket objects"
+ deletion_window_in_days = 10
+}
+
+resource "aws_s3_bucket" "this" {
+ bucket = var.s3_logs_bucket
+ tags = var.tags
+}
+
+# resource "aws_s3_bucket_acl" "this" {
+# bucket = aws_s3_bucket.this.id
+# acl = "private"
+# }
+
+# When turning on server side encryption the ACM creation failes with:
+# │ Error: error creating ACM PCA Certificate Authority: ValidationException: Permission error with your S3 bucket '476264532441-us-west-2-msk-logs'. Check that your bucket policy, encryption settings, S3 Block Public Access settings, and global account permissions are configured correctly. For more information, check the service documentation.
+# │ status code: 400, request id: 3ba26851-f96a-48b6-a9a2-ca7a68be8e5f
+# │
+# │ with aws_acmpca_certificate_authority.this,
+# │ on main.tf line 91, in resource "aws_acmpca_certificate_authority" "this":
+# │ 91: resource "aws_acmpca_certificate_authority" "this" {
+# resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+# bucket = aws_s3_bucket.this.bucket
+
+# rule {
+# apply_server_side_encryption_by_default {
+# kms_master_key_id = aws_kms_key.this.arn
+# sse_algorithm = "aws:kms"
+# }
+# }
+# }
+
+data "aws_iam_policy_document" "acmpca_bucket_access" {
+ statement {
+ actions = [
+ "s3:GetBucketAcl",
+ "s3:GetBucketLocation",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ ]
+
+ resources = [
+ aws_s3_bucket.this.arn,
+ "${aws_s3_bucket.this.arn}/*",
+ ]
+
+ principals {
+ identifiers = ["acm-pca.amazonaws.com"]
+ type = "Service"
+ }
+ }
+}
+
+resource "aws_s3_bucket_policy" "this" {
+ bucket = aws_s3_bucket.this.id
+ policy = data.aws_iam_policy_document.acmpca_bucket_access.json
+}
+
+#######################################
+# Private CA
+#######################################
+data "aws_partition" "current" {
+}
+
+resource "aws_acmpca_certificate_authority_certificate" "cacert" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.this.arn
+
+ certificate = aws_acmpca_certificate.cert.certificate
+ certificate_chain = aws_acmpca_certificate.cert.certificate_chain
+}
+
+resource "aws_acmpca_certificate" "cert" {
+ certificate_authority_arn = aws_acmpca_certificate_authority.this.arn
+ certificate_signing_request = aws_acmpca_certificate_authority.this.certificate_signing_request
+ signing_algorithm = "SHA512WITHRSA"
+
+ template_arn = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"
+
+ validity {
+ type = "YEARS"
+ value = local.years_valid
+ }
+}
+
+resource "aws_acmpca_certificate_authority" "this" {
+ certificate_authority_configuration {
+ key_algorithm = var.key_algorithm
+ signing_algorithm = var.signing_algorithm
+
+ subject {
+ common_name = var.common_name
+ }
+ }
+
+ type = "ROOT"
+
+ revocation_configuration {
+ crl_configuration {
+ custom_cname = "crl.${var.common_name}"
+ enabled = true
+ expiration_in_days = var.expiration_in_days
+ s3_bucket_name = aws_s3_bucket.this.id
+ }
+ }
+
+ tags = var.tags
+
+ depends_on = [aws_s3_bucket_policy.this]
+}
+
+#######################################
+# MSK Cluster
+#######################################
+module "msk" {
+ source = "cloudposse/msk-apache-kafka-cluster/aws"
+ version = "v0.8.4"
+ namespace = var.namespace
+ name = var.name
+ vpc_id = var.vpc_id
+ client_broker = var.client_broker
+ zone_id = var.zone_id
+ security_groups = var.security_groups
+ subnet_ids = var.subnet_ids
+ kafka_version = var.kafka_version
+ number_of_broker_nodes = var.number_of_broker_nodes
+ broker_instance_type = var.broker_instance_type
+ broker_volume_size = var.broker_volume_size
+ tags = var.tags
+ certificate_authority_arns = [aws_acmpca_certificate_authority.this.arn]
+ client_tls_auth_enabled = var.client_tls_auth_enabled
+ client_sasl_iam_enabled = var.client_sasl_iam_enabled
+ encryption_in_cluster = var.encryption_in_cluster
+ encryption_at_rest_kms_key_arn = var.encryption_at_rest_kms_key_arn != null ? var.encryption_at_rest_kms_key_arn : aws_kms_key.this.arn
+ cloudwatch_logs_enabled = var.cloudwatch_logs_enabled
+ cloudwatch_logs_log_group = var.cloudwatch_logs_enabled == true ? var.cloudwatch_logs_log_group : ""
+ enhanced_monitoring = var.enhanced_monitoring
+ node_exporter_enabled = var.node_exporter_enabled
+ jmx_exporter_enabled = var.jmx_exporter_enabled
+ s3_logs_bucket = var.s3_logs_enabled == true ? aws_s3_bucket.this.id : ""
+ s3_logs_enabled = var.s3_logs_enabled
+ s3_logs_prefix = var.s3_logs_enabled == true ? var.s3_logs_prefix : ""
+
+ depends_on = [
+ aws_cloudwatch_log_group.msk_cloudwatch_log_group,
+ aws_s3_bucket.this,
+ aws_acmpca_certificate.cert
+ ]
+}
+
+
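Review bot: The bucket `aws_s3_bucket.this`, which holds the private CA's CRL and, when `s3_logs_enabled` is true, the MSK broker logs, ends up with no server-side encryption at all because the `aws_s3_bucket_server_side_encryption_configuration` block was commented out after the ACM PCA permission error; that error reads as PCA being unable to use the SSE-KMS key rather than SSE as such, so I would re-enable the block with `sse_algorithm = "AES256"` and no `kms_master_key_id`, or, if SSE-KMS is required, add a key policy on `aws_kms_key.this` that grants `acm-pca.amazonaws.com` `kms:GenerateDataKey` and `kms:Decrypt` (verify against the PCA CRL documentation). That same key is the fallback for the cluster's `encryption_at_rest_kms_key_arn` but has no `enable_key_rotation = true`. Separately, `aws_acmpca_certificate.cert` hard-codes `signing_algorithm = "SHA512WITHRSA"` while the CA itself is built from `var.key_algorithm`/`var.signing_algorithm`, so a non-RSA key algorithm would presumably fail at self-signing; `signing_algorithm = var.signing_algorithm` keeps the two consistent. The CloudWatch log group is also created unconditionally with no `retention_in_days`, so its retention defaults to never-expire even when `cloudwatch_logs_enabled` is false.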
diff --git a/terraform-modules/aws/msk/outputs.tf b/terraform-modules/aws/msk/outputs.tf
new file mode 100644
index 000000000..fb500caac
--- /dev/null
+++ b/terraform-modules/aws/msk/outputs.tf
@@ -0,0 +1,15 @@
+output "cluster_name" {
+ description = "MSK Cluster name"
+ value = module.msk.cluster_name
+}
+
+
+output "cluster_arn" {
+ description = "Amazon Resource Name (ARN) of the MSK cluster"
+ value = module.msk.cluster_arn
+}
+
+output "zookeeper_connect_string" {
+ description = "A comma separated list of one or more hostname:port pairs to use to connect to the Apache Zookeeper cluster"
+ value = module.msk.zookeeper_connect_string
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/msk/test/go.mod b/terraform-modules/aws/msk/test/go.mod
new file mode 100644
index 000000000..29a3fbdd0
--- /dev/null
+++ b/terraform-modules/aws/msk/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.16
+
+require (
+ github.com/gruntwork-io/terratest v0.36.8
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/msk/test/go.sum b/terraform-modules/aws/msk/test/go.sum
new file mode 100644
index 000000000..c2d9b1c70
--- /dev/null
+++ b/terraform-modules/aws/msk/test/go.sum
@@ -0,0 +1,631 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.38.28/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline 
v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= 
+github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod 
h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod 
h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.36.8 h1:V4vuJSK23iTDGpu6mkLDUK9xSTWRblABX4RMI9kh+SU= +github.com/gruntwork-io/terratest v0.36.8/go.mod h1:3zzDkmFBGDcSwQRaXS/LKnobwnff09oo5z/B6SVwRy8= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 
h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.12.0 h1:8czPgEEWWPROStjkWPUnTQDXmpmZPlkQAwYYLETaTvw= +github.com/hashicorp/terraform-json v0.12.0/go.mod h1:pmbq9o4EuL43db5+0ogX10Yofv1nozM+wskr/bGFJpI= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod 
h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0 h1:s5hAObm+yFO5uHYt5dYjxi2rXrsnmRpJx4OYvIWUaQs= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
+github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= 
+github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= 
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/otp v1.2.0/go.mod 
h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4= +github.com/sergi/go-diff 
v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= 
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd 
v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod 
h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod 
h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME= +golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod 
h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod 
h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod 
h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto 
v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf 
v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod 
h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go 
v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod 
h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/terraform-modules/aws/msk/test/terratest_test.go b/terraform-modules/aws/msk/test/terratest_test.go new file mode 100644 index 000000000..b27e058eb --- /dev/null +++ b/terraform-modules/aws/msk/test/terratest_test.go 
@@ -0,0 +1,117 @@ +package test + +import ( + "math/rand" + "testing" + "time" + + // "github.com/gruntwork-io/terratest/modules/aws" + "github.com/gruntwork-io/terratest/modules/terraform" + "github.com/stretchr/testify/assert" +) + +// Default test +func TestTerraformDefault(t *testing.T) { + t.Parallel() + + stringRand := randomString(8) + + aws_region := "us-east-1" + zone_id := "Z00728331PNYVN1WW537D" + vpc_id := "vpc-07f9e885659e500a3" + private_subnet_zone_a1 := "subnet-00ef641516b153b07" + private_subnet_zone_b1 := "subnet-05d35441add280470" + private_subnet_zone_c1 := "subnet-0195ee284970febc7" + security_group_1 := "sg-04cf9aad443ba81d8" + security_group_2 := "sg-05ba88c62deee78f0" + name := "test-broker-name-" + stringRand + client_broker := "TLS" + namespace := "test-broker-namespace" + number_of_broker_nodes := 3 + broker_volume_size := 10 + broker_instance_type := "kafka.t3.small" + encryption_in_cluster := true + encryption_at_rest_kms_key_arn := "" + cloudwatch_logs_enabled := false + cloudwatch_logs_log_group := "managedkube/qa/us-east-1/msk-test-" + stringRand + kafka_version := "2.3.1" + node_exporter_enabled := false + enhanced_monitoring := "DEFAULT" + s3_logs_bucket := "" + s3_logs_enabled := false + s3_logs_prefix := "" + client_tls_auth_enabled := false + certificate_authority_arns := "" + + terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{ + // The path to where our Terraform code is located + TerraformDir: "../", + + // Dynamic Variables that we should pass in addition to varfile.tfvars + // VarFiles: []string{ + // "./test/var1.tfvars", + // }, + + Vars: map[string]interface{}{ + "aws_region": aws_region, + "zone_id": zone_id, + "vpc_id": vpc_id, + "subnet_ids": []string{private_subnet_zone_a1, private_subnet_zone_b1, private_subnet_zone_c1}, + "security_groups": []string{security_group_1, security_group_2}, + "name": name, + "client_broker": client_broker, + "namespace": namespace, + 
"number_of_broker_nodes": number_of_broker_nodes, + "broker_volume_size": broker_volume_size, + "broker_instance_type": broker_instance_type, + "encryption_in_cluster": encryption_in_cluster, + "encryption_at_rest_kms_key_arn": encryption_at_rest_kms_key_arn, + "cloudwatch_logs_enabled": cloudwatch_logs_enabled, + "cloudwatch_logs_log_group": cloudwatch_logs_log_group, + "kafka_version": kafka_version, + "node_exporter_enabled": node_exporter_enabled, + "enhanced_monitoring": enhanced_monitoring, + "s3_logs_bucket": s3_logs_bucket, + "s3_logs_enabled": s3_logs_enabled, + "s3_logs_prefix": s3_logs_prefix, + "client_tls_auth_enabled": client_tls_auth_enabled, + "certificate_authority_arns": []string{certificate_authority_arns}, + "tags": map[string]interface{}{ + "purpose": "terratest", + "repo": "managedkube", + "repo-path": "terraform-modules/aws/msk/test", + }, + }, + + // Disable colors in Terraform commands so its easier to parse stdout/stderr + NoColor: true, + }) + + // At the end of the test, run `terraform destroy` to clean up any resources that were created + defer terraform.Destroy(t, terraformOptions) + + // This will run `terraform init` and `terraform apply` and fail the test if there are any errors + terraform.InitAndApply(t, terraformOptions) + + // Run `terraform output` to get the values of output variables + mskName := terraform.Output(t, terraformOptions, "cluster_name") + assert.Equal(t, namespace+"-"+name, mskName) + +} + +func randomString(len int) string { + + rand.Seed(time.Now().UTC().UnixNano()) + bytes := make([]byte, len) + + for i := 0; i < len; i++ { + bytes[i] = byte(randInt(97, 122)) + } + + return string(bytes) +} + +func randInt(min int, max int) int { + + return min + rand.Intn(max-min) +} diff --git a/terraform-modules/aws/msk/variables.tf b/terraform-modules/aws/msk/variables.tf new file mode 100644 index 000000000..cc2075141 --- /dev/null +++ b/terraform-modules/aws/msk/variables.tf 
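Review bot: The `zone_id`, `vpc_id`, three subnet IDs and two security-group IDs at the top of TestTerraformDefault are hard-coded to one account, so the test can only run there and quietly couples CI to that environment; read them from the environment and skip when absent, e.g. `vpcID := os.Getenv("MSK_TEST_VPC_ID")` followed by `if vpcID == "" { t.Skip("MSK_TEST_VPC_ID not set") }` (variable names illustrative, `os` import needed). `certificate_authority_arns` is wrapped as `[]string{certificate_authority_arns}`, which with the `""` above sends a list holding one empty ARN rather than an empty list — presumably harmless only because `client_tls_auth_enabled` is false, so `[]string{}` is the safer shape. In randomString, `randInt(97, 122)` delegates to `rand.Intn(max-min)`, whose result excludes `max`, so the letter `z` is never produced; `rand.Intn(max-min+1)` (or indexing a literal alphabet) fixes the off-by-one.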
@@ -0,0 +1,157 @@ +variable "aws_region" { + type = string + description = "The AWS region you want to deploy to" +} + +variable "vpc_id" { + type = string + description = "The VPC id of where you want to provision MSK" +} + +variable "name" { + type = string + description = "Solution name" +} + + +variable "namespace" { + type = string + description = "Namespace, which could be your organization name or abbreviation," +} + +variable "client_broker" { + type = string + description = "Encryption setting for data in transit between clients and brokers. Valid values: TLS, TLS_PLAINTEXT, and PLAINTEXT" +} + +variable "zone_id" { + type = string + description = "Route53 DNS Zone ID for MSK broker hostnames" +} + +variable "subnet_ids" { + type = list(string) + description = "Subnet IDs for Client Broker" +} + +# Supported versions: https://docs.aws.amazon.com/msk/latest/developerguide/supported-kafka-versions.html +variable "kafka_version" { + type = string + default = "2.8.1" + description = "The desired Kafka software version" +} + +variable "number_of_broker_nodes" { + type = number + description = "The desired total number of broker nodes in the kafka cluster. It must be a multiple of the number of specified client subnets." 
+} + +# https://docs.aws.amazon.com/msk/latest/developerguide/msk-create-cluster.html#broker-instance-types +variable "broker_instance_type" { + type = string + default = "kafka.t3.small" + description = "The instance type to use for the Kafka brokers" +} + +variable "broker_volume_size" { + type = number + description = "The size in GiB of the EBS volume for the data drive on each broker node" +} + +variable "tags" { + type = map(any) + description = "Additional tags" +} + +variable "encryption_in_cluster" { + type = bool + description = "Whether data communication among broker nodes is encrypted" +} + +variable "encryption_at_rest_kms_key_arn" { + type = string + default = null + description = "You may specify a KMS key short ID or ARN (it will always output an ARN) to use for encrypting your data at rest. If null the key created in this module will be used." +} + +variable "cloudwatch_logs_enabled" { + type = bool + description = "Indicates whether you want to enable or disable streaming broker logs to Cloudwatch Logs" +} + +variable "cloudwatch_logs_log_group" { + type = string + description = "Name of the Cloudwatch Log Group to deliver logs to" +} + +variable "enhanced_monitoring" { + type = string + description = "Specify the desired enhanced MSK CloudWatch monitoring level. 
Valid values: DEFAULT, PER_BROKER, and PER_TOPIC_PER_BROKER" +} + +variable "s3_logs_bucket" { + type = string + description = "Name of the S3 bucket to deliver logs to" +} + +variable "s3_logs_enabled" { + type = bool + description = "Indicates whether you want to enable or disable streaming broker logs to S3" +} + +variable "s3_logs_prefix" { + type = string + description = "Prefix to append to the S3 folder name logs are delivered to" +} + +variable "security_groups" { + type = list(string) + description = "The security_group_id_list output from the security_groups module" +} + +variable "client_tls_auth_enabled" { + type = bool + description = "Set true to enable the Client TLS Authentication" +} + +variable "client_sasl_iam_enabled" { + type = bool + default = false + description = "Enables client authentication via IAM policies (cannot be set to true at the same time as client_sasl_*_enabled)." +} + +variable "common_name" { + type = string + description = "The common name for the CA" + default = "example.com" +} + +variable "expiration_in_days" { + type = number + description = "The CA expiration in days" + default = 7 +} + +variable "key_algorithm" { + type = string + description = "The CA key algorithm" + default = "RSA_4096" +} + +variable "signing_algorithm" { + type = string + description = "The CA signing algorithm" + default = "SHA512WITHRSA" +} + +variable "node_exporter_enabled" { + type = bool + default = false + description = "Set true to enable the Prometheus Node Exporter" +} + +variable "jmx_exporter_enabled" { + type = bool + default = false + description = "Set true to enable the Prometheus JMX Exporter" +} diff --git a/terraform-modules/aws/postgres/README.md b/terraform-modules/aws/postgres/README.md new file mode 100644 index 000000000..1e2fab3c1 --- /dev/null +++ b/terraform-modules/aws/postgres/README.md 
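Review bot: `client_broker` and `enhanced_monitoring` carry their allowed values only in the description, so a typo such as `tls` or `Default` is not caught until the AWS API rejects the cluster; a `validation` block makes the contract explicit and keeps choosing `PLAINTEXT` a deliberate act (the same pattern fits `enhanced_monitoring`, extending the list if newer levels are in use). The description of `client_sasl_iam_enabled` refers to `client_sasl_*_enabled` inputs that do not appear in this file, so either sibling variables are missing or that clause should go. `expiration_in_days` defaults to `7` for "The CA expiration"; if this drives the validity of the private CA behind `client_tls_auth_enabled` (main.tf is not in this hunk), a one-week default is only suitable for throwaway tests and deserves either a comment saying so or a larger value.
```hcl
variable "client_broker" {
  type        = string
  description = "Encryption setting for data in transit between clients and brokers. Valid values: TLS, TLS_PLAINTEXT, and PLAINTEXT"

  validation {
    condition     = contains(["TLS", "TLS_PLAINTEXT", "PLAINTEXT"], var.client_broker)
    error_message = "Value of client_broker must be one of TLS, TLS_PLAINTEXT or PLAINTEXT."
  }
}

# … unchanged: remaining variables …
```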
@@ -0,0 +1,52 @@ +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [db](#module\_db) | terraform-aws-modules/rds/aws | ~> 3.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [allocated\_storage](#input\_allocated\_storage) | The allocated storage in gigabytes | `string` | `100` | no | +| [backup\_retention\_period](#input\_backup\_retention\_period) | The days to retain backups for | `number` | `"0"` | no | +| [backup\_window](#input\_backup\_window) | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance\_window | `string` | `"03:00-06:00"` | no | +| [deletion\_protection](#input\_deletion\_protection) | The database can't be deleted when this value is set to true. | `bool` | `true` | no | +| [engine](#input\_engine) | The database engine to use | `string` | `"postgres"` | no | +| [engine\_version](#input\_engine\_version) | The engine version to use | `string` | `"11.12"` | no | +| [family](#input\_family) | The family of the DB parameter group | `string` | `"postgres11"` | no | +| [identifier](#input\_identifier) | The name of the RDS instance, if omitted, Terraform will assign a random, unique identifier | `string` | n/a | yes | +| [instance\_class](#input\_instance\_class) | The instance type of the RDS instance | `string` | `"db.t3.large"` | no | +| [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. 
Eg: 'Mon:00:00-Mon:03:00' | `string` | `"Mon:00:00-Mon:03:00"` | no | +| [major\_engine\_version](#input\_major\_engine\_version) | Specifies the major version of the engine that this option group should be associated with | `string` | `"11"` | no | +| [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `1024` | no | +| [name](#input\_name) | The DB name to create. If omitted, no database is created initially | `string` | `null` | no | +| [parameters](#input\_parameters) | A list of DB parameters (map) to apply | `list(map(string))` |
[
{
"name": "autovacuum",
"value": 1
},
{
"name": "client_encoding",
"value": "utf8"
}
]
| no | +| [password](#input\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file | `string` | `null` | no | +| [private\_subnets](#input\_private\_subnets) | A list of private subnets | `list(any)` | n/a | yes | +| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier | `bool` | `false` | no | +| [storage\_encrypted](#input\_storage\_encrypted) | Specifies whether the DB instance is encrypted | `bool` | `true` | no | +| [storage\_type](#input\_storage\_type) | One of 'standard' (magnetic), 'gp2' (general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. | `string` | `"gp2"` | no | +| [tags](#input\_tags) | n/a | `map(any)` |
{
"ops_env": "staging",
"ops_managed_by": "terraform",
"ops_owners": "devops",
"ops_source_repo": "kubernetes-ops",
"ops_source_repo_path": "terraform-module/aws/postgres"
}
| no | +| [username](#input\_username) | Username for the master DB user | `string` | `null` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | The CIDR block of the VPC | `any` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | The ID of the VPC | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint | diff --git a/terraform-modules/aws/postgres/main.tf b/terraform-modules/aws/postgres/main.tf new file mode 100644 index 000000000..a55602686 --- /dev/null +++ b/terraform-modules/aws/postgres/main.tf 
@@ -0,0 +1,70 @@
+module "security_group" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "~> 4"
+
+ name = "${var.identifier}-${var.name}"
+ description = "PostgreSQL security group"
+ vpc_id = var.vpc_id
+
+ # ingress
+ ingress_with_cidr_blocks = [
+ {
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+
+ description = "PostgreSQL access from within VPC"
+ cidr_blocks = var.vpc_cidr_block
+ },
+ ]
+
+ tags = var.tags
+}
+
+module "db" {
+ source = "terraform-aws-modules/rds/aws"
+ version = "~> 3.0"
+
+ identifier = var.identifier
+
+ engine = var.engine
+ engine_version = var.engine_version
+ family = var.family
+ major_engine_version = var.major_engine_version
+ instance_class = var.instance_class
+
+ storage_type = var.storage_type
+ allocated_storage = var.allocated_storage
+ max_allocated_storage = var.max_allocated_storage
+ storage_encrypted = var.storage_encrypted
+
+ # NOTE: Do NOT use 'user' as the value for 'username' as it throws:
+ # "Error creating DB Instance: InvalidParameterValue: MasterUsername
+ # user cannot be used as it is a reserved word used by the engine"
+ name = var.name
+ username = var.username
+ password = var.password
+ port = 5432
+
+ multi_az = true
+ subnet_ids = var.private_subnets
+ vpc_security_group_ids = [module.security_group.security_group_id]
+
+ maintenance_window = var.maintenance_window
+ backup_window = var.backup_window
+ enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+
+ backup_retention_period = var.backup_retention_period
+ skip_final_snapshot = var.skip_final_snapshot
+ deletion_protection = var.deletion_protection
+
+ performance_insights_enabled = true
+ performance_insights_retention_period = 7
+ monitoring_role_name = "${var.identifier}-${var.name}"
+ create_monitoring_role = true
+ monitoring_interval = 60
+
+ parameters = var.parameters
+
+ tags = var.tags
+}
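Review bot: Both `name = "${var.identifier}-${var.name}"` on the security_group module and `monitoring_role_name = "${var.identifier}-${var.name}"` on the db module interpolate `var.name`, whose declared default in variables.tf is `null`, and Terraform rejects a null inside a string template, so the module fails at plan time for every caller who leaves the database name unset even though the README marks it optional; use `"${var.identifier}-${coalesce(var.name, "postgres")}"` in both places, or build the names from `var.identifier` alone since it is already required and unique. The ingress rule opens 5432 to the whole `var.vpc_cidr_block`; that matches its description, but a dedicated `allowed_cidr_blocks` input defaulting to the VPC CIDR would let callers narrow access to the application subnets without forking the module.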
diff --git a/terraform-modules/aws/postgres/output.tf b/terraform-modules/aws/postgres/output.tf
new file mode 100644
index 000000000..36b6910d4
--- /dev/null
+++ b/terraform-modules/aws/postgres/output.tf
@@ -0,0 +1,4 @@
+output "db_instance_endpoint" {
+ description = "The connection endpoint"
+ value = module.db.db_instance_endpoint
+}
diff --git a/terraform-modules/aws/postgres/variables.tf b/terraform-modules/aws/postgres/variables.tf
new file mode 100644
index 000000000..5353cd513
--- /dev/null
+++ b/terraform-modules/aws/postgres/variables.tf
@@ -0,0 +1,127 @@ +variable "vpc_id" { + description = "The ID of the VPC" +} + +variable "vpc_cidr_block" { + description = "The CIDR block of the VPC" +} + +variable "private_subnets" { + description = "A list of private subnets" + type = list(any) +} + +variable "identifier" { + description = "The name of the RDS instance, if omitted, Terraform will assign a random, unique identifier" + type = string +} +variable "engine" { + description = "The database engine to use" + type = string + default = "postgres" +} +variable "engine_version" { + description = "The engine version to use" + type = string + default = "11.12" +} +variable "family" { + description = "The family of the DB parameter group" + type = string + default = "postgres11" +} +variable "major_engine_version" { + description = "Specifies the major version of the engine that this option group should be associated with" + type = string + default = "11" +} +variable "instance_class" { + description = "The instance type of the RDS instance" + type = string + default = "db.t3.large" +} +variable "storage_type" { + description = "One of 'standard' (magnetic), 'gp2' (general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not." + type = string + default = "gp2" +} +variable "allocated_storage" { + description = "The allocated storage in gigabytes" + type = string + default = 100 +} + +variable "max_allocated_storage" { + description = "Specifies the value for Storage Autoscaling" + type = number + default = 1024 +} +variable "storage_encrypted" { + description = "Specifies whether the DB instance is encrypted" + type = bool + default = true +} +variable "name" { + description = "The DB name to create. 
If omitted, no database is created initially" + type = string + default = null +} +variable "username" { + description = "Username for the master DB user" + type = string + default = null +} +variable "password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file" + type = string + default = null +} +variable "maintenance_window" { + description = "The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00'" + type = string + default = "Mon:00:00-Mon:03:00" +} +variable "backup_window" { + description = "The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window" + type = string + default = "03:00-06:00" +} +variable "backup_retention_period" { + description = "The days to retain backups for" + type = number + default = "0" +} +variable "deletion_protection" { + description = "The database can't be deleted when this value is set to true." + type = bool + default = true +} +variable "skip_final_snapshot" { + description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier" + type = bool + default = false +} +variable "parameters" { + description = "A list of DB parameters (map) to apply" + type = list(map(string)) + default = [ + { + name = "autovacuum" + value = 1 + }, + { + name = "client_encoding" + value = "utf8" + } + ] +} +variable "tags" { + type = map(any) + default = { + ops_env = "staging" + ops_managed_by = "terraform", + ops_source_repo = "kubernetes-ops", + ops_owners = "devops", + ops_source_repo_path = "terraform-module/aws/postgres" + } +} 
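Review bot: `backup_retention_period` defaults to `"0"`, which for RDS disables automated backups (and with them point-in-time recovery) — an odd default next to `deletion_protection = true`, `storage_encrypted = true` and the hard-coded `multi_az = true` in main.tf; `default = 7` keeps the conservative posture, and the literal should be a number rather than a string to match `type = number`. `allocated_storage` has the opposite mismatch, `type = string` with `default = 100`, and should be `type = number`. `vpc_id` and `vpc_cidr_block` declare no `type`, so they accept anything (the README renders them as `any`); `type = string` on both documents the contract and catches a list passed by mistake.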
diff --git a/terraform-modules/aws/qldb/main.tf b/terraform-modules/aws/qldb/main.tf
new file mode 100644
index 000000000..8dcb87819
--- /dev/null
+++ b/terraform-modules/aws/qldb/main.tf
@@ -0,0 +1,6 @@
+resource "aws_qldb_ledger" "this" {
+ name = var.name
+ permissions_mode = var.permissions_mode
+ deletion_protection = var.deletion_protection
+ tags = var.tags
+}
diff --git a/terraform-modules/aws/qldb/outputs.tf b/terraform-modules/aws/qldb/outputs.tf
new file mode 100644
index 000000000..9a28b8721
--- /dev/null
+++ b/terraform-modules/aws/qldb/outputs.tf
@@ -0,0 +1,7 @@
+output "id" {
+ value = aws_qldb_ledger.this.id
+}
+
+output "arn" {
+ value = aws_qldb_ledger.this.arn
+}
diff --git a/terraform-modules/aws/qldb/variables.tf b/terraform-modules/aws/qldb/variables.tf
new file mode 100644
index 000000000..08e8003c2
--- /dev/null
+++ b/terraform-modules/aws/qldb/variables.tf
@@ -0,0 +1,23 @@
+variable "name" {
+ type = string
+ default = ""
+ description = "(Optional) The friendly name for the QLDB Ledger instance. By default generated by Terraform."
+}
+
+variable "permissions_mode" {
+ type = string
+ default = "STANDARD"
+ description = "(Required) The permissions mode for the QLDB ledger instance. Specify either ALLOW_ALL or STANDARD."
+}
+
+variable "deletion_protection" {
+ type = bool
+ default = true
+ description = "(Optional) The deletion protection for the QLDB Ledger instance. By default it is true. To delete this resource via Terraform, this value must be configured to false and applied first before attempting deletion."
+}
+
+variable "tags" {
+ type = any
+ default = {}
+ description = "AWS Tags"
+}
diff --git a/terraform-modules/aws/route53/hosted-zone/README.md b/terraform-modules/aws/route53/hosted-zone/README.md
new file mode 100644
index 000000000..340488175
--- /dev/null
+++ b/terraform-modules/aws/route53/hosted-zone/README.md
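Review bot: In qldb/variables.tf, `name` defaults to `""` while its description promises a Terraform-generated name; main.tf passes the value straight to `aws_qldb_ledger`, and an empty string is a value rather than an omission, so unless the provider treats `""` as unset the ledger is created with an empty name or rejected — `default = null` is the idiom for "let the provider choose". `permissions_mode` is described as "(Required)" yet has `default = "STANDARD"`; keep the default, since STANDARD is the mode that enforces IAM permissions per ledger and table while ALLOW_ALL does not, and change the description to "(Optional)". `tags` is typed `any` whereas the msk and postgres modules in this commit use `map(any)`; `map(string)` would be both consistent and stricter.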
@@ -0,0 +1,16 @@ +# Route53 Hosted Zone with DNSSEC + +You can verify the DNSSEC here after applying: https://dnssec-analyzer.verisignlabs.com + +## Provider +This module does not contain a provider and leaves it up to the instantiator to add this section into their Terraform. The reason is to keep this module reusable because you might have different provider settings than what this module would set and you can not have more than one of these in a Terraform run. + +You should add a section like this to your terraform instantiation: +``` +# Configure the AWS Provider +provider "aws" { + region = "us-east-1" +} +``` + +Setting the region to `us-east-1` is the eaiest thing to do beause it seems that AWS sets the route53 hosted region to this region and the signing keys for DNSSEC has to be in the same region. diff --git a/terraform-modules/aws/route53/hosted-zone/main.tf b/terraform-modules/aws/route53/hosted-zone/main.tf new file mode 100644 index 000000000..bfc40e90f --- /dev/null +++ b/terraform-modules/aws/route53/hosted-zone/main.tf 
@@ -0,0 +1,67 @@
+resource "aws_kms_key" "this" {
+ customer_master_key_spec = "ECC_NIST_P256"
+ deletion_window_in_days = 7
+ key_usage = "SIGN_VERIFY"
+ policy = jsonencode({
+ Statement = [
+ {
+ Action = [
+ "kms:DescribeKey",
+ "kms:GetPublicKey",
+ "kms:Sign",
+ ],
+ Effect = "Allow"
+ Principal = {
+ Service = "dnssec-route53.amazonaws.com"
+ }
+ Sid = "Allow Route 53 DNSSEC Service",
+ Resource = "*"
+ },
+ {
+ Action = "kms:CreateGrant",
+ Effect = "Allow"
+ Principal = {
+ Service = "dnssec-route53.amazonaws.com"
+ }
+ Sid = "Allow Route 53 DNSSEC Service to CreateGrant",
+ Resource = "*"
+ Condition = {
+ Bool = {
+ "kms:GrantIsForAWSResource" = "true"
+ }
+ }
+ },
+ {
+ Action = "kms:*"
+ Effect = "Allow"
+ Principal = {
+ AWS = "*"
+ }
+ Resource = "*"
+ Sid = "IAM User Permissions"
+ },
+ ]
+ Version = "2012-10-17"
+ })
+
+ tags = var.tags
+}
+
+resource "aws_route53_zone" "this" {
+ name = var.domain_name
+
+ tags = var.tags
+}
+
+resource "aws_route53_key_signing_key" "this" {
+ hosted_zone_id = aws_route53_zone.this.id
+ key_management_service_arn = aws_kms_key.this.arn
+ name = "key"
+}
+
+resource "aws_route53_hosted_zone_dnssec" "this" {
+ depends_on = [
+ aws_route53_key_signing_key.this
+ ]
+ hosted_zone_id = aws_route53_key_signing_key.this.hosted_zone_id
+}
diff --git a/terraform-modules/aws/route53/hosted-zone/outputs.tf b/terraform-modules/aws/route53/hosted-zone/outputs.tf
new file mode 100644
index 000000000..5f63c1dd4
--- /dev/null
+++ b/terraform-modules/aws/route53/hosted-zone/outputs.tf
@@ -0,0 +1,7 @@
+output "zone_id" {
+ value = aws_route53_zone.this.zone_id
+}
+
+output "name_servers" {
+ value = aws_route53_zone.this.name_servers
+}
diff --git a/terraform-modules/aws/route53/hosted-zone/test/go.mod b/terraform-modules/aws/route53/hosted-zone/test/go.mod
new file mode 100644
index 000000000..4672cc929
--- /dev/null
+++ b/terraform-modules/aws/route53/hosted-zone/test/go.mod
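Review bot: The third key-policy statement, `Sid = "IAM User Permissions"`, grants `kms:*` on the DNSSEC signing key to `Principal = { AWS = "*" }` with no condition; in a KMS key policy that is not "this account's IAM users" but every principal in every AWS account, so the key that signs the zone can be used, disabled or scheduled for deletion from outside the account. The intended statement scopes the principal to the owning account root: add `data "aws_caller_identity" "current" {}` and use `AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"`. The two service statements for `dnssec-route53.amazonaws.com` could also carry the `aws:SourceAccount` condition AWS documents for this integration, so a hosted zone in another account cannot route signing requests through this key. `deletion_window_in_days = 7` is the minimum KMS allows; for a key whose loss breaks validation of the whole zone, the default 30-day window leaves more room to notice a mistaken destroy.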
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+ github.com/gruntwork-io/terratest v0.32.24
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/route53/hosted-zone/test/go.sum b/terraform-modules/aws/route53/hosted-zone/test/go.sum
new file mode 100644
index 000000000..df390bcb1
--- /dev/null
+++ b/terraform-modules/aws/route53/hosted-zone/test/go.sum
@@ -0,0 +1,617 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= 
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod 
h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit 
v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod 
h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf 
v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod 
h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.32.24 h1:ihbpYh05VBNPtru2GGN36xTLrLkdMacCyRuvIOs3lsQ= +github.com/gruntwork-io/terratest v0.32.24/go.mod h1:IBb+b5b7p34oZLfpz/ZADyn8TSKeWSBu+vQMmNeePLE= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= 
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.9.0 h1:WE7+Wt93W93feOiCligElSyS0tlDzwZUtJuDGIBr8zg= +github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go 
v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod 
h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
+github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= 
+github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft 
v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= 
+github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod 
h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto 
v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint 
v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 
h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools 
v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod 
h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= +google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod 
h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod 
h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= 
+k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/terraform-modules/aws/route53/hosted-zone/test/terratest_test.go b/terraform-modules/aws/route53/hosted-zone/test/terratest_test.go new file mode 100644 index 000000000..b1324dab7 --- /dev/null +++ b/terraform-modules/aws/route53/hosted-zone/test/terratest_test.go 
@@ -0,0 +1,75 @@
+package test
+
+import (
+ "math/rand"
+ "testing"
+ "time"
+
+ // "github.com/gruntwork-io/terratest/modules/aws"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Default test
+func TestTerraformDefault(t *testing.T) {
+ t.Parallel()
+
+ // Random string for various dynamic bucket name usage
+ stringRand := randomString(8)
+ domainName := "unit-test-"+stringRand+".com"
+
+ terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+ // The path to where our Terraform code is located
+ TerraformDir: "../",
+
+ // Dynamic Variables that we should pass in addition to varfile.tfvars
+ Vars: map[string]interface{}{
+ "domain_name": domainName,
+ // "aws_region": "us-east-1",
+ // "environment_name": "unittest_aws_vpc_" + stringRand,
+ // "vpc_cidr": "10.0.0.0/16",
+ // "enable_nat_gateway": false,
+ // "enable_vpn_gateway": false,
+ "tags": map[string]interface{}{
+ "ops_env": "unit-test",
+ "ops_managed_by": "terraform",
+ "ops_source_repo": "kubernetes-ops",
+ "ops_source_repo_path": "terraform-module/aws/route53/hosted-zone",
+ "ops_owners": "devops",
+ },
+ },
+
+ // Disable colors in Terraform commands so its easier to parse stdout/stderr
+ NoColor: true,
+ })
+
+ // At the end of the test, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run `terraform output` to get the values of output variables
+ actualZoneId := terraform.Output(t, terraformOptions, "zone_id")
+
+ // awsAccountID := aws.GetAccountId(t)
+ // Check that the first letter in the zone_id is a capital Z. It always is =)
+assert.Equal(t, "Z", string(actualZoneId[0]))
+}
+
+func randomString(len int) string {
+
+ rand.Seed(time.Now().UTC().UnixNano())
+ bytes := make([]byte, len)
+
+ for i := 0; i < len; i++ {
+ bytes[i] = byte(randInt(97, 122))
+ }
+
+ return string(bytes)
+}
+
+func randInt(min int, max int) int {
+
+ return min + rand.Intn(max-min)
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/route53/hosted-zone/variables.tf b/terraform-modules/aws/route53/hosted-zone/variables.tf
new file mode 100644
index 000000000..f1090f803
--- /dev/null
+++ b/terraform-modules/aws/route53/hosted-zone/variables.tf
@@ -0,0 +1,8 @@
+variable "domain_name" {
+ description = "The domain name"
+ type = string
+}
+
+variable "tags" {
+ type = map(any)
+}
diff --git a/terraform-modules/aws/s3_bucket/README.md b/terraform-modules/aws/s3_bucket/README.md
new file mode 100644
index 000000000..7ffc92fbb
--- /dev/null
+++ b/terraform-modules/aws/s3_bucket/README.md
@@ -0,0 +1,80 @@ +# s3_bucket +Create an S3 bucket: +* Versioning +* Encryption +* Logging +* HTTPS access only + +## HTTPS access only +This is a Prowler finding and cloud help with other compliancy. This will set the bucket +to accept HTTPS requests only. + +``` +var.policy = { + "Id": "ExamplePolicy", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowSSLRequestsOnly", + "Action": "s3:*", + "Effect": "Deny", + "Resource": [ + "arn:aws:s3:::${bucket_name}", + "arn:aws:s3:::${bucket_name}/*" + ], + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Principal": "*" + } + ] + } +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_key.kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_s3_bucket.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_s3_bucket_public_access_block.acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.encryption_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_region](#input\_aws\_region) | n/a | `string` | `"us-east-1"` | no | +| [block\_public\_acls](#input\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for this bucket. 
| `bool` | n/a | yes | +| [block\_public\_policy](#input\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for this bucket. | `bool` | n/a | yes | +| [bucket](#input\_bucket) | The name of the bucket. If omitted, Terraform will assign a random, unique name. Must be less than or equal to 63 characters in length. | `string` | n/a | yes | +| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | (Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. | `number` | `10` | no | +| [enable\_key\_rotation](#input\_enable\_key\_rotation) | (Optional) Specifies whether key rotation is enabled. Defaults to false. | `bool` | `true` | no | +| [ignore\_public\_acls](#input\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for this bucket. | `bool` | n/a | yes | +| [policy](#input\_policy) | n/a | `string` | `null` | no | +| [restrict\_public\_buckets](#input\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for this bucket. | `bool` | n/a | yes | +| [tags](#input\_tags) | A map of tags to assign to the bucket. If configured with a provider default\_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. | `map(any)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bucket\_domain\_name](#output\_bucket\_domain\_name) | n/a | +| [bucket\_id](#output\_bucket\_id) | The ID of the bucket | diff --git a/terraform-modules/aws/s3_bucket/main.tf b/terraform-modules/aws/s3_bucket/main.tf new file mode 100644 index 000000000..082c7e626 --- /dev/null +++ b/terraform-modules/aws/s3_bucket/main.tf 
@@ -0,0 +1,67 @@
+resource "aws_kms_key" "kms_key" {
+ description = "This key is used to encrypt bucket objects"
+ deletion_window_in_days = var.deletion_window_in_days
+
+ enable_key_rotation = var.enable_key_rotation
+
+ tags = var.tags
+}
+
+resource "aws_s3_bucket" "bucket" {
+ bucket = var.bucket
+
+ tags = var.tags
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "encryption_config" {
+ bucket = aws_s3_bucket.bucket.bucket
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "acl" {
+ bucket = aws_s3_bucket.bucket.id
+
+ block_public_acls = var.block_public_acls
+ block_public_policy = var.block_public_policy
+ ignore_public_acls = var.ignore_public_acls
+ restrict_public_buckets = var.restrict_public_buckets
+
+}
+
+resource "aws_s3_bucket_policy" "bucket_policy" {
+ bucket = aws_s3_bucket.bucket.id
+ policy = var.policy
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+ count = var.enable_versioning ? 1 : 0
+
+ bucket = aws_s3_bucket.bucket.id
+ versioning_configuration {
+ status = var.versioning
+ }
+}
+
+resource "aws_s3_bucket_logging" "logging" {
+ count = var.enable_logging ? 1 : 0
+
+ # Bucket to enable logging on
+ bucket = aws_s3_bucket.bucket.id
+
+ # (Required) The name of the bucket where you want Amazon S3 to store server access logs.
+ target_bucket = var.logging_bucket_name
+ target_prefix = "log/"
+}
+
+resource "aws_s3_bucket_ownership_controls" "bucket_ownership_controls" {
+ count = var.enable_bucket_owner_enforced ? 1 : 0
+ bucket = aws_s3_bucket.bucket.id
+ rule {
+ object_ownership = "BucketOwnerEnforced"
+ }
+}
diff --git a/terraform-modules/aws/s3_bucket/outputs.tf b/terraform-modules/aws/s3_bucket/outputs.tf
new file mode 100644
index 000000000..a93afd14d
--- /dev/null
+++ b/terraform-modules/aws/s3_bucket/outputs.tf
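Review bot: `aws_kms_key.kms_key` is created but never referenced — `apply_server_side_encryption_by_default` sets `sse_algorithm = "aws:kms"` without a `kms_master_key_id`, so objects are encrypted under the AWS-managed `aws/s3` key and the customer-managed key (with its rotation setting and deletion window) sits unused; add `kms_master_key_id = aws_kms_key.kms_key.arn` next to `sse_algorithm`. `aws_s3_bucket_policy.bucket_policy` passes `var.policy` unconditionally; `policy` is a required argument, so if the variable defaults to `null` as the README input table in this commit states, an apply without an explicit policy fails — guard it with `count = var.policy == null ? 0 : 1`. `enable_versioning`, `versioning`, `enable_logging`, `logging_bucket_name` and `enable_bucket_owner_enforced` are read here but absent from that same README table; either the module's variables file (not in this view) declares them and the docs are stale, or they are undeclared and `terraform validate` will reject the module. `encryption_config` references `aws_s3_bucket.bucket.bucket` while every other resource uses `.id`; both resolve to the bucket name, but one form throughout reads better.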
@@ -0,0 +1,9 @@
+output "bucket_id" {
+ description = "The ID of the bucket"
+ value = aws_s3_bucket.bucket.id
+}
+
+output "bucket_domain_name" {
+ value = aws_s3_bucket.bucket.bucket_domain_name
+}
+
diff --git a/terraform-modules/aws/s3_bucket/test/go.mod b/terraform-modules/aws/s3_bucket/test/go.mod
new file mode 100644
index 000000000..4672cc929
--- /dev/null
+++ b/terraform-modules/aws/s3_bucket/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+ github.com/gruntwork-io/terratest v0.32.24
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/s3_bucket/test/go.sum b/terraform-modules/aws/s3_bucket/test/go.sum
new file mode 100644
index 000000000..f607bb444
--- /dev/null
+++ b/terraform-modules/aws/s3_bucket/test/go.sum
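Review bot: `bucket_domain_name` has no `description` while `bucket_id` does; add `description = "The bucket's domain name"`. Callers that write IAM or bucket policies for this bucket need its ARN rather than its id, and because main.tf in this commit creates a dedicated KMS key, principals that read or write objects will need `kms:GenerateDataKey`/`kms:Decrypt` on that key once it is wired into the encryption configuration; exposing both ARNs as outputs keeps consumers from hard-coding them.
```hcl
# … unchanged: bucket_id and bucket_domain_name outputs …

output "bucket_arn" {
  description = "The ARN of the bucket, for use in IAM and bucket policies"
  value       = aws_s3_bucket.bucket.arn
}

output "kms_key_arn" {
  description = "ARN of the module's KMS key; grant kms:GenerateDataKey/kms:Decrypt on it to principals that write or read objects"
  value       = aws_kms_key.kms_key.arn
}
```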
@@ -0,0 +1,631 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= 
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go 
v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod 
h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0 
h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.32.24 h1:ihbpYh05VBNPtru2GGN36xTLrLkdMacCyRuvIOs3lsQ= +github.com/gruntwork-io/terratest v0.32.24/go.mod h1:IBb+b5b7p34oZLfpz/ZADyn8TSKeWSBu+vQMmNeePLE= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.9.0 h1:WE7+Wt93W93feOiCligElSyS0tlDzwZUtJuDGIBr8zg= +github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod 
h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod 
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= 
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= 
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
+github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools 
v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf 
v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod 
h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go 
v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod 
h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/terraform-modules/aws/s3_bucket/test/terratest_test.go b/terraform-modules/aws/s3_bucket/test/terratest_test.go new file mode 100644 index 000000000..b80481c5e --- /dev/null +++ b/terraform-modules/aws/s3_bucket/test/terratest_test.go 
@@ -0,0 +1,77 @@
+package test
+
+import (
+ "math/rand"
+ "testing"
+ "time"
+
+ // "github.com/gruntwork-io/terratest/modules/aws"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Default test
+func TestTerraformDefault(t *testing.T) {
+ t.Parallel()
+
+ // Random string for various dynamic bucket name usage
+ stringRand := randomString(8)
+
+ terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+ // The path to where our Terraform code is located
+ TerraformDir: "../",
+
+ // Dynamic Variables that we should pass in addition to varfile.tfvars
+ Vars: map[string]interface{}{
+ "aws_region": "us-east-1",
+ "environment_name": "unittest_aws_vpc_" + stringRand,
+ "vpc_cidr": "10.0.0.0/16",
+ "enable_nat_gateway": false,
+ "enable_vpn_gateway": false,
+ "tags": `{
+ ops_env = "unit-test"
+ ops_managed_by = "terraform",
+ ops_source_repo = "kubernetes-ops",
+ ops_source_repo_path = "terraform-module/aws/vpc",
+ ops_owners = "devops"
+ }`,
+ },
+
+ // Disable colors in Terraform commands so its easier to parse stdout/stderr
+ NoColor: true,
+ })
+
+ // At the end of the test, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run `terraform output` to get the values of output variables
+ actualVPCId := terraform.Output(t, terraformOptions, "vpc_id")
+ // actualPrivateSubnets := terraform.Output(t, terraformOptions, "private_subnets")
+
+ // awsAccountID := aws.GetAccountId(t)
+
+ // assert.Equal(t, "unittest_aws_iam_policy_"+stringRand, actualPolicyName)
+ // assert.Equal(t, "arn:aws:iam::"+awsAccountID+":policy/unittest_aws_iam_policy_"+stringRand, actualPolicyArn)
+ assert.Equal(t, "vpc-", actualVPCId[0:4])
+ // assert.Equal(t, 3, len(actualPrivateSubnets))
+}
+
+func randomString(len int) string {
+
+ rand.Seed(time.Now().UTC().UnixNano())
+ bytes := make([]byte, len)
+
+ for i := 0; i < len; i++ {
+ bytes[i] = byte(randInt(97, 122))
+ }
+
+ return string(bytes)
+}
+
+func randInt(min int, max int) int {
+
+ return min + rand.Intn(max-min)
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/s3_bucket/variables.tf b/terraform-modules/aws/s3_bucket/variables.tf
new file mode 100644
index 000000000..4d0327a61
--- /dev/null
+++ b/terraform-modules/aws/s3_bucket/variables.tf
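Review bot: The `Vars` map and the final assertion are copied from a VPC test: `vpc_cidr`, `enable_nat_gateway`, `enable_vpn_gateway` and `environment_name` are not inputs of the s3_bucket module, and the s3_bucket `variables.tf` added in this same commit declares `bucket`, `block_public_acls`, `block_public_policy`, `ignore_public_acls` and `restrict_public_buckets` with no defaults, so `terraform.InitAndApply` should fail on missing required variables before the `assert.Equal` on `vpc_id` is ever reached. Pass the module's own inputs and assert on one of its outputs as sketched below (the module's outputs file is not in this diff, so the output name is a placeholder). `randomString(len int)` shadows the builtin `len`; `n` reads better. `randInt`'s upper bound is exclusive (`rand.Intn(max-min)`), so `randInt(97, 122)` never yields `'z'`; pass `123` or use `max-min+1` if the full range is intended.
```go
		// Inputs declared by terraform-modules/aws/s3_bucket/variables.tf
		Vars: map[string]interface{}{
			"aws_region":              "us-east-1",
			"bucket":                  "unittest-s3-bucket-" + stringRand,
			"block_public_acls":       true,
			"block_public_policy":     true,
			"ignore_public_acls":      true,
			"restrict_public_buckets": true,
		},
		// … unchanged: NoColor, Destroy, InitAndApply …

	// OUTPUT_NAME is a placeholder: use the module's actual bucket-name output
	actualBucket := terraform.Output(t, terraformOptions, "OUTPUT_NAME")
	assert.Equal(t, "unittest-s3-bucket-"+stringRand, actualBucket)
```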
@@ -0,0 +1,94 @@
+variable "aws_region" {
+ default = "us-east-1"
+}
+
+variable "tags" {
+ type = map(any)
+ description = "A map of tags to assign to the bucket. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."
+ default = {}
+}
+
+variable "bucket" {
+ type = string
+ description = "The name of the bucket. If omitted, Terraform will assign a random, unique name. Must be less than or equal to 63 characters in length."
+}
+
+variable "block_public_acls" {
+ type = bool
+ description = "Whether Amazon S3 should block public ACLs for this bucket."
+}
+
+variable "block_public_policy" {
+ type = bool
+ description = "Whether Amazon S3 should block public bucket policies for this bucket."
+}
+
+variable "ignore_public_acls" {
+ type = bool
+ description = "Whether Amazon S3 should ignore public ACLs for this bucket."
+}
+
+variable "restrict_public_buckets" {
+ type = bool
+ description = "Whether Amazon S3 should restrict public bucket policies for this bucket."
+}
+
+variable "policy" {
+ type = string
+ default = null
+}
+
+variable "enable_key_rotation" {
+ type = bool
+ description = "(Optional) Specifies whether key rotation is enabled. Defaults to false."
+ default = true
+}
+
+variable "deletion_window_in_days" {
+ type = number
+ description = "(Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key."
+ default = 10
+}
+
+variable "enable_versioning" {
+ type = bool
+ description = "Enable S3 versioning"
+ default = true
+}
+
+variable "versioning" {
+ type = string
+ description = "(Required) The versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets."
+ default = "Enabled"
+}
+
+variable "enable_logging" {
+ type = bool
+ description = "Enable S3 logging"
+ default = false
+}
+
+variable "logging_bucket_name" {
+ type = string
+ description = "(Required) The name of the bucket where you want Amazon S3 to store server access logs. Could be the same as the bucket name."
+ default = "can-be-the-same-as-the-bucket-name"
+}
+
+variable "logging_bucket_prefix" {
+ type = string
+ description = "The prefix to add to the logs"
+ default = "s3-log/"
+}
+
+variable "enable_bucket_owner_enforced" {
+ type = bool
+ description = "BucketOwnerEnforced choice of object ownership, which is used to disable ACL-s."
+ #Bucket owner enforced (recommended) – ACLs are disabled, and the bucket
+ #owner automatically owns and has full control over every object in the bucket.
+ #ACLs no longer affect permissions to data in the S3 bucket. The bucket uses policies
+ #to define access control.
+ #https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
+ default = true
+
+}
+
diff --git a/terraform-modules/aws/security_groups/README.md b/terraform-modules/aws/security_groups/README.md
new file mode 100644
index 000000000..fb7868689
--- /dev/null
+++ b/terraform-modules/aws/security_groups/README.md
@@ -0,0 +1,26 @@
+# AWS Security Group
+This creates a set of security groups that can be used on other items.
+
+## Retrieving the security group by name:
+
+The `sg_list` output data structure:
+```
+sg_list = {
+ "id" = [
+ "sg-0978d62cacw3e8b21",
+ "sg-06f385f8d8w319d59",
+ "sg-033cc7d494w3cbe47",
+ "sg-0071a0c41bwaea18e",
+ ]
+ "name" = [
+ "dev-foo",
+ "dev-app",
+ "dev-bar",
+ "dev-ami",
+ ]
+```
+
+Can use the `index` function to find an index by the name:
+```
+module.security_groups.sg_list["id"][index(module.security_groups.sg_list["name"], "dev-app")]
+```
\ No newline at end of file
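Review bot: `logging_bucket_name` defaults to the literal `"can-be-the-same-as-the-bucket-name"`, a syntactically valid name in S3's global bucket namespace that this module does not control; presumably the logging resource (not in this chunk) uses it as the target bucket, so a caller that sets `enable_logging = true` and forgets this variable points server-access logs at a bucket the module never created. Use `default = null` and have the logging resource fall back to the module's own bucket, e.g. `target_bucket = coalesce(var.logging_bucket_name, var.bucket)`, which is what the description already suggests. Several descriptions also disagree with their defaults: `enable_key_rotation` says "Defaults to false" while `default = true`, and `versioning` and `logging_bucket_name` are marked "(Required)" yet carry defaults. `policy` has no description at all; note that it expects a bucket policy document or `null`.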
diff --git a/terraform-modules/aws/security_groups/main.tf b/terraform-modules/aws/security_groups/main.tf
new file mode 100644
index 000000000..e14bd6dd2
--- /dev/null
+++ b/terraform-modules/aws/security_groups/main.tf
@@ -0,0 +1,23 @@
+// Create the list of all security groups
+resource "aws_security_group" "sg" {
+ count = length(var.security_groups)
+ name = var.security_groups[count.index].name
+ vpc_id = var.vpc_id
+ tags = merge(var.security_groups[count.index].tags, {Name=var.security_groups[count.index].name})
+}
+
+// loop through the security groups to create the security group rules
+// pass source source security group id and name down
+module "security_group_loop" {
+ source = "./security_group_loop"
+
+ count = length(aws_security_group.sg)
+
+ source_security_group_id = aws_security_group.sg[count.index].id
+ source_security_group_name = var.security_groups[count.index].name
+
+ security_group_list = aws_security_group.sg
+
+ security_group_rule_list = var.security_groups[count.index].config
+
+}
diff --git a/terraform-modules/aws/security_groups/outputs.tf b/terraform-modules/aws/security_groups/outputs.tf
new file mode 100644
index 000000000..5c22a4c37
--- /dev/null
+++ b/terraform-modules/aws/security_groups/outputs.tf
@@ -0,0 +1,18 @@
+output "security_group_id_list" {
+ value = aws_security_group.sg.*.id
+}
+
+output "security_group_arn_list" {
+ value = aws_security_group.sg.*.arn
+}
+
+output "security_group_name_list" {
+ value = aws_security_group.sg.*.name
+}
+
+output "sg_list" {
+ value = {
+ name = aws_security_group.sg[*].name
+ id = aws_security_group.sg[*].id
+ }
+}
diff --git a/terraform-modules/aws/security_groups/security_group_loop/main.tf b/terraform-modules/aws/security_groups/security_group_loop/main.tf
new file mode 100644
index 000000000..2072e07b0
--- /dev/null
+++ b/terraform-modules/aws/security_groups/security_group_loop/main.tf
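Review bot: `aws_security_group.sg` is created with `count` over `var.security_groups`, so every group and, through `module.security_group_loop`, every rule is addressed by list position; removing or reordering one entry shifts the indexes of all later entries and Terraform plans to destroy and recreate those groups (`name` forces replacement) together with their rules, leaving attached instances without rules during the apply. Keying both blocks with `for_each` on the group name keeps addresses stable, as sketched below; module `for_each` needs Terraform 0.13 or later and the module's `required_version` is not in this chunk, so confirm before adopting it. The `sg_list` output in `outputs.tf` below, which the README tells users to index by position, would then be built from `values(aws_security_group.sg)[*].id` / `[*].name` or better returned as a map keyed by name. The resource also sets no `description`, so every group gets the provider's default text; `description = "Security group ${each.key}"` or a per-group field would make the groups identifiable in the console and in audit output.
```hcl
locals {
  // key groups by name so addresses do not depend on list order
  security_groups = { for sg in var.security_groups : sg.name => sg }
}

resource "aws_security_group" "sg" {
  for_each    = local.security_groups
  name        = each.key
  description = "Security group ${each.key}"
  vpc_id      = var.vpc_id
  tags        = merge(each.value.tags, { Name = each.key })
}

module "security_group_loop" {
  source   = "./security_group_loop"
  for_each = local.security_groups

  source_security_group_id   = aws_security_group.sg[each.key].id
  source_security_group_name = each.key
  security_group_list        = values(aws_security_group.sg)
  security_group_rule_list   = each.value.config
}
```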
@@ -0,0 +1,15 @@
+// loop through the sg rules list
+// pass the allow_group_name name
+module "sg_rules_list_loop" {
+ source = "./sg_rules_list_loop"
+
+ count = length(var.security_group_rule_list)
+
+ security_group_list = var.security_group_list
+
+ source_security_group_id = var.source_security_group_id
+ source_security_group_name = var.source_security_group_name
+
+ security_group_rule_config = var.security_group_rule_list[count.index]
+}
+
\ No newline at end of file
diff --git a/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/allow_sg_group_creation/main.tf b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/allow_sg_group_creation/main.tf
new file mode 100644
index 000000000..6b56f82ff
--- /dev/null
+++ b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/allow_sg_group_creation/main.tf
@@ -0,0 +1,12 @@
+// If the allow group name matches the allowed security group name then add it in
+resource "aws_security_group_rule" "sg_rule_from_groups" {
+ count = var.security_group_rule_config.allow_group_name == var.allow_security_group_name ? 1 : 0
+
+ type = var.security_group_rule_config.sg_type
+ from_port = var.security_group_rule_config.from_port
+ to_port = var.security_group_rule_config.to_port
+ protocol = var.security_group_rule_config.protocol
+ description = var.security_group_rule_config.description
+ security_group_id = var.source_security_group_id
+ source_security_group_id = var.allow_security_group_id
+}
diff --git a/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/allow_sg_group_creation/variables.tf b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/allow_sg_group_creation/variables.tf
new file mode 100644
index 000000000..06b5b09ac
--- /dev/null
+++ b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/allow_sg_group_creation/variables.tf
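Review bot: In `allow_sg_group_creation/main.tf` the `count` expression reads `var.security_group_rule_config.allow_group_name` unconditionally, and because `security_group_rule_config` is declared without a type in this submodule's `variables.tf`, a cidr-only rule object that omits `allow_group_name` makes every instance of this module fail at plan time with an unsupported-attribute error instead of producing zero rules. Guarding the lookup, `count = try(var.security_group_rule_config.allow_group_name, null) == var.allow_security_group_name ? 1 : 0`, lets such objects fall through as the comment on the resource intends. `source_security_group_name` is accepted as an input but never referenced in this file; either drop it from the interface or use it, e.g. as a fallback `description` when the rule's own description is empty. The preceding `security_group_loop/main.tf` hunk is a plain pass-through and needs no change.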
@@ -0,0 +1,19 @@
+variable "source_security_group_id" {
+ description = "The source security group id of the security group to add the rules to"
+}
+
+variable "source_security_group_name" {
+ description = "The source security group name of the security group to add the rules to"
+}
+
+variable "security_group_rule_config" {
+ description = "The security group rule configuration for one rule"
+}
+
+variable "allow_security_group_id" {
+ description = "The allowed security group ID of the security group to allow to this source_security_group_id"
+}
+
+variable "allow_security_group_name" {
+ description = "The allowed security group name of the security group to allow to this source_security_group_id"
+}
diff --git a/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/main.tf b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/main.tf
new file mode 100644
index 000000000..f05737801
--- /dev/null
+++ b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/main.tf
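Review bot: None of the five variables declares a `type`, so `source_security_group_id`, `allow_security_group_id` and the two name inputs accept any value, and a wrong-shaped `security_group_rule_config` only fails deep inside the `aws_security_group_rule` resource at plan time rather than at the module boundary. Add `type = string` to the id and name variables, e.g. `variable "allow_security_group_id" { type = string description = "..." }`, and give `security_group_rule_config` an explicit `object({ sg_type = string, from_port = number, to_port = number, protocol = string, description = string, ... })` type so the attribute names the rule resources rely on are checked once. The same applies to the `variables.tf` files of `sg_rules_list_loop` and `security_group_loop` later in this diff, which declare `security_group_list`, `security_group_rule_list` and the source id/name without types.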
@@ -0,0 +1,40 @@
+// loop through the security groups again to get the sg name/id and pass that down.
+module "allow_sg_group_creation" {
+ source = "./allow_sg_group_creation"
+
+ count = length(var.security_group_list)
+
+ source_security_group_id = var.source_security_group_id
+ source_security_group_name = var.source_security_group_name
+
+ security_group_rule_config = var.security_group_rule_config
+
+ allow_security_group_id = var.security_group_list[count.index].id
+ allow_security_group_name = var.security_group_list[count.index].name
+}
+
+// Add cidr block rules
+resource "aws_security_group_rule" "sg_rule_from_cidr" {
+ count = length(var.security_group_rule_config.cidr_blocks) > 0 ? 1 : 0
+
+ type = var.security_group_rule_config.sg_type
+ from_port = var.security_group_rule_config.from_port
+ to_port = var.security_group_rule_config.to_port
+ protocol = var.security_group_rule_config.protocol
+ description = var.security_group_rule_config.description
+ security_group_id = var.source_security_group_id
+ cidr_blocks = var.security_group_rule_config.cidr_blocks
+}
+
+// Add external sg group
+resource "aws_security_group_rule" "sg_rule_from_external_sg" {
+ count = var.security_group_rule_config.group_type == "external_sg" ? 1 : 0
+
+ type = var.security_group_rule_config.sg_type
+ from_port = var.security_group_rule_config.from_port
+ to_port = var.security_group_rule_config.to_port
+ protocol = var.security_group_rule_config.protocol
+ description = var.security_group_rule_config.description
+ security_group_id = var.source_security_group_id
+ source_security_group_id = var.security_group_rule_config.allow_group_name
+}
diff --git a/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/variables.tf b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/variables.tf
new file mode 100644
index 000000000..b165defe9
--- /dev/null
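Review bot: `sg_rule_from_external_sg` fills `source_security_group_id` from `var.security_group_rule_config.allow_group_name`, so for `group_type = "external_sg"` the `allow_group_name` field must hold an `sg-…` id rather than a name, which the field name and the comment `// pass the allow_group_name name` in `security_group_loop/main.tf` contradict; either document this on the `security_group_rule_config` variable or add a dedicated `allow_group_id` attribute and read that here. `sg_rule_from_cidr` is gated only on `length(cidr_blocks) > 0`, independent of `group_type`, so a config that sets both a matching `allow_group_name` and `cidr_blocks` produces two rules, and an `ingress` entry such as `0.0.0.0/0` over a wide port range is applied with no check anywhere in the chain; a `validation` block on the rule-config variable (or a `precondition` where the Terraform version allows) is the place to encode the project's policy and to reject the ambiguous two-rule case. Both `count` expressions also require `cidr_blocks` and `group_type` to be present on every config object because the variable is untyped; `try(var.security_group_rule_config.cidr_blocks, [])` and `try(var.security_group_rule_config.group_type, null)` make a partially specified rule degrade to zero rules instead of a plan error.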
+++ b/terraform-modules/aws/security_groups/security_group_loop/sg_rules_list_loop/variables.tf
@@ -0,0 +1,15 @@
+variable "security_group_list" {
+ description = "The security groups list that was created in the previous step"
+}
+
+variable "source_security_group_id" {
+ description = "The source security group id of the security group to add the rules to"
+}
+
+variable "source_security_group_name" {
+ description = "The source security group name of the security group to add the rules to"
+}
+
+variable "security_group_rule_config" {
+ description = "The security group rule configuration for one rule"
+}
diff --git a/terraform-modules/aws/security_groups/security_group_loop/variables.tf b/terraform-modules/aws/security_groups/security_group_loop/variables.tf
new file mode 100644
index 000000000..e5c75670e
--- /dev/null
+++ b/terraform-modules/aws/security_groups/security_group_loop/variables.tf
@@ -0,0 +1,15 @@
+variable "source_security_group_id" {
+ description = "The source security group id of the security group to add the rules to"
+}
+
+variable "source_security_group_name" {
+ description = "The source security group name of the security group to add the rules to"
+}
+
+variable "security_group_list" {
+ description = "The security groups list that was created in the previous step"
+}
+
+variable "security_group_rule_list" {
+ description = "Security group rules list to add to this security group"
+}
diff --git a/terraform-modules/aws/security_groups/test/go.mod b/terraform-modules/aws/security_groups/test/go.mod
new file mode 100644
index 000000000..4672cc929
--- /dev/null
+++ b/terraform-modules/aws/security_groups/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+ github.com/gruntwork-io/terratest v0.32.24
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/security_groups/test/go.sum b/terraform-modules/aws/security_groups/test/go.sum
new file mode 100644
index 000000000..f607bb444
--- /dev/null
+++ b/terraform-modules/aws/security_groups/test/go.sum
@@ -0,0 +1,631 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= 
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go 
v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod 
h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0 
h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.32.24 h1:ihbpYh05VBNPtru2GGN36xTLrLkdMacCyRuvIOs3lsQ= +github.com/gruntwork-io/terratest v0.32.24/go.mod h1:IBb+b5b7p34oZLfpz/ZADyn8TSKeWSBu+vQMmNeePLE= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.9.0 h1:WE7+Wt93W93feOiCligElSyS0tlDzwZUtJuDGIBr8zg= +github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod 
h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod 
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= 
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= 
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
+github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools 
v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf 
v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod 
h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go 
v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod 
h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/terraform-modules/aws/security_groups/test/kubernetes-ops.test b/terraform-modules/aws/security_groups/test/kubernetes-ops.test new file mode 100755 index 000000000..463d29659 Binary files /dev/null and b/terraform-modules/aws/security_groups/test/kubernetes-ops.test differ diff --git a/terraform-modules/aws/security_groups/test/terratest_test.go b/terraform-modules/aws/security_groups/test/terratest_test.go new file mode 100644 index 000000000..7cb8d4f00 --- /dev/null +++ b/terraform-modules/aws/security_groups/test/terratest_test.go 
@@ -0,0 +1,185 @@
+package test
+
+import (
+ "math/rand"
+ "testing"
+ "time"
+
+ // "github.com/gruntwork-io/terratest/modules/aws"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Default test
+func TestTerraformDefault(t *testing.T) {
+ t.Parallel()
+
+ // Random string for various dynamic bucket name usage
+ stringRand := randomString(8)
+ vpc := "vpc-0b8751c278512e5c3"
+ securityGroupForExternalSGTest := "sg-0522d4b134c4a719b" // Default security group for the VPC
+ group0Name := "group0-" + stringRand
+ group1Name := "group1-" + stringRand
+
+ terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+ // The path to where our Terraform code is located
+ TerraformDir: "../",
+
+ // Dynamic Variables that we should pass in addition to varfile.tfvars
+ // VarFiles: []string{
+ // "./test/var1.tfvars",
+ // },
+
+ Vars: map[string]interface{}{
+ "vpc_id": vpc,
+ "security_groups": []interface{}{
+ 0: map[string]interface{}{
+ "name": group0Name,
+ "config": []interface{}{
+ 0: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "ingress",
+ "allow_group_name": group1Name,
+ "group_type": "internal_mapping",
+ "from_port": "10111",
+ "to_port": "10111",
+ "protocol": "tcp",
+ "cidr_blocks": []interface{}{},
+ "description": "Allowing group " + group1Name + " on port 10111",
+ },
+ 1: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "ingress",
+ "allow_group_name": group1Name,
+ "group_type": "internal_mapping",
+ "from_port": "10112",
+ "to_port": "10112",
+ "protocol": "tcp",
+ "cidr_blocks": []interface{}{},
+ "description": "Allowing group " + group1Name + " on port 10112",
+ },
+ 2: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "egress",
+ "allow_group_name": "",
+ "group_type": "cidr_blocks",
+ "from_port": "-1",
+ "to_port": "-1",
+ "protocol": "-1",
+ // "cidr_blocks": []interface{}{},
+ "cidr_blocks": []interface{}{
+ "0.0.0.0/0",
+ },
+ "description": "Allowing egress",
+ },
+ 3: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "egress",
+ "allow_group_name": "",
+ "group_type": "cidr_blocks",
+ "from_port": "-1",
+ "to_port": "-1",
+ "protocol": "-1",
+ "cidr_blocks": []interface{}{},
+ "description": "Allowing egress",
+ },
+ 4: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "egress",
+ "allow_group_name": securityGroupForExternalSGTest,
+ "group_type": "external_sg",
+ "from_port": "-1",
+ "to_port": "-1",
+ "protocol": "-1",
+ "cidr_blocks": []interface{}{},
+ "description": "Allowing egress from externally created SG",
+ },
+ },
+ "tags": map[string]interface{}{
+ "purpose": "terratest",
+ "repo": "managedkube",
+ "repo-path": "terraform-modules/aws/node_list/test",
+ "node_group": group0Name,
+ },
+ },
+ 1: map[string]interface{}{
+ "name": group1Name,
+ "config": []interface{}{
+ 0: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "ingress",
+ "allow_group_name": group0Name,
+ "group_type": "internal_mapping",
+ "from_port": "10011",
+ "to_port": "10011",
+ "protocol": "tcp",
+ "cidr_blocks": []interface{}{},
+ "description": "Allowing group " + group0Name + " on port 10011",
+ },
+ 1: map[string]interface{}{
+ "enabled": "true",
+ "sg_type": "ingress",
+ "allow_group_name": group0Name,
+ "group_type": "internal_mapping",
+ "from_port": "10022",
+ "to_port": "10022",
+ "protocol": "tcp",
+ "cidr_blocks": []interface{}{},
+ "description": "Allowing group " + group0Name + " on port 10022",
+ },
+ },
+ "tags": map[string]interface{}{
+ "purpose": "terratest",
+ "repo": "managedkube",
+ "repo-path": "terraform-modules/aws/node_list/test",
+ "node_group": group1Name,
+ },
+ },
+ },
+ },
+
+ // Disable colors in Terraform commands so its easier to parse stdout/stderr
+ NoColor: true,
+ })
+
+ // At the end of the test, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run `terraform output` to get the values of output variables
+ outputSecurityGroupModuleNameList := terraform.OutputList(t, terraformOptions, "security_group_name_list")
+ outputSecurityGroupRuleModuleSGList := terraform.OutputList(t, terraformOptions, "security_group_id_list")
+
+ // awsAccountID := aws.GetAccountId(t)
+
+ // check if node0's name is accurate
+ assert.Equal(t, outputSecurityGroupModuleNameList[0], group0Name)
+ // check if node1's name is accurate
+ assert.Equal(t, outputSecurityGroupModuleNameList[1], group1Name)
+
+ // Check that there are 3 SG rules total for the items above
+ // This is checking how many SG rule set groups are being created. There should be one for each
+ // security group.
+ numberOfSGRulesExpected := 2
+ assert.Equal(t, len(outputSecurityGroupRuleModuleSGList), numberOfSGRulesExpected)
+
+}
+
+func randomString(len int) string {
+
+ rand.Seed(time.Now().UTC().UnixNano())
+ bytes := make([]byte, len)
+
+ for i := 0; i < len; i++ {
+ bytes[i] = byte(randInt(97, 122))
+ }
+
+ return string(bytes)
+}
+
+func randInt(min int, max int) int {
+
+ return min + rand.Intn(max-min)
+}
diff --git a/terraform-modules/aws/security_groups/variables.tf b/terraform-modules/aws/security_groups/variables.tf
new file mode 100644
index 000000000..240daba44
--- /dev/null
+++ b/terraform-modules/aws/security_groups/variables.tf
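Review bot: randInt returns values in [min, max) because `rand.Intn(max-min)` excludes the upper bound, so `randInt(97, 122)` in randomString never produces 'z'; use `bytes[i] = byte('a' + rand.Intn(26))`, and rename the `len` parameter, which shadows the builtin for the whole function body. The hard-coded `vpc-0b8751c278512e5c3` and `sg-0522d4b134c4a719b` tie the test to a single account; reading them from environment variables and calling `t.Skip` when they are unset would keep the test runnable elsewhere without editing source. The comment above `numberOfSGRulesExpected` says "3 SG rules" while the value asserted is 2 — suggest `// One security group id is expected per configured group (2 groups above)`. The assertions cover only names and count, so nothing verifies that the all-protocol egress to `0.0.0.0/0` in config index 2 or the `external_sg` reference in index 4 is created as configured; a regression in rule construction would still pass.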
@@ -0,0 +1,78 @@
+variable "vpc_id" {
+ type = string
+ description = "VPC ID"
+}
+
+variable "security_groups" {
+ # type = any
+ type = list(object({
+ name = string,
+ config = list(object({
+ enabled = bool,
+ sg_type = string,
+ allow_group_name = string,
+ group_type = string,
+ from_port = string,
+ to_port = string,
+ protocol = string,
+ cidr_blocks = list(string),
+ description = string,
+ })),
+ tags = map(any),
+ }))
+
+ description = "Security groups grouping config"
+
+ # default = [
+ # {
+ # name = "group-name",
+ # config = [
+ # {
+ # enabled = true,
+ # sg_type = "ingress",
+ # allow_group_name = "node2",
+ # group_type = "internal_mapping"
+ # from_port = "1234",
+ # to_port = "1234"
+ # protocol = "tcp",
+ # cidr_blocks = [],
+ # description = "Allowing node2 on port 1234"
+ # },
+ # {
+ # enabled = true,
+ # sg_type = "ingress",
+ # allow_group_name = "node2",
+ # group_type = "internal_mapping"
+ # from_port = "1234",
+ # to_port = "1234"
+ # protocol = "tcp",
+ # cidr_blocks = [],
+ # description = "Allowing node2 on port 1234"
+ # },
+ # {
+ # enabled = true,
+ # sg_type = "ingress",
+ # allow_group_name = "null",
+ # group_type = "cidr_blocks"
+ # from_port = "-1",
+ # to_port = "-1"
+ # protocol = "tcp",
+ # cidr_blocks = ["0.0.0.0/0"],
+ # description = "Allowing cidr block"
+ # },
+ # {
+ # enabled = true,
+ # sg_type = "ingress",
+ # allow_group_name = "sg-xxxxxx",
+ # group_type = "external_sg"
+ # from_port = "-1",
+ # to_port = "-1"
+ # protocol = "-1",
+ # cidr_blocks = [],
+ # description = "Allowing an externally created sg group"
+ # },
+ # ],
+ # tags = {}
+ # }
+ # ],
+}
diff --git a/terraform-modules/aws/ses/email_identity/main.tf b/terraform-modules/aws/ses/email_identity/main.tf
new file mode 100644
index 000000000..aa4365700
--- /dev/null
+++ b/terraform-modules/aws/ses/email_identity/main.tf
@@ -0,0 +1,3 @@
+resource "aws_ses_email_identity" "this" {
+ email = var.email
+}
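Review bot: The description "Security groups grouping config" does not explain the `config` object, in particular that `group_type` selects one of `internal_mapping`, `cidr_blocks` or `external_sg` (the three values used in the commented-out default and in the terratest file) and that `allow_group_name` is a sibling group's `name` for the first and an externally created `sg-…` id for the third. Suggest expanding the description to enumerate these `group_type` values and state which of `allow_group_name` / `cidr_blocks` each one reads; the module logic that consumes them is not in this hunk, so confirm against main.tf before writing it. `from_port` and `to_port` are typed `string` although they carry port numbers and `-1`; `number` would reject non-numeric input at plan time instead of at the provider. `enabled = bool` is fed `"true"` strings by the test, which works only through implicit conversion — either the test should pass `true` or the description should say strings are accepted.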
diff --git a/terraform-modules/aws/ses/email_identity/variables.tf b/terraform-modules/aws/ses/email_identity/variables.tf
new file mode 100644
index 000000000..cbb1a1bff
--- /dev/null
+++ b/terraform-modules/aws/ses/email_identity/variables.tf
@@ -0,0 +1,3 @@
+variable "email" {
+ description = "The email to add"
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/sns/suscription/README.md b/terraform-modules/aws/sns/suscription/README.md
new file mode 100644
index 000000000..d1d721682
--- /dev/null
+++ b/terraform-modules/aws/sns/suscription/README.md
@@ -0,0 +1,31 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_sns_topic_subscription.user_updates_sqs_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [endpoint](#input\_endpoint) | (Required) In email endpoint is an email address. | `any` | n/a | yes |
+| [protocol](#input\_protocol) | (Required) Protocol to use. Valid values are: sqs, sms, lambda, firehose, and application. Protocols email, email-json, http and https | `any` | n/a | yes |
+| [topic\_arn](#input\_topic\_arn) | (Required) ARN of the SNS topic to subscribe to. | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/terraform-modules/aws/sns/suscription/main.tf b/terraform-modules/aws/sns/suscription/main.tf
new file mode 100644
index 000000000..bdcbc8e75
--- /dev/null
+++ b/terraform-modules/aws/sns/suscription/main.tf
@@ -0,0 +1,5 @@
+resource "aws_sns_topic_subscription" "user_updates_sqs_target" {
+ topic_arn = var.topic_arn
+ protocol = var.protocol
+ endpoint = var.endpoint
+}
\ No newline at end of file
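Review bot: `variable "email"` declares no `type`, so it defaults to `any` and a list or map passed by mistake is only rejected by the provider when `aws_ses_email_identity.this` is applied; add `type = string` under the description. The same omission applies to `protocol`, `endpoint` and `topic_arn` in terraform-modules/aws/sns/suscription/variables.tf, which is why the generated README in this commit renders every input's type as `any`. Both variables files also end without a trailing newline.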
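Review bot: The resource is named `user_updates_sqs_target`, the example name from the provider documentation, while this module is protocol-agnostic (`protocol` and `endpoint` are inputs), so the address promises an SQS target that nothing in the module enforces. Naming it `this`, as the sibling `aws_ses_email_identity` module does, keeps addresses consistent: `resource "aws_sns_topic_subscription" "this" {`. Renaming later forces a destroy and re-create of the subscription once it is in state, so it is cheapest now. The directory name `suscription` is also misspelled (`subscription`), and every caller will have to carry that spelling in its module `source`.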
diff --git a/terraform-modules/aws/sns/suscription/variables.tf b/terraform-modules/aws/sns/suscription/variables.tf
new file mode 100644
index 000000000..39fe1d75d
--- /dev/null
+++ b/terraform-modules/aws/sns/suscription/variables.tf
@@ -0,0 +1,11 @@
+variable "protocol" {
+ description = "(Required) Protocol to use. Valid values are: sqs, sms, lambda, firehose, and application. Protocols email, email-json, http and https"
+}
+
+variable "endpoint" {
+ description = "(Required) In email endpoint is an email address."
+}
+
+variable "topic_arn" {
+ description = "(Required) ARN of the SNS topic to subscribe to."
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/ssm/AWS-SSM.png b/terraform-modules/aws/ssm/AWS-SSM.png
new file mode 100644
index 000000000..950fe0835
Binary files /dev/null and b/terraform-modules/aws/ssm/AWS-SSM.png differ
diff --git a/terraform-modules/aws/ssm/AWS-SSM.xml b/terraform-modules/aws/ssm/AWS-SSM.xml
new file mode 100644
index 000000000..3103ef988
--- /dev/null
+++ b/terraform-modules/aws/ssm/AWS-SSM.xml
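Review bot: The `protocol` description is cut off mid-sentence — "Protocols email, email-json, http and https" has no predicate — and this truncated text is reproduced verbatim in the generated README. Finish the sentence with what the upstream provider documentation says about these protocols (it describes them as valid but only partially supported, since the subscription must be confirmed out of band; confirm the exact wording against the current docs before committing it). The `endpoint` description "In email endpoint is an email address." is also garbled; suggest `Endpoint to send data to; its form depends on protocol (for email, an email address).`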
@@ -0,0 +1 @@ +7Vxrc9u2Ev01mqZ3ph6+9PqoKHHjpr31RJn6M0RCIiYkwYKgZd1fX7z4BCTTsiipV5okLQWSC+Cc3cUusNLAnccvvxKQhn/gAEYDxwpeBu6ngePYnuMM+F8r2MqWieXJhjVBgXqoalig/0HVaKnWHAUwazxIMY4oSpuNPk4S6NNGGyAEb5qPrXDU7DUFa6g1LHwQ6a1PKKChmsXQqtq/QLQOi55tS92JQfGwashCEOBNrcn9PHDnBGMqr+KXOYw4eAUu8r37HXfLgRGY0C4vWOOn9IdPv6Zzkn0Jnn6bjb6OfinEPIMoVzNWo6XbAgKC8ySAXIo9cD9uQkThIgU+v7thpLO2kMaRuq3EQULhy86B2uX0md5AHENKtuwR9cLUU4gplbEn6vOmIsBzVVtYA79sBIr0dSm7woVdKGjeAJMJpVHEuv24wmxSdbhGf+e4uPFLJvR5xh5wrfSlusmu1vz/s6cFu7dY/FGIY6OTEuV9jQuGKm0CnlGCf8A5jjBhLQlOIO8cRVGrCURonbCPPmMBsvaPnCPEFH2mbsQoCHg3RoYrHbCOQ/KoRbKrc2yPDRw7fVHsaBTPfMoAbDPAzDjll3kcyQcqJH8HSxg94gxRhDmiS0wpjg1QU9yyGpzTCCWMxcKJHQnlcRNkE8omQxr1BbKrgfzAtTGBVMOZSWM+nutjgbgf4Tw4iQcqV589uNmOAbhJX8B5unYK1zF7fNjjr62ToDW0Wmh5HdHqTc2GO9ASjtZawCxjBpqdHbixd2nAjTTgPs95w0OSUZAwJM4NmW05l4bZxBAb7FgzVhF8mfGglIEBk0BdMscGmEb6YjEHhOrNGoYw0KLWVxGsATQ04FO0ERgBip6b4k2gqR4eMRIRUEGQ2+JnNL0bNoVkOCc+VO/VA9aWKM0L66IYXGtINVGCx3Lqh1M7vVFb48OdHI1ab3RuagvdunErvePwaNyOX/cAfXPbIam9Im6n7fjscG6nr7uAvrnV87Qidw7QczOvfpjxcK+4vSRVVl0m27V3DGL+w8HHEWSh4n0KSYyKwNH8/oXF4e703KGRred712yIw2FpLQVF7YSxqyEaRFktUX0bop6SFnaRR22bilDR8oUNz7ESzHnJlxGjkI04CAjLyWpmVT2/VwIqNw8s4PvdRdwTHAuKCeQA4pz91weJYBj4IReXbDfqNuLtNOSXfz3O93oTvU/WWEejpfvv382L4IqefS9vOm05Hkd3PI7J8fS2mWfrOwCmVSIPENedCK85xQSgqPPS8GETYvnqmkEpVJF/3oSA/tx9xbmwDYgLWDH0HYhrXjEm7SX90PVCE3Tq1WLcxSDFZjDwBWDlPp2yMpSs3xHJfSDQxyTgKwcQo53//sCdPo5jkATZv8dktQ0wb3h2m73tgDV2wKxxOzbzvAPN1iDLbfPYt+WaNsHedvbpeKazzwVllgcIXzwNu/Ps6j5iSnBt56KtzZPyDPS1s+/+zkV3J9xd+bcnJv5rwfTVsGvbLe89HBn4PSm9HVL0kxeAtIxg2tUI+isAcQwHsP/+8oDWLnwVW5yrPsDR87bLLBCwOiB32goBR8+cLqdEwJu28epaUdGfqukZyWUWCbQjgguATg/4L65MwL481G6nyY3UxmkzNDy8UkBzx7qsntOkQr1u7MqoYXw8dr3h+dm9nSg3qgXaFdrvYHfcwQ/0za4pxb1edidasHY4u9MOfqBvdk0Z7q1iwBiWm75qcdooyTUdK1+vLQ699v6vXW4JvrlmQJdlTVuy+rbF3eeyt6KBKysamLR9j637ntNWDbimw+db1cCrOxIXsGqYjpevd9UYa+v6oWuGJunUK0aRaRz9+HHfmaM1CwKxSw/4+L7Bv3NEYMy4ra8V13Fi1bL1kcHUh9NTOmnv/d/FvZ1HVueR7X1S11BOctIDSW93XWltEfwuQitQN1PSMNMiTtuIwI+yBZand+xfgJOfqLghlEWsvyEQBUfiOs9gG
brJXW0hAbB/S5BR6SaW+EXEe3wNJzlvkVVFMce2KCpilysZM1I+mDs2dhBzGpNllgr+xIDqA1mKWS2jcjTFzxqoj7WI0hIDER1G2BcIxCwMRQksRyansuMRIU+OXUothm0a5zsy4ne8+mdKRfLMjfaNve3LJp5gGblnkOapYpdFcjVt+uvxvwVIWQoqlJiCYVqRoMI3qWvyCYY64UrO+V/mQtV4c4ACXfECXCpnpxxEqn196fJDwDQkkhrIf+2CD6DUHpaZiMHy+X2fP4oZF0tdTaHKSYU442NDSYYC/hmv6kpn0ozvIZIGBrnMNYtZqiFIG12iCNGtPqREzOFLpeRsWKYenhANS5TmBZySv7qxVh49y8KcUm5ElY8XvxpixKV6SnIeoR/NN6vhVRbNwqfdVmXUFJZxbjD5UXZgodUeORupURmiVBQ+apQI1JXMu7dkk5rJPEnfKAQyPhRyyoWEIhwS+Q7v6ei2+FD41iyWHjTd0lAAnRK8JiAumedc84cZueXotk342PKo0KINH1pnu86xkdntXmpBndhO8NfmSoW8BKU5i+7FZAwTkJOs/IIEf4XJBsj6Vald84dP33boW6VpNGQS12HVkQSvMe1yWtVMZbvs3TTZHT6gMH65NSIHtYIwUpRIefImINIlEjaMaFsNSSTFak5C5k6sD9tK6X/Neuurr+T2/yebPa1Co7EhyBya8uH+dgw8fSfS1tCvSoxe2VUBWSoLs1boheN2lNhcq86ydNRM1Vm9FcF5ty9n7K1gsK1DT8m0/RrLO/EpmafvoOnkXpY9lPifzR52l8Y3fLrLnrGPGjbJPCCrKuhlMsBXyJXcwZJJ6xI/m8OgRghwjDX1WKsnx8o5KlZ/ioI0FXgUmb6MLuoozFvBSZ4VcQuUgVMRGKtEokix60+lBD4jnGclIfs6YLl3Il+WUVkVrKEdgR3Pzszxl0i+amNsRpkZ0/eByhzM4e1PWT36FH2riJO/DrgV2tadfWfdMWW551/Sqw1XA9M0xoVKlJMSheLUDOdlOswHyqQJUFSILrplf9jlh89fFxLGb5/Uhdyg4bj8vHNuwkFEZXg9UBG1Pv4yk2bOTYxMvRZJqrFhE0D2j8qyR6UVKhsu+0toLZ5X6SAmPOPZ9hjQXkdo2T5GdAzfYTXHlu0vZXVYF9jH6gc75dJb/eyp+/kf \ No newline at end of file diff --git a/terraform-modules/aws/ssm/README.md b/terraform-modules/aws/ssm/README.md new file mode 100644 index 000000000..3337fc6e5 --- /dev/null +++ b/terraform-modules/aws/ssm/README.md 
@@ -0,0 +1,302 @@ +# SSM Session Manager +Session Manager is a fully managed AWS Systems Manager capability that lets you manage your EC2 instances, on-premises instances, and virtual machines (VMs) through an interactive one-click browser-based shell or through the AWS CLI. + +Main doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html + +The goals: +* Be able to trace back to exactly what happened on an EC2 system +* Have two classes of users. One that can sudo and one that can not + +## Be able to answer the 5 Ws +1. What happened? +1. Where did it take place? +1. When did it occur? +1. Why did it happen? +1. Who was involved? + +# How users can use SSM to get a interactive shell on an EC2 node + +1. Via the AWS console: AWS System Manger -> Instances & Nodes -> Session Manager -> Start session +1. Via the AWS CLI (requires the SSM plugin). Instructions below + +# Terraform Modules + +## EC2 Instance IAM Role +Modules: +* `ec2-role` + +There is a role that is created that is assigned to an EC2 instance that wants to participate in this setup. + +This role gives permission for: +* SSM permissions for the node to be able to send/recieve messsages in the AWS SSM setup +* S3 bucket permissions to write logs +* KMS permissions for encryption keys + +A new role for each type of SSM groups should be created. For example, if you have a `dev` and a `prod` group, you should create two groups mirroring this structure. The EC2 instance is given a role with write permissions to a S3 bucket and a certain part of the path. If the role grants all access to S3 (which is a bad choice) or the entire bucket and it is shared for logs from other SSM groups, other SSM groups would be able to write to any of the paths in the bucket. This is potentially bad if an EC2 node is compromized it would have access to overwrite logs anywhere in the bucket which then can overwrite logs for other SSM group's logs. 
By creating an EC2 instance role for each group, we can then set a more restrictive S3 bucket write access to limit it to a certain path. + +## User SSM Permissions +Modules: +* `user-policies/restrict-by-ssm-document` +* `user-policies/attach-policy-to-group` +* `user-policies/attach-opolicy-to-user` + +Users that wants to connect to an instance via the AWS SSM setup, will need IAM permissions to do so. + +* What instances a user can connect to +* What SSM document this user must use +* SSM permissions + +## VPC-Endpoints +Modules: +* `vpc-endpoints` + +The EC2 nodes needs a way to get to the AWS SSM API endpoint to be able to get information and talk to the SSM control servers. This `vpc-endpoint` puts the SSM control endpoint in the VPC where the EC2 nodes are. + +## SSM Session Document +Modules: +* `documents/sessions` + +This is basically configuration for the SSM session. When a user connects through SSM, SSM needs to know what parameters to apply to the connection. This `document` gives SSM that information. + +Info this document/config holds: +* What user to connect to the remote system as +* S3 bucket to send the session logs to +* Encryption to use + +## S3 bucket +Modules: +* `s3` + +Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-logging-auditing.html#session-manager-logging-auditing-s3 + +A bucket needs to be setup with encryption enabled to receive the SSM session logs. This bucket name is used in the EC2 instance role and SSM Session document. + +# SSM with run-as + +## Users +Will have two shared users. Can we still answer the 5 Ws? + +### user-sudo +This user can sudo. + +What happened? +* SSM has full interactive session capture +* Will be able to get a log of everything this user did + +Where did it take place? +* Via SSM the user will be using Okta which is tied to a unique account +* CloudTrail should be tell us which machine this user login to + +When did it occur? 
+* Logs from SSM session capture has a time stamp +* Logs from the EC2 machines has the timestamp on when the shared user did something + +Why did it happen? +* With full session recording we can see what caused something +* The EC2 logs will also tell us why something happened + +Who was involved? +* The SSM session is tied to a unique Okta account + +### user-no-sudo +This user has not sudo abilities. + +The 5ws are the same as the `user-sudo` answers + +# Discussions/caveats + +## No unique users on the EC2 machine? +That is correct. A user will be uniquely identified via SSM but when SSM places the user onto an EC2 instance, it will assume a shared user. This is a limitation of the SSM feature set. However, we are still able to answer the 5 Ws accurately. SSM will uniquely identify the person on session start. It will also capture the entire interactive SSH session. By using this information, we can see exactly what the user was doing. We can also "pretty" closely tie it back to the EC2 Linux logs on what happened and who was responsible. + +Since we have the full capture, we can say we have a compensating control for the shared login on the machine and thus have accountability. + +## EC2 Instance needs ssm-agent installed +Any EC2 instance that wants to participate in this setup, needs to have the AWS ssm-agent installed on it. This is a prerequisite for this setup. + +Prerequisites: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-prerequisites.html + +## Should not use `aws ssm start-session` on a shared machine +You probably should not use the `aws ssm start-session` to connect to a remote machine on a shared machine. 
The AWS temporary token value shows up in the `ps` list: + +``` +ps aux | grep ssm +g44 1322389 0.0 0.0 2716 524 pts/3 S+ 20:49 0:00 aws ssm start-session --target i-0efbd22c010b703bf --document-name SSM-gar-test-sudoer +g44 1322390 0.3 0.1 141432 47940 pts/3 S+ 20:49 0:00 aws ssm start-session --target i-0efbd22c010b703bf --document-name SSM-gar-test-sudoer +g44 1322395 0.3 0.0 856848 11916 pts/3 Sl+ 20:49 0:00 session-manager-plugin {"SessionId": "garland.kan-0191f0eae08e1b4f8", "TokenValue": "AAEAAbgY78NB2V5KlbYS3hpjegONznprdtIhAYhfZfWRp+zTAAAAAF6+EUjaUDZXp05OWxxhFMOChSpVAlbUiV5ozjiztSzhRUpyzUVLL9XjlcW5FEKumgt1/uzq2HSFG2jF31GoCqRKQcKhlDMdu2vKHRLsJ7jxT5M51Mmoo2EQKQ2DggJ6oz++byhQyh6osqZjH9SBme+eSkCkQLTvG+P7/i+DblvCOBwWFWooS1jfRqS4jai3+7jsd/eFncLVrdWFwDwND8cltwoW4bMVIML97eZ8x4Sraq1ioCJ0EtZ//TcIWiJ/I7jGMG7LsjB1ipI57Axd7hRbGaKtAIOv9JlF4Io43OeKhzd1DI3NFg==", "StreamUrl": "wss://ssmmessages.us-east-1.amazonaws.com/v1/data-channel/garland.kan-0191f0eae08e1b4f8?role=publish_subscribe", "ResponseMetadata": {"RequestId": "1cf7099e-1fdf-47f6-9cdb-101eab7abddf", "HTTPStatusCode": 200, "HTTPHeaders": {"x-amzn-requestid": "1cf7099e-1fdf-47f6-9cdb-101eab7abddf", "content-type": "application/x-amz-json-1.1", "content-length": "610", "date": "Fri, 15 May 2020 03:49:27 GMT"}, "RetryAttempts": 0}} us-east-1 StartSession {"Target": "i-0efbd22c010b703bf", "DocumentName": "SSM-gar-test-sudoer"} https://ssm.us-east-1.amazonaws.com +``` + +## Where do I view Session Manager's activities + +### User login sessions +You can view session login activities in `CloudTrails`. + +Go to: +* AWS Console -> CloudTrails -> Event History +* Filter by Event name: `StartSession` + +This will list all of the sessions that were started. 
Here is an example of the event: +```json +{ + "eventVersion": "1.05", + "userIdentity": { + "type": "IAMUser", + "principalId": "AIDAVE4W5C6YOXXF5XPOR", + "arn": "arn:aws:iam::354114410416:user/garland.kan.temp", + "accountId": "354114410416", + "accessKeyId": "AKIAVE4W5C6YJPLGCFU5", + "userName": "garland.kan.temp" + }, + "eventTime": "2020-05-18T17:00:24Z", + "eventSource": "ssm.amazonaws.com", + "eventName": "StartSession", + "awsRegion": "us-east-1", + "sourceIPAddress": "38.30.8.138", + "userAgent": "aws-cli/2.0.0 Python/3.7.3 Linux/5.4.0-29-generic botocore/2.0.0dev4", + "requestParameters": { + "target": "i-02311671588e96626", + "documentName": "SSM-sudo" + }, + "responseElements": { + "sessionId": "garland.kan.temp-0e34861185201706f", + "tokenValue": "Value hidden due to security reasons.", + "streamUrl": "wss://ssmmessages.us-east-1.amazonaws.com/v1/data-channel/garland.kan.temp-0e34861185201706f?role=publish_subscribe" + }, + "requestID": "35714caa-4b64-47c1-9842-2dc6d4786070", + "eventID": "4b7a66fc-bffb-4179-be64-69bba2bf714c", + "readOnly": false, + "eventType": "AwsApiCall", + "recipientAccountId": "354114410416" +} +``` + +## How do I troubleshoot the SSM Agent? +The SSM Agent runs on each EC2 node that wants to participate in the SSM interactive session setup. This agent has IAM permissions via the instance role we created to talk to the AWS SSM API (vpc endpoint) that we created. When someone initiates a session from the console or the CLI, there is an API call to the AWS SSM API and SSM performs authentication and authorization at this point. If that succeeds, AWS SSM contacts the requested EC2 instance via the AWS SSM Agent that is running on it. If the SSM agent on the EC2 machine answers, a connection will be created with the appropriate settings via the SSM Document (either the default or a custom document). + +### Where are the SSM Agents logs? 
+Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-agent-logs.html +* `/var/log/amazon/ssm/amazon-ssm-agent.log` +* `/var/log/amazon/ssm/errors.log` + +The Session log: +* Has the session id: `garland.kan.temp-0073b0a9869ded8de`. This can be used to tie it back to the CloudTrail logs +``` +Script started on 2020-05-27 23:00:48+0000 +[?1034hsh-4.2# /usr/bin/ssm-session-logger /var/lib/amazon/ssm/i-0c76bc102a2c8324b/sess +ion/orchestration/garland.kan.temp-0073b0a9869ded8de/Standard_Stream/ipcTempFile +.log false +Error occurred fetching the seelog config file path: open /etc/amazon/ssm/seelog.xml: no such file or directory +Initializing new seelog logger +New Seelog Logger Creation Complete +[?1034hsh-4.2$ +sh-4.2$ + +sh-4.2$ + +sh-4.2$ + +sh-4.2$ # test 1 + +sh-4.2$ ls / + +bin boot dev etc home lib lib64 local media mnt opt proc root run sbin srv sys tmp usr var + +sh-4.2$ exit + +exit + +sh-4.2# exit +exit + +Script done on 2020-05-27 23:01:53+0000 +``` + +#### Not writing session logs to the S3 bucket +The EC2 instance needs access to the bucket. 
In the `/var/log/amazon/ssm/errors.log` logs on the EC2 instance you might see logs like this which is an indication that the node does not have access to S3: + +``` +2020-05-26 18:11:59 ERROR [S3Upload @ s3util.go.114] [ssm-session-worker] [garland.kan.temp-075bd0a4981d0a426] [DataBackend] [pluginName=Standard_Stream] Failed uploading /var/lib/amazon/ssm/i-0be867147d0c364b8/session/orchestration/garland.kan.temp-075bd0a4981d0a426/Standard_Stream/garland.kan.temp-075bd0a4981d0a426.log to s3://expanse-ssm-session-logs-dev/dev/garland.kan.temp-075bd0a4981d0a426.log err:AccessDenied: Access Denied +``` + +You can give the EC2 instance access to the bucket by giving attaching a policy to the instance role: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::expanse-ssm-session-logs-dev", + "arn:aws:s3:::expanse-ssm-session-logs-dev/*" + ] + } + ] +} +``` + +### Enabling debug on the SSM Agent +Doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-agent-logs.html#ssm-agent-debug-log-files + + +# Testing + +## Login as both classes of user + +### Users in the sudoers class can login with the sudoers user + + +### Users in the non sudoers class can login + + +### Users in the non sudoers class can NOT login as the sudoer's user + + +## Answering the 5 Ws + +### What happened? +Can we get the SSM interactive session logs? + +Does it tell us who the user is? + +### Where did it take place? +Does it tell us which machine this all took place on? + +### When did it occur? +Timestamps? + +### Why did it happen? +The sequence of activities? + +### Who was involved? +Who was the unique user involved? 
+ + +# Usage + +## Requirements + +### aws cli +If using the CLI, you need the `aws cli` + +Install doc: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-install.html + +### session manager plugin +If you want to use the AWS CLI to start and end sessions that connect you to your managed instances, you must first install the Session Manager plugin on your local machine. The plugin can be installed on supported versions of Microsoft Windows, macOS, Linux, and Ubuntu Server. + +Install doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.html + +## starting a session + +``` +aws ssm start-session --target i-0061375d1e98e81fc --document-name SSM-sudo +``` + +# Tunnelling +https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/ + +``` +aws ssm start-session --target $INSTANCE_ID \ +--document-name AWS-StartPortForwardingSession \ +--parameters '{"portNumber":["80"],"localPortNumber":["9999"]}' +``` diff --git a/terraform-modules/aws/ssm/ec2-role/README.md b/terraform-modules/aws/ssm/ec2-role/README.md new file mode 100644 index 000000000..816eeb799 --- /dev/null +++ b/terraform-modules/aws/ssm/ec2-role/README.md @@ -0,0 +1,6 @@ +EC2 SSM Role +============= + +This is a required role that is created to be attached EC2 instances to give it access to SSM and the S3 bucket for the interactive session logs output. + +https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html diff --git a/terraform-modules/aws/ssm/ec2-role/main.tf b/terraform-modules/aws/ssm/ec2-role/main.tf new file mode 100644 index 000000000..48b99fc81 --- /dev/null +++ b/terraform-modules/aws/ssm/ec2-role/main.tf 
@@ -0,0 +1,114 @@ +resource "aws_iam_instance_profile" "profile" { + name = "OpsEC2SSM${var.name}" + role = aws_iam_role.role.name +} + +resource "aws_iam_role" "role" { + name = "OpsEC2SSM${var.name}" + + description = "Allows EC2 instances to call AWS services on your behalf with SSM." + + force_detach_policies = true + + assume_role_policy = < Node Management -> Run command +* Click on the Command History tab + +This list all of the runs. + +If you just updated the run information, it would trigger almost instantaniously. + +### Viewing runs and log outputs on the node +The location where the files are placed onto the node is with this var `upload_working_dir`. The default location is `/tmp/ssm-configs`. + + +## Run script from S3 + +* https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-s3-shell.html + +``` +{"path":"https://s3.amazonaws.com/garland-1234-ssm-test/run.sh"} +``` + + +## Script from Github +NOTE: This doesnt work with our repo (explanation below) + +* https://aws.amazon.com/blogs/mt/run-scripts-stored-in-private-or-public-github-repositories-using-amazon-ec2-systems-manager/ +* https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-github-python.html + + +SSM Document name: `AWS-RunRemoteScript` + +``` +{ + "owner": "owner_name", + "repository": "repository_name", + "getOptions": "branch:branch_name", + "path": "path_to_document", + "tokenInfo": "{{ssm-secure:SecureString_parameter_name}}" +} +``` + +``` +aws ssm put-parameter --name test-token --value xxxxxxx --type SecureString +``` + + + + +{ + "owner": "marqeta", + "repository": "featurespace-onprem-infra", + "getOptions": "branch:gkan.RP-2585-node-list-ssm-run-command", + "path": "/terraform-modules/aws/ssm/run_remote_script/scripts/run.sh", + "tokenInfo": "{{ssm-secure:test-token}}" +} + +AWS SSM outputs the runtime error: +``` +GET 
https://api.github.com/repos/marqeta/featurespace-onprem-infra/contents//terraform-modules/aws/ssm/run_remote_script/scripts/run.sh?ref=gkan.RP-2585-node-list-ssm-run-command: 401 Bad credentials [] +``` + +We have a self hosted repository at: https://github.marqeta.com/marqeta/featurespace-onprem-infra. AWS SSM is going to the public `api.github.com` +host. There is no configuration option to change the host where AWS SSM should reach the Github server. Which means we will not be able +to auth correctly and even if it did, the repository isn't hosted on the public Github.com servers. + diff --git a/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/files/openmetrics.d/conf.yaml.tpl b/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/files/openmetrics.d/conf.yaml.tpl new file mode 100644 index 000000000..c13b60f1e --- /dev/null +++ b/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/files/openmetrics.d/conf.yaml.tpl 
@@ -0,0 +1,68 @@ +## All options defined here are available to all instances. +# +init_config: + + ## @param proxy - mapping - optional + ## Set HTTP or HTTPS proxies for all instances. Use the `no_proxy` list + ## to specify hosts that must bypass proxies. + ## + ## The SOCKS protocol is also supported like so: + ## + ## socks5://user:pass@host:port + ## + ## Using the scheme `socks5` causes the DNS resolution to happen on the + ## client, rather than on the proxy server. This is in line with `curl`, + ## which uses the scheme to decide whether to do the DNS resolution on + ## the client or proxy. If you want to resolve the domains on the proxy + ## server, use `socks5h` as the scheme. + # + # proxy: + # http: http://: + # https: https://: + # no_proxy: + # - + # - + + ## @param skip_proxy - boolean - optional - default: false + ## If set to `true`, this makes the check bypass any proxy + ## settings enabled and attempt to reach services directly. + # + # skip_proxy: false + + ## @param timeout - number - optional - default: 10 + ## The timeout for connecting to services. + # + # timeout: 10 + + ## @param service - string - optional + ## Attach the tag `service:` to every metric, event, and service check emitted by this integration. + ## + ## Additionally, this sets the default `service` for every log source. + # + # service: + +## Every instance is scheduled independent of the others. +# +instances: + + ## @param prometheus_url - string - required + ## The URL where your application metrics are exposed by Prometheus. + # + - prometheus_url: ${prometheus_url} + + ## @param namespace - string - required + ## The namespace to be prepended to all metrics. + # + namespace: ${namespace} + + ## @param metrics - (list of string or mapping) - required + ## List of metrics to be fetched from the prometheus endpoint, if there's a + ## value it'll be renamed. This list should contain at least one metric. 
+ #
+ metrics:
+ - processor:cpu
+ - memory:mem
+ - io
+ - prometheus*
+ - net*
+ - go*
\ No newline at end of file
diff --git a/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/files/someconfig.conf b/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/files/someconfig.conf
new file mode 100644
index 000000000..c9f0304f6
--- /dev/null
+++ b/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/files/someconfig.conf
@@ -0,0 +1 @@
+foo=bar
\ No newline at end of file
diff --git a/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/run.sh b/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/run.sh
new file mode 100755
index 000000000..afae5070f
--- /dev/null
+++ b/terraform-modules/aws/ssm_config/run_remote_script/file_sets/datadog/run.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# output run information
+echo "######################################" >> run_output.txt
+echo "######################################" >> run_output.txt
+echo "Start of the run: $(date)" >> run_output.txt
+echo "pwd: $(pwd)" >> run_output.txt
+
+echo "Copying file to: /etc/datadog-agent/conf.d/openmetrics.d/conf.yaml" >> run_output.txt
+cp ./files/openmetrics.d/conf.yaml.tpl /etc/datadog-agent/conf.d/openmetrics.d/conf.yaml
+
+# output run information
+echo "Finished: $(date)" >> run_output.txt
+echo "######################################" >> run_output.txt
+echo "######################################" >> run_output.txt
diff --git a/terraform-modules/aws/ssm_config/run_remote_script/main.tf b/terraform-modules/aws/ssm_config/run_remote_script/main.tf
new file mode 100644
index 000000000..1b66177ba
--- /dev/null
+++ b/terraform-modules/aws/ssm_config/run_remote_script/main.tf
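Review bot: The two interpolations, `- prometheus_url: ${prometheus_url}` and `namespace: ${namespace}`, are emitted as bare YAML scalars, so a value containing `: `, ` #`, a leading `*`/`&`/`[` or a newline changes the structure of the rendered config instead of just the string. Since main.tf in this commit renders this file with templatefile(), the robust form is to let Terraform quote the value: `- prometheus_url: ${jsonencode(prometheus_url)}` and `namespace: ${jsonencode(namespace)}`. The proxy examples under init_config appear to have lost their host/port placeholders (`http://: `), presumably in the page rendering rather than the commit — worth confirming against the committed file.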
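Review bot: Nothing stops the script on failure: without `set -euo pipefail` a failed `cp` (missing `/etc/datadog-agent/conf.d/openmetrics.d/`, permission denied) still prints `Finished` and the SSM association reports success, so a node can silently keep stale monitoring config. Add `set -euo pipefail` directly under the shebang; the echo lines are unaffected. The file being copied is already rendered (main.tf in this commit runs it through templatefile() before upload), which the `.tpl` suffix hides — a one-line comment `# conf.yaml.tpl is rendered by Terraform at upload time; it is a finished conf.yaml here` would stop someone "fixing" it on the node. Consider also echoing the same lines to stdout so the SSM command output, not only a file in the working directory, carries the run record.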
@@ -0,0 +1,48 @@
+locals {
+ upload_directory = var.use_local_files ? var.local_upload_directory : "${path.module}/file_sets/${var.file_set_to_upload}/"
+
+ # https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-s3-shell.html
+ # Step 5 the Source Info json
+ source_info = {
+ path = "https://s3.amazonaws.com/${var.s3_bucket_name}/${var.s3_bucket_key_path}${var.file_set_to_upload}/"
+ }
+}
+
+resource "aws_ssm_association" "this" {
+ name = "AWS-RunRemoteScript"
+
+ parameters = {
+ sourceType = "S3"
+ sourceInfo = "${jsonencode(local.source_info)}"
+ commandLine = var.run_command
+ workingDirectory = "${var.upload_working_dir}/${var.s3_bucket_key_path}${var.file_set_to_upload}"
+ executionTimeout = var.execution_time
+ }
+
+ targets {
+ key = "tag:${var.target_ec2_tag_key}"
+ values = var.target_ec2_tag_values
+ }
+
+ depends_on = [
+ aws_s3_bucket_object.files,
+ ]
+}
+
+# Updloads all the files/folders based on the var.file_set_to_upload
+resource "aws_s3_bucket_object" "files" {
+ for_each = fileset(local.upload_directory, "**/*.*")
+ bucket = var.s3_bucket_name
+ key = "${var.s3_bucket_key_path}${var.file_set_to_upload}/${replace(each.value, local.upload_directory, "")}"
+ content = templatefile("${local.upload_directory}${each.value}", {
+ #############################################
+ # All template vars for the various file_sets
+ #############################################
+ # Datadog file_sets var
+ prometheus_url = var.datadog_template_vars.prometheus_url
+ namespace = var.datadog_template_vars.namespace
+ })
+ acl = "private"
+ source_hash = filemd5("${local.upload_directory}${each.value}")
+ server_side_encryption = "AES256"
+}
diff --git a/terraform-modules/aws/ssm_config/run_remote_script/variables.tf b/terraform-modules/aws/ssm_config/run_remote_script/variables.tf
new file mode 100644
index 000000000..dd839a4a0
--- /dev/null
+++ b/terraform-modules/aws/ssm_config/run_remote_script/variables.tf
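Review bot: Every file in the set, including `run.sh`, goes through templatefile(), so any `${...}` or `%{...}` in a shell script is parsed as Terraform interpolation and either fails the plan or is silently rewritten; the committed run.sh only uses `$(...)` and so passes today, but the next script edit will not. Render only `*.tpl` files and upload everything else with file(); the `"**/*.*"` glob also skips extension-less files, which `"**"` does not. The `replace(each.value, local.upload_directory, "")` in `key` looks like a no-op since fileset() already returns paths relative to its first argument — harmless, but worth a comment or removal. Note that whoever can write to `var.s3_bucket_name` under `var.s3_bucket_key_path` controls what `AWS-RunRemoteScript` executes on every tagged instance; the module should state that trust boundary in a comment next to `aws_ssm_association` so the bucket policy is reviewed with the same care as an instance role.
```hcl
resource "aws_s3_bucket_object" "files" {
  # "**" also picks up extension-less files (Makefile, LICENSE, ...).
  for_each = fileset(local.upload_directory, "**")
  # … unchanged: bucket, key …
  # Only *.tpl files are rendered; everything else (e.g. run.sh) is uploaded verbatim so
  # shell ${VAR} expansions are never mistaken for Terraform interpolation.
  content = length(regexall("\\.tpl$", each.value)) > 0 ? templatefile("${local.upload_directory}${each.value}", {
    # Datadog file_sets var
    prometheus_url = var.datadog_template_vars.prometheus_url
    namespace      = var.datadog_template_vars.namespace
  }) : file("${local.upload_directory}${each.value}")
  # … unchanged: acl, source_hash, server_side_encryption …
}
```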
@@ -0,0 +1,68 @@
+variable "s3_bucket_name" {
+ type = string
+ default = "rpg-featurespace-ssm-run-script-for-unit-testing-purposes"
+ description = "The bucket name to hold the SSM script and file items"
+}
+
+variable "s3_bucket_key_path" {
+ type = string
+ default = "node_configs/"
+ description = "The bucket sub folder to put the items into."
+}
+
+variable "target_ec2_tag_key" {
+ type = string
+ default = "node_list_group_name"
+ description = "The EC2 instance tag key name to target"
+}
+
+variable "target_ec2_tag_values" {
+ type = list(string)
+ default = ["rpg-featurespace-dev-app-cep", "foo"]
+ description = "The EC2 instance tag values to target"
+}
+
+variable "upload_working_dir" {
+ type = string
+ default = "/tmp/ssm-configs"
+ description = "The location on the remote server to update the files to"
+}
+
+variable "execution_time" {
+ type = string
+ default = "3600"
+ description = "The max execution time for the script"
+}
+
+variable "file_set_to_upload" {
+ type = string
+ default = "datadog"
+ description = "The file set directory to upload and run on the remote server(s)"
+}
+
+variable "run_command" {
+ type = string
+ default = "run.sh"
+ description = "The script to execute."
+}
+
+variable "datadog_template_vars" {
+ type = map
+ description = "Templating: Datadog input variables"
+ default = {
+ prometheus_url = "http://localhost:9090/api/prometheus/metrics"
+ namespace = "name-to-prepend"
+ }
+}
+
+variable "use_local_files" {
+ type = bool
+ description = "Flag to upload files from your local path or files from this module in the file_sets. If this is set to true, the input local_upload_directory is required."
+ default = false
+}
+
+variable "local_upload_directory" {
+ type = string
+ description = "The local file path to upload. Example, if uploading a directory named `file` from the same location where you are instantiation this module from. The input var should be: `./files/`"
+ default = null
+}
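Review bot: `s3_bucket_name` and `target_ec2_tag_values` carry environment-specific defaults (`rpg-featurespace-ssm-run-script-for-unit-testing-purposes`, `["rpg-featurespace-dev-app-cep", "foo"]`), so applying the module with its defaults runs `run.sh` under the SSM agent's user (root on Linux unless the agent is configured otherwise) on whatever instances happen to carry that tag; drop both `default` lines so callers must name the bucket and the targets explicitly. `upload_working_dir` defaults to `/tmp/ssm-configs`, a world-writable location from which the script is later executed; a root-owned path (e.g. `/var/lib/ssm-configs`, constructed example) removes the chance of an unprivileged local user placing files there before the association runs. `datadog_template_vars` is declared as bare `map`; `map(string)` documents the expected shape and rejects nested values at plan time. `execution_time` is a string holding seconds — a `description` saying "seconds" and a `validation` block, or `type = number`, would make the unit explicit.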
diff --git a/terraform-modules/aws/standard-bucket-replication/README.md b/terraform-modules/aws/standard-bucket-replication/README.md new file mode 100644 index 000000000..bdfdb6ea8 --- /dev/null +++ b/terraform-modules/aws/standard-bucket-replication/README.md 
@@ -0,0 +1,68 @@ +# Standard AWS Bucket with Replication + +Standard Bucket creates an S3 Bucket using the publicly available [aws bucket terraform implementation](github.com/terraform-aws-modules/terraform-aws-s3-bucket) that is able to setup S3 replication as an option to another bucket (same region or different region). You can +use this module to create a single bucket or a single bucket that replicates to another. If you think you will ever have requirements +to replicate your bucket, you should use this module instead of the `standard-bucket` module. + +NOTE: Due to a bug in the AWS Terraform provider 'false' actually creates the bucket with versioning enabled but suspended. 'true' properly enables versioning. https://github.com/hashicorp/terraform-provider-aws/issues/4494 + +The goals: +* Enable simple PRs for AWS bucket requests. +* Enable simple setup of a replicated S3 bucket setup + +Background: + +Review [Self Service Terraform Modules Document](https://qadium.atlassian.net/wiki/spaces/EN/pages/1704329276/Self-Service+Terraform+Modules+WIP) + +## Module Usage + +This module creates an AWS S3 Bucket + +| Parameter Name | Required | Default Value | Description | +| --- | --- | --- | --- | +| bucket_name | **Yes** | | The name of the bucket. | +| env | **Yes** | | environment name for the bucket. | +| region | **Yes** | | gcp region for the bucket. | +| group | **Yes** | | group owner | +| acl | **No** | private | The canned ACL to apply. Defaults to 'private'. | +| tags | **No** | {} | Override Bucket tags derived from env and group parameters. | +| policy | **No** | null | Optional bucket policy to provide. | +| attach_policy | **No** | false | attatch the bucket policy default is false. | +| versioning | **No** | false | enable bucket versioning. NOTE: Due to a bug in the AWS Terraform provider 'false' actually creates the bucket with versioning enabled but suspended. 'true' properly enables versioning. 
| +| sse_algorithm | **No** | AES256 | bucket's server side side encryption algorithm. | +| cors_rule | **No** | [] | list of maps representing Cross-Origin Resource rules. | +| lifecycle_rules | **No** | [] | list of bucket object lifecycle rules. | +| block_public_acls | **No** | false | block public ACLs for this bucket default is false | +| block_public_policy | **No** | false | block public bucket policies for this bucket default is false | +| ignore_public_acls | **No** | false | ignore public ACLs for this bucket default is false | +| restrict_public_buckets | **No** | false | restrict public policies for this bucket default is false | +| replica_provider_profile | **No** | | AWS profile to use for the replica bucket| +| enable_replication | **No** | false | Enable replication or not: 0 or 1 | +| replica_region | **No** | | Region to create s3 replica bucket in| +| replica_bucket_name | **No** | | Replica bucket name | + + +## Supported Outputs +The following outputs are supported as part of this module: + +| Output Name | Description | +| --- | --- | +| bucket_id | name of created bucket if creating a none replicated bucket | +| bucket_arn | arn of created bucket if creating a none replicated bucket | +| bucket_id_source_replica | name of the source bucket if creating a replicated bucket | +| bucket_arn_source_replica | arn of the source bucket if creating a replicated bucket | +| bucket_id_replica | name of the replicated bucket if creating a replicated bucket | +| bucket_arn_replica | arn of the replicated bucket if creating a replicated bucket | + +## iam_members syntax: + + +## Examples + +### Terraform + +* See [tested default example](examples/default/) + +### Terragrunt + +* See [terragrunt.hcl](examples/terragrunt/terragrunt.hcl) diff --git a/terraform-modules/aws/standard-bucket-replication/default-variables.tf b/terraform-modules/aws/standard-bucket-replication/default-variables.tf new file mode 100644 index 000000000..a999f34e3 --- /dev/null 
+++ b/terraform-modules/aws/standard-bucket-replication/default-variables.tf 
@@ -0,0 +1,97 @@ +variable "acl" { + description = "bucket acl" + type = string + default = "private" +} + +variable "tags" { + description = "override bucket tags" + type = map(string) + default = {} +} + +variable "policy" { + description = "The bucket policy" + default = null +} + +variable "attach_policy" { + default = false +} + +variable "versioning" { + description = "Set to true to enable s3 bucket versioning" + type = bool + default = true +} + +variable "sse_algorithm" { + description = "The SSE encryption algorithm to use" + type = string + default = "AES256" +} + +variable "lifecycle_rules" { + description = "List of maps containing configuration of object lifecycle management." + type = any + default = [] +} + +variable "cors_rule" { + description = "List of maps containing rules for Cross-Origin Resource Sharing." + type = any + default = [] +} + + +variable "block_public_acls" { + type = bool + description = "block public ACLs for this bucket" + default = false +} + +variable "block_public_policy" { + type = bool + description = "block public bucket policies for this bucket" + default = false +} + +variable "ignore_public_acls" { + type = bool + description = "should ignore public ACLs for this bucket" + default = false +} + +variable "restrict_public_buckets" { + type = bool + description = "restrict public bucket policies for this bucket" + default = false +} + +variable "enable_replication" { + type = number + description = "Flag to enable S3 bucket replication | 0=off, 1=on" + default = 0 +} + +variable "replica_region" { + type = string + description = "The AWS region for the replica bucket" + default = "us-west-2" +} + +variable "replica_bucket_name" { + description = "name of the replica S3 Bucket" + type = string + default = "" +} + +variable "policy_replica" { + description = "The replica's bucket policy" + default = null +} + +variable "replica_provider_profile" { + description = "The AWS profile to use for the replica aws provider" + 
default = null +} diff --git a/terraform-modules/aws/standard-bucket-replication/examples.orig/default/main.tf b/terraform-modules/aws/standard-bucket-replication/examples.orig/default/main.tf new file mode 100644 index 000000000..1c80cb520 --- /dev/null +++ b/terraform-modules/aws/standard-bucket-replication/examples.orig/default/main.tf @@ -0,0 +1,57 @@ +locals { + bucket_name = "test-test-1234-test-test-1234" + env = "dev" + region = "us-east-1" + group = "devops" +} + +module "bucket-with-replication" { + source = "../.." + + bucket_name = local.bucket_name + env = local.env + region = local.region + group = local.group + lifecycle_rules = [ + { + enabled = true + expiration = { + days = 90 + } + } + ] + + # Replication settings + replica_provider_profile = "qadium-dev" + enable_replication = 1 + replica_region = "us-west-2" + replica_bucket_name = "${local.bucket_name}-replica" + policy_replica = < with appropriate shared-terraform-modules tag number +terraform { + source = "git::ssh://git@github.q-internal.tech/qadium/shared-terraform-modules.git//aws/s3/standard-bucket?ref=v" +} + +inputs = { + bucket_name = "expanse-benchmark-reports-staging" + region = "us-west-2" + env = "prod" + group = "engineering" + cors_rule = [ + { + allowed_headers = ["*"] + allowed_methods = ["GET"] + allowed_origins = ["https://internal-tool.expander.staging.qadium.com"] + } + ] +} diff --git a/terraform-modules/aws/standard-bucket-replication/main.tf b/terraform-modules/aws/standard-bucket-replication/main.tf new file mode 100644 index 000000000..5295ef54d --- /dev/null +++ b/terraform-modules/aws/standard-bucket-replication/main.tf 
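Review bot: All four public-access-block inputs (`block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets`) default to `false`, and main.tf in this commit only creates `aws_s3_bucket_public_access_block` when at least one is true, so a bucket made with defaults gets no public access block at all; for a "standard bucket" module the safe default is `default = true` on each, with callers opting out explicitly. The README table in this commit also disagrees with this file: it lists `versioning` as defaulting to false while the code sets `default = true`, and describes `enable_replication` as a boolean while it is declared `number` (0/1) — one of the two should change. `policy` and `attach_policy` have no `type`; `type = string` and `type = bool` would catch a wrong value at plan time instead of at apply.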
@@ -0,0 +1,240 @@
+locals {
+ has_bucket_public_access_block = (var.block_public_acls || var.block_public_policy || var.ignore_public_acls || var.restrict_public_buckets) ? 1 : 0
+}
+
+terraform {
+ # This module is now only being tested with Terraform 0.13.3. test edit
+ required_version = ">= 0.13.3"
+}
+
+data "aws_caller_identity" "current" {}
+
+provider "aws" {
+ profile = var.replica_provider_profile
+ region = var.replica_region
+
+ alias = "replica"
+}
+
+module "bucket-tags" {
+ source = "../../tags"
+
+ env = var.env
+ group = var.group
+ name = var.bucket_name
+ region = var.region
+}
+
+# Single bucket usage. No replication enabled.
+module "terraform-aws-s3-bucket-single-bucket" {
+ source = "github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v2.6.0"
+ count = var.enable_replication == 1 ? 0 : 1
+ bucket = var.bucket_name
+ tags = module.bucket-tags.tags
+ acl = var.acl
+ policy = var.policy
+ attach_policy = var.attach_policy
+ cors_rule = var.cors_rule
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ sse_algorithm = var.sse_algorithm
+ }
+ }
+ }
+
+ versioning = {
+ enabled = var.versioning
+ }
+
+ lifecycle_rule = var.lifecycle_rules
+
+}
+
+resource "aws_s3_bucket_public_access_block" "single-bucket" {
+ count = local.has_bucket_public_access_block
+ bucket = module.terraform-aws-s3-bucket-single-bucket[0].s3_bucket_id
+ block_public_acls = var.block_public_acls
+ block_public_policy = var.block_public_policy
+ ignore_public_acls = var.ignore_public_acls
+ restrict_public_buckets = var.restrict_public_buckets
+}
+
+module "terraform-aws-s3-bucket-source-replica" {
+ source = "github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v2.6.0"
+ count = var.enable_replication
+ bucket = var.bucket_name
+ tags = module.bucket-tags.tags
+ acl = var.acl
+ policy = var.policy
+ attach_policy = var.attach_policy
+ cors_rule = var.cors_rule
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ sse_algorithm = var.sse_algorithm
+ }
+ }
+ }
+
+ versioning = {
+ enabled = true
+ }
+
+ lifecycle_rule = var.lifecycle_rules
+
+ replication_configuration = {
+ role = aws_iam_role.replication[0].arn
+
+ rules = [
+ {
+ id = "replicate_1"
+ status = "Enabled"
+ priority = 10
+
+ source_selection_criteria = {
+ sse_kms_encrypted_objects = {
+ enabled = true
+ }
+ }
+
+ destination = {
+ bucket = "arn:aws:s3:::${var.replica_bucket_name}"
+ storage_class = "STANDARD"
+ replica_kms_key_id = aws_kms_key.replica[0].arn
+ account_id = data.aws_caller_identity.current.account_id
+ access_control_translation = {
+ owner = "Destination"
+ }
+ }
+ }
+
+ ]
+ }
+
+ depends_on = [
+ module.terraform-aws-s3-bucket-replica,
+ ]
+}
+
+resource "aws_s3_bucket_public_access_block" "source-replica" {
+ count = local.has_bucket_public_access_block
+ bucket = module.terraform-aws-s3-bucket-source-replica[0].s3_bucket_id
+ block_public_acls = var.block_public_acls
+ block_public_policy = var.block_public_policy
+ ignore_public_acls = var.ignore_public_acls
+ restrict_public_buckets = var.restrict_public_buckets
+}
+
+
+module "terraform-aws-s3-bucket-replica" {
+ source = "github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=v2.6.0"
+ count = var.enable_replication
+
+ providers = {
+ aws = aws.replica
+ }
+
+ bucket = var.replica_bucket_name
+ tags = module.bucket-tags.tags
+ acl = var.acl
+ policy = var.policy_replica
+ attach_policy = var.attach_policy
+ cors_rule = var.cors_rule
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ sse_algorithm = var.sse_algorithm
+ }
+ }
+ }
+
+ versioning = {
+ enabled = true
+ }
+
+ lifecycle_rule = var.lifecycle_rules
+
+}
+
+resource "aws_s3_bucket_public_access_block" "replica" {
+ count = local.has_bucket_public_access_block
+ bucket = module.terraform-aws-s3-bucket-replica[0].s3_bucket_id
+ block_public_acls = var.block_public_acls
+ block_public_policy = var.block_public_policy
+ ignore_public_acls = var.ignore_public_acls
+ restrict_public_buckets = var.restrict_public_buckets
+}
+
+resource "aws_kms_key" "replica" {
+ count = var.enable_replication
+ provider = aws.replica
+
+ description = "S3 bucket replication KMS key"
+ deletion_window_in_days = 7
+}
+
+# Permissions needed: https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html#setting-repl-config-same-acctowner
+resource "aws_iam_role" "replication" {
+ count = var.enable_replication
+ name = var.bucket_name
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Sid = ""
+ Principal = {
+ Service = "s3.amazonaws.com"
+ }
+ },
+ ]
+ })
+
+ inline_policy {
+ name = var.bucket_name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = ["s3:ListBucket",
+ "s3:GetReplicationConfiguration",
+ "s3:GetObjectVersionForReplication",
+ "s3:GetObjectVersionAcl",
+ "s3:GetObjectVersionTagging",
+ "s3:GetObjectRetention",
+ "s3:GetObjectLegalHold"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::${var.bucket_name}",
+ "arn:aws:s3:::${var.bucket_name}/*",
+ "arn:aws:s3:::${var.replica_bucket_name}",
+ "arn:aws:s3:::${var.replica_bucket_name}/*"
+ ]
+ },
+ {
+ Action = [
+ "s3:ReplicateObject",
+ "s3:ReplicateDelete",
+ "s3:ReplicateTags",
+ "s3:ObjectOwnerOverrideToBucketOwner"
+ ]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::${var.bucket_name}/*",
+ "arn:aws:s3:::${var.replica_bucket_name}/*"
+ ]
+ },
+ ]
+ })
+ }
+
+ tags = module.bucket-tags.tags
+}
diff --git a/terraform-modules/aws/standard-bucket-replication/outputs.tf b/terraform-modules/aws/standard-bucket-replication/outputs.tf
new file mode 100644
index 000000000..e04ac4dd6
--- /dev/null
+++ b/terraform-modules/aws/standard-bucket-replication/outputs.tf
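Review bot: The replication role's inline policy grants only `s3:*` actions, while the replication rule enables `sse_kms_encrypted_objects` and sets `replica_kms_key_id = aws_kms_key.replica[0].arn`; for SSE-KMS objects the AWS page linked above the role also requires `kms:Decrypt` on the key the source objects were written with and `kms:Encrypt` on the replica key, so with this policy replication of such objects would fail. `aws_kms_key.replica` additionally leaves `enable_key_rotation` at its default (off) and uses the shortest `deletion_window_in_days`; if the 7-day window is intentional a comment saying so would help. Note too that `destination.account_id` is read from the default provider's caller identity, so if `replica_provider_profile` ever resolves to a different account than the source bucket, this names the wrong owner for `access_control_translation`. The source-side key is not known to this module (the default `sse_algorithm` is AES256), so the `kms:Decrypt` resource would have to be passed in by the caller; the excerpt below adds the replica-side statement and rotation.
```hcl
resource "aws_kms_key" "replica" {
  # … unchanged: count, provider, description …
  deletion_window_in_days = 7
  enable_key_rotation     = true
}

# … unchanged: assume_role_policy and the two s3:* statements …
        {
          Action   = ["kms:Encrypt"]
          Effect   = "Allow"
          Resource = [aws_kms_key.replica[0].arn]
        },
```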
@@ -0,0 +1,23 @@
+output "bucket_id" {
+ value = module.terraform-aws-s3-bucket-single-bucket[*].s3_bucket_id
+}
+
+output "bucket_arn" {
+ value = module.terraform-aws-s3-bucket-single-bucket[*].s3_bucket_arn
+}
+
+output "bucket_id_source_replica" {
+ value = module.terraform-aws-s3-bucket-source-replica[*].s3_bucket_id
+}
+
+output "bucket_arn_source_replica" {
+ value = module.terraform-aws-s3-bucket-source-replica[*].s3_bucket_arn
+}
+
+output "bucket_id_replica" {
+ value = module.terraform-aws-s3-bucket-replica[*].s3_bucket_id
+}
+
+output "bucket_arn_replica" {
+ value = module.terraform-aws-s3-bucket-replica[*].s3_bucket_arn
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/standard-bucket-replication/required-variables.tf b/terraform-modules/aws/standard-bucket-replication/required-variables.tf
new file mode 100644
index 000000000..f4badc611
--- /dev/null
+++ b/terraform-modules/aws/standard-bucket-replication/required-variables.tf
@@ -0,0 +1,19 @@
+variable "bucket_name" {
+ description = "name of the S3 Bucket"
+ type = string
+}
+
+variable "env" {
+ description = "environment or aws account name"
+ type = string
+}
+
+variable "region" {
+ description = "name of the aws region"
+ type = string
+}
+
+variable "group" {
+ description = "organizational group name"
+ type = string
+}
diff --git a/terraform-modules/aws/standard-bucket-replication/temp.tfvars b/terraform-modules/aws/standard-bucket-replication/temp.tfvars
new file mode 100644
index 000000000..2f840d0f4
--- /dev/null
+++ b/terraform-modules/aws/standard-bucket-replication/temp.tfvars
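Review bot: None of the six outputs has a `description`, and because each uses the `[*]` splat on a `count`ed module the value is a list of zero or one element rather than the plain ID/ARN a caller would expect from a name like `bucket_id`. Adding something like `description = "ID of the single bucket as a one-element list; empty when replication is enabled"` to each makes that shape explicit at the module boundary. The file also lacks a trailing newline.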
@@ -0,0 +1,87 @@ +env = "gar-test" +region = "us-east-1" +group = "devops" +versioning = true +lifecycle_rules = [ + { + enabled = true + expiration = { + days = 7 + } + } +] + +cors_rule = [ + { + allowed_headers = ["*"] + allowed_methods = ["GET"] + allowed_origins = ["https://internal-tool.expander.dev.q-internal.tech"] + } +] + +block_public_acls = true + +bucket_name = "garland-gar-123-source" +policy = < [manifest\_set](#module\_manifest\_set) | github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kubernetes/manifest_set | v2.0.12 | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [x2\_namespace](#input\_x2\_namespace) | The namespace that the X2 applications are in | `string` | `"ops"` | no | + +## Outputs + +No outputs. diff --git a/terraform-modules/aws/testkube/local/main.tf b/terraform-modules/aws/testkube/local/main.tf new file mode 100644 index 000000000..37c904fd0 --- /dev/null +++ b/terraform-modules/aws/testkube/local/main.tf @@ -0,0 +1,10 @@ +module "manifest_set" { + source = "github.com/ManagedKube/kubernetes-ops.git//terraform-modules/aws/kubernetes/manifest_set?ref=v2.0.12" + + upload_source_path = path.cwd + upload_directory = "yaml" + fileset_pattern = "**/*.yaml.tftpl" + template_vars = { + namespace = var.app_namespace + } +} diff --git a/terraform-modules/aws/testkube/local/variables.tf b/terraform-modules/aws/testkube/local/variables.tf new file mode 100644 index 000000000..193958801 --- /dev/null +++ b/terraform-modules/aws/testkube/local/variables.tf @@ -0,0 +1,4 @@ +variable "app_namespace" { + default = "my-app" + description = "The namespace that the applications are in" +} diff --git a/terraform-modules/aws/testkube/local/yaml/local-x2-api-gateway-endpoint.yaml.tftpl b/terraform-modules/aws/testkube/local/yaml/local-x2-api-gateway-endpoint.yaml.tftpl new file mode 100644 index 000000000..9a8a38352 --- /dev/null 
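Review bot: `temp.tfvars` reads like a local scratch file (`env = "gar-test"`, `bucket_name = "garland-gar-123-source"`, an inline bucket `policy` heredoc) rather than module content; if it is meant as a worked example it belongs under `examples/` with a descriptive name, otherwise it should be dropped before merge so environment-specific names and policies do not ship with the module. The policy heredoc is not legible in this view, so its statements could not be reviewed here.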
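Review bot: The testkube README added in this commit documents an input `x2_namespace` (default `"ops"`), while `variables.tf` declares `app_namespace` (default `"my-app"`) and `main.tf` reads `var.app_namespace`; the README is stale against the code and should be regenerated. `app_namespace` also has no `type`; `type = string` states the contract the `${namespace}` template interpolation relies on.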
+++ b/terraform-modules/aws/testkube/local/yaml/local-x2-api-gateway-endpoint.yaml.tftpl
@@ -0,0 +1,18 @@
+apiVersion: tests.testkube.io/v2
+kind: Test
+metadata:
+ name: local-my-app-endpoint
+ namespace: testkube
+spec:
+ content:
+ data: |
+ {
+ "command": [
+ "curl",
+ "http://my-app.${namespace}.svc:80/public-routes"
+ ],
+ "expected_status": "200",
+ "expected_body": "my-app is up"
+ }
+ type: string
+ type: curl/test
\ No newline at end of file
diff --git a/terraform-modules/aws/testkube/local/yaml/ts.yaml.tftpl b/terraform-modules/aws/testkube/local/yaml/ts.yaml.tftpl
new file mode 100644
index 000000000..a85081e40
--- /dev/null
+++ b/terraform-modules/aws/testkube/local/yaml/ts.yaml.tftpl
@@ -0,0 +1,16 @@
+apiVersion: tests.testkube.io/v1
+kind: TestSuite
+metadata:
+ name: infra-local
+ namespace: testkube
+spec:
+ description: Infra local testsuite
+ steps:
+ - execute:
+ name: local-my-app-endpoint
+ namespace: testkube
+ type: testExecution
+ # - delay:
+ # duration: 2000
+ # type: delay
+
diff --git a/terraform-modules/aws/vpc/README.md b/terraform-modules/aws/vpc/README.md
new file mode 100644
index 000000000..c92f2301a
--- /dev/null
+++ b/terraform-modules/aws/vpc/README.md
@@ -0,0 +1,48 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 3.2.0 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_region](#input\_aws\_region) | n/a | `string` | `"us-east-1"` | no |
+| [azs](#input\_azs) | n/a | `list(any)` |
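Review bot: The Test manifest lives in `local-x2-api-gateway-endpoint.yaml.tftpl` but declares `name: local-my-app-endpoint` and probes `http://my-app.${namespace}.svc:80/public-routes`, so either the file name or the resource name is stale; aligning them keeps the `execute.name` reference in `ts.yaml.tftpl` easy to trace back to its definition. The commented-out `delay` step in `ts.yaml.tftpl` should either be removed or carry a one-line comment on why it is kept.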
[
"us-east-1a",
"us-east-1b",
"us-east-1c"
]
| no | +| [cluster\_name](#input\_cluster\_name) | The cluster name for the Kubernetes tags on the subnets | `string` | `"none"` | no | +| [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Enable dns hostname resolution | `bool` | `true` | no | +| [enable\_dns\_support](#input\_enable\_dns\_support) | Enable dns support | `bool` | `true` | no | +| [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | n/a | `bool` | `true` | no | +| [enable\_vpn\_gateway](#input\_enable\_vpn\_gateway) | n/a | `bool` | `true` | no | +| [environment\_name](#input\_environment\_name) | n/a | `any` | n/a | yes | +| [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no | +| [k8s\_worker\_subnets](#input\_k8s\_worker\_subnets) | list of alternate secondary cidrs for kubernetes workers | `list(string)` |
[
"100.64.0.0/20",
"100.64.16.0/20",
"100.64.32.0/20"
]
| no | +| [private\_subnets](#input\_private\_subnets) | n/a | `list(any)` |
[
"10.0.1.0/24",
"10.0.2.0/24",
"10.0.3.0/24"
]
| no | +| [public\_subnets](#input\_public\_subnets) | n/a | `list(any)` |
[
"10.0.101.0/24",
"10.0.102.0/24",
"10.0.103.0/24"
]
| no | +| [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no | +| [secondary\_cidrs](#input\_secondary\_cidrs) | optional list of secondary cidr blocks | `list(string)` |
[
"100.64.0.0/16"
]
| no | +| [tags](#input\_tags) | n/a | `map(any)` | `{}` | no | +| [vpc\_cidr](#input\_vpc\_cidr) | n/a | `any` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [k8s\_subnets](#output\_k8s\_subnets) | A list of private k8s subnets | +| [private\_subnets](#output\_private\_subnets) | A list of private subnets | +| [public\_subnets](#output\_public\_subnets) | A list of public subnets | +| [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC | +| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | diff --git a/terraform-modules/aws/vpc/main.tf b/terraform-modules/aws/vpc/main.tf new file mode 100644 index 000000000..957faf030 --- /dev/null +++ b/terraform-modules/aws/vpc/main.tf 
@@ -0,0 +1,51 @@
+module "vpc" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "3.7.0"
+
+ name = var.environment_name
+ cidr = var.vpc_cidr
+
+ secondary_cidr_blocks = var.secondary_cidrs
+
+ azs = var.azs
+ private_subnets = var.private_subnets
+ public_subnets = var.public_subnets
+
+ # We want to use the 100.64.0.0/16 address space for the EKS nodes and since
+ # this module doesnt have an EKS subnet, we will use the elasticache instead.
+ elasticache_subnets = var.k8s_worker_subnets
+
+ enable_nat_gateway = var.enable_nat_gateway
+ reuse_nat_ips = var.reuse_nat_ips
+ external_nat_ip_ids = var.external_nat_ip_ids
+ enable_vpn_gateway = var.enable_vpn_gateway
+
+ enable_dns_hostnames = var.enable_dns_hostnames
+ enable_dns_support = var.enable_dns_support
+
+ public_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/elb" = "1"
+ }
+
+ private_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = "1"
+ }
+
+ elasticache_subnet_tags = {
+ "kubernetes.io/cluster/${var.cluster_name}" = "shared"
+ "kubernetes.io/role/internal-elb" = "1"
+ "ops_purpose" = "Overloaded for k8s worker usage"
+ }
+
+ tags = var.tags
+
+ #Default Security Group Management (Default: secure)
+ manage_default_security_group = var.manage_default_security_group
+ default_security_group_name = var.default_security_group_name
+ default_security_group_egress = var.default_security_group_egress
+ default_security_group_ingress = var.default_security_group_ingress
+ default_security_group_tags = var.default_security_group_tags
+
+}
diff --git a/terraform-modules/aws/vpc/outputs.tf b/terraform-modules/aws/vpc/outputs.tf
new file mode 100644
index 000000000..a90936c8a
--- /dev/null
+++ b/terraform-modules/aws/vpc/outputs.tf
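Review bot: The vpc README added in this same commit pins module `vpc` at 3.2.0 and lists no default-security-group inputs, while this file pins `version = "3.7.0"` and reads `var.manage_default_security_group`, `var.default_security_group_name`, `var.default_security_group_egress`, `var.default_security_group_ingress` and `var.default_security_group_tags`; the README is stale and should be regenerated (the same applies to the outputs.tf hunk that follows, whose `vpc_name`, route-table and secondary-CIDR outputs are absent from the README's Outputs table). The `#Default Security Group Management (Default: secure)` comment asserts a default this file does not show; the defaults presumably live in the module's variables file, so either name them here (e.g. "defaults: managed, no ingress/egress rules") or drop the parenthetical so the comment cannot drift from the variables.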
@@ -0,0 +1,44 @@
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = module.vpc.vpc_id
+}
+
+output "vpc_name" {
+ description = "name of vpc"
+ value = module.vpc.name
+}
+
+output "vpc_cidr_block" {
+ description = "The CIDR block of the VPC"
+ value = var.vpc_cidr
+}
+
+output "private_subnets" {
+ description = "A list of private subnets"
+ value = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+ description = "A list of public subnets"
+ value = module.vpc.public_subnets
+}
+
+output "k8s_subnets" {
+ description = "A list of private k8s subnets"
+ value = module.vpc.elasticache_subnets
+}
+
+output "private_route_table_ids" {
+ description = "A list of route table ids for private subnets"
+ value = module.vpc.private_route_table_ids
+}
+
+output "public_route_table_ids" {
+ description = "A list of route table ids for public subnets"
+ value = module.vpc.public_route_table_ids
+}
+
+output "vpc_secondary_cidr_blocks" {
+ description = "List of secondary CIDR blocks of the VPC"
+ value = module.vpc.vpc_secondary_cidr_blocks
+}
diff --git a/terraform-modules/aws/vpc/test/go.mod b/terraform-modules/aws/vpc/test/go.mod
new file mode 100644
index 000000000..4672cc929
--- /dev/null
+++ b/terraform-modules/aws/vpc/test/go.mod
@@ -0,0 +1,8 @@
+module github.com/ManagedKube/kubernetes-ops
+
+go 1.15
+
+require (
+ github.com/gruntwork-io/terratest v0.32.24
+ github.com/stretchr/testify v1.7.0
+)
diff --git a/terraform-modules/aws/vpc/test/go.sum b/terraform-modules/aws/vpc/test/go.sum
new file mode 100644
index 000000000..f607bb444
--- /dev/null
+++ b/terraform-modules/aws/vpc/test/go.sum
@@ -0,0 +1,631 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= +cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU= +cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY= +cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc= +cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0= +cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw= +cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= +cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= +cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= +cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw= +dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v46.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= +github.com/Azure/go-autorest/autorest v0.9.3/go.mod h1:GsRuLYvwzLjjjRoWEIyMUaYq8GNUx2nRB378IPt/1p0= +github.com/Azure/go-autorest/autorest v0.9.6/go.mod 
h1:/FALq9T/kS7b5J5qsQ+RSTUdAmGFqi0vUdVNNx8q630= +github.com/Azure/go-autorest/autorest v0.11.0/go.mod h1:JFgpikqFJ/MleTTxwepExTKnFUKKszPS8UavbQYUMuw= +github.com/Azure/go-autorest/autorest v0.11.5/go.mod h1:foo3aIXRQ90zFve3r0QiDsrjGDUwWhKl0ZOQy1CT14k= +github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= +github.com/Azure/go-autorest/autorest/adal v0.8.0/go.mod h1:Z6vX6WXXuyieHAXwMj0S6HY6e6wcHn37qQMBQlvY3lc= +github.com/Azure/go-autorest/autorest/adal v0.8.1/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.8.2/go.mod h1:ZjhuQClTqx435SRJ2iMlOxPYt3d2C/T/7TiQCVZSn3Q= +github.com/Azure/go-autorest/autorest/adal v0.9.0/go.mod h1:/c022QCutn2P7uY+/oQWWNcK9YU+MH96NgK+jErpbcg= +github.com/Azure/go-autorest/autorest/adal v0.9.2/go.mod h1:/3SMAM86bP6wC9Ev35peQDUeqFZBMH07vvUOmg4z/fE= +github.com/Azure/go-autorest/autorest/azure/auth v0.5.1/go.mod h1:ea90/jvmnAwDrSooLH4sRIehEPtG/EPUXavDh31MnA4= +github.com/Azure/go-autorest/autorest/azure/cli v0.4.0/go.mod h1:JljT387FplPzBA31vUcvsetLKF3pec5bdAxjVU4kI2s= +github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= +github.com/Azure/go-autorest/autorest/date v0.2.0/go.mod h1:vcORJHLJEh643/Ioh9+vPmf1Ij9AEBM5FuBIXLmIy0g= +github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= +github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= +github.com/Azure/go-autorest/autorest/mocks v0.3.0/go.mod h1:a8FDP3DYzQ4RYfVAxAN3SVSiiO77gL2j2ronKKP0syM= +github.com/Azure/go-autorest/autorest/mocks v0.4.0/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= 
+github.com/Azure/go-autorest/autorest/to v0.2.0/go.mod h1:GunWKJp1AEqgMaGLV+iocmRAJWqST1wQYhyyjXJ3SJc= +github.com/Azure/go-autorest/autorest/to v0.3.0/go.mod h1:MgwOyqaIuKdG4TL/2ywSsIWKAfJfgHDo8ObuUk3t5sA= +github.com/Azure/go-autorest/autorest/validation v0.1.0/go.mod h1:Ha3z/SqBeaalWQvokg3NZAlQTalVMtOIAs1aGK7G6u8= +github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= +github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= +github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= +github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= +github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/GoogleCloudPlatform/k8s-cloud-provider v0.0.0-20190822182118-27a4ced34534/go.mod h1:iroGtC8B3tQiqtds1l+mgk/BBOrxbqjH+eUfFQYRc14= +github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= +github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= +github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= +github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= +github.com/agext/levenshtein v1.2.1 h1:QmvMAjj2aEICytGiWzmxoE0x2KZvE0fvmqMOfy2tjT8= +github.com/agext/levenshtein v1.2.1/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= 
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/apparentlymart/go-dump v0.0.0-20180507223929-23540a00eaa3/go.mod h1:oL81AME2rN47vu18xqj1S1jPIPuN7afo62yKTNn3XMM= +github.com/apparentlymart/go-textseg v1.0.0 h1:rRmlIsPEEhUTIKQb7T++Nz/A5Q6C9IuX2wFoYVvnCs0= +github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk= +github.com/apparentlymart/go-textseg/v12 v12.0.0 h1:bNEQyAGak9tojivJNkoqWErVCQbjdL7GzRt3F8NvfJ0= +github.com/apparentlymart/go-textseg/v12 v12.0.0/go.mod h1:S/4uRK2UtaQttw1GenVJEynmyUenKwP++x/+DdGV/Ec= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU= +github.com/aws/aws-sdk-go v1.16.26/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/aws/aws-sdk-go v1.27.1 h1:MXnqY6SlWySaZAqNnXThOvjRFdiiOuKtC6i7baFdNdU= +github.com/aws/aws-sdk-go v1.27.1/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI= +github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= +github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10 h1:BSKMNlYxDvnunlTymqtgONjNnaRV1sTpcovwwjF22jk= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0 h1:EoUDS0afbrsXAZ9YQ9jdu/mZ2sXgT1/2yyNng4PGlyM= 
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= +github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= +github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v0.0.0-20200109221225-a4f60165b7a3/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= +github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= +github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= +github.com/docopt/docopt-go 
v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= +github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= +github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/elazarl/goproxy/ext v0.0.0-20190711103511-473e67f1d7d2/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8= +github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/ghodss/yaml v1.0.0/go.mod 
h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 h1:skJKxRtNmevLqnayafdLe2AsenqRupVmzZSqrvb5caU= +github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q= +github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= +github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= +github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= +github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= +github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= +github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= +github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= +github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= +github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= +github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= +github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-openapi/swag v0.19.5/go.mod 
h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= +github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA= +github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y= +github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-containerregistry v0.0.0-20200110202235-f4fb41bf00a3/go.mod h1:2wIuQute9+hhWqvL3vEI7YB0EKluF4WcPzI1eAliazk= +github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI= +github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= +github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= +github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= 
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= +github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= +github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= +github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= +github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.2.2/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= +github.com/googleapis/gnostic v0.4.1/go.mod h1:LRhVm6pbyptWbWbuZ38d1eyptfvIytN3ir6b65WBswg= +github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= +github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= +github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/gruntwork-io/go-commons v0.8.0 
h1:k/yypwrPqSeYHevLlEDmvmgQzcyTwrlZGRaxEM6G0ro= +github.com/gruntwork-io/go-commons v0.8.0/go.mod h1:gtp0yTtIBExIZp7vyIV9I0XQkVwiQZze678hvDXof78= +github.com/gruntwork-io/terratest v0.32.24 h1:ihbpYh05VBNPtru2GGN36xTLrLkdMacCyRuvIOs3lsQ= +github.com/gruntwork-io/terratest v0.32.24/go.mod h1:IBb+b5b7p34oZLfpz/ZADyn8TSKeWSBu+vQMmNeePLE= +github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI= +github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/hcl/v2 v2.8.2 h1:wmFle3D1vu0okesm8BTLVDyJ6/OL9DCLUwn0b2OptiY= +github.com/hashicorp/hcl/v2 v2.8.2/go.mod h1:bQTN5mpo+jewjJgh8jr0JUguIi7qPHUF6yIfAEN3jqY= +github.com/hashicorp/terraform-json v0.9.0 h1:WE7+Wt93W93feOiCligElSyS0tlDzwZUtJuDGIBr8zg= +github.com/hashicorp/terraform-json v0.9.0/go.mod h1:3defM4kkMfttwiE7VakJDwCd4R+umhSQnvJwORXbprE= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/inconshreveable/mousetrap v1.0.0/go.mod 
h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a h1:zPPuIq2jAWWPTrGt70eK/BSch+gFAGrNzecsoENgu2o= +github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a/go.mod h1:yL958EeXv8Ylng6IfnvG4oflryUi3vgA3xPs9hmII1s= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52CupLJyoVwB10FQ/IQlF1pdL8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= +github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= +github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= +github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod 
h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= +github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= +github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= +github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE= +github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= +github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= +github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo= 
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= +github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzCv8LZP15IdmG+YdwD2luVPHITV96TkirNBM= +github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= +github.com/modern-go/reflect2 v0.0.0-20180320133207-05fbef0ca5da/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= +github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc= +github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod 
h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= +github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= +github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= +github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= +github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= +github.com/oracle/oci-go-sdk v7.1.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= 
+github.com/pquerna/otp v1.2.0 h1:/A3+Jn+cagqayeR3iHs/L62m5ue7710D35zl1zJ1kok= +github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc= +github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rubiojr/go-vhd v0.0.0-20160810183302-0bfd3b39853c/go.mod h1:DM5xW0nvfNNm2uytzsvhI3OnX8uzaRAg8UX/CnDqbto= +github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
+github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= +github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U= +github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= +github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= +github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.2/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= +github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= +github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/vdemeester/k8s-pkg-credentialprovider v0.0.0-20200107171650-7c61ffa44238/go.mod h1:JwQJCMWpUDqjZrB5jpw0f5VbN7U95zxFy1ZDpoEarGo= +github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk= +github.com/vmware/govmomi v0.20.3/go.mod h1:URlwyTFZX72RmxtxuaFL2Uj3fD1JTvZdx59bHWk6aFU= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= 
+github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8= +github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8= +go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= +go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= +go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= +go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= +go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= +golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek= +golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= +golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= +golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod 
h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= +golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= +golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= +golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net 
v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod 
h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190502175342-a43fa875dd82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
+golang.org/x/sys v0.0.0-20200622214017-ed371f2e16b4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools 
v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= +golang.org/x/tools v0.0.0-20190706070813-72ffa07ba3db/go.mod h1:jcCCGcm9btYwXyDqrUWc6MKQKKGJCWEQ3AfLSRIbEuI= +golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191205215504-7b8c8591a921/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools 
v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools v0.0.0-20201110201400-7099162a900a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0= +gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw= +gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ= +google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= +google.golang.org/api v0.6.1-0.20190607001116-5213b8090861/go.mod h1:btoxGiFvQNVUZQ8W08zLtrVS08CNpINPEfxXxgJL1Q4= +google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= +google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= +google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= 
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8= +google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= +google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA= +google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf 
v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= +gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o= +gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.2.2/go.mod 
h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= +k8s.io/api v0.17.0/go.mod h1:npsyOePkeP0CPwyGfXDHxvypiYMJxBWAMpQxCaJ4ZxI= +k8s.io/api v0.19.3/go.mod h1:VF+5FT1B74Pw3KxMdKyinLo+zynBaMBiAfGMuldcNDs= +k8s.io/apimachinery v0.17.0/go.mod h1:b9qmWdKlLuU9EBh+06BtLcSf/Mu89rWL33naRxs1uZg= +k8s.io/apimachinery v0.19.3/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= +k8s.io/apiserver v0.17.0/go.mod h1:ABM+9x/prjINN6iiffRVNCBR2Wk7uY4z+EtEGZD48cg= +k8s.io/client-go v0.17.0/go.mod h1:TYgR6EUHs6k45hb6KWjVD6jFZvJV4gHDikv/It0xz+k= +k8s.io/client-go 
v0.19.3/go.mod h1:+eEMktZM+MG0KO+PTkci8xnbCZHvj9TqR6Q1XDUIJOM= +k8s.io/cloud-provider v0.17.0/go.mod h1:Ze4c3w2C0bRsjkBUoHpFi+qWe3ob1wI2/7cUn+YQIDE= +k8s.io/code-generator v0.0.0-20191121015212-c4c8f8345c7e/go.mod h1:DVmfPQgxQENqDIzVR2ddLXMH34qeszkKSdH/N+s+38s= +k8s.io/component-base v0.17.0/go.mod h1:rKuRAokNMY2nn2A6LP/MiwpoaMRHpfRnrPaUJJj1Yoc= +k8s.io/csi-translation-lib v0.17.0/go.mod h1:HEF7MEz7pOLJCnxabi45IPkhSsE/KmxPQksuCrHKWls= +k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20190822140433-26a664648505/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= +k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= +k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= +k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= +k8s.io/kube-openapi v0.0.0-20191107075043-30be4d16710a/go.mod h1:1TqjTSzOxsLGIKfj0lK8EeCP7K1iUG65v09OM0/WG5E= +k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= +k8s.io/legacy-cloud-providers v0.17.0/go.mod h1:DdzaepJ3RtRy+e5YhNtrCYwlgyK87j/5+Yfp0L9Syp8= +k8s.io/utils v0.0.0-20191114184206-e782cd3c129f/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= +k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw= +modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk= +modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k= +modernc.org/strutil v1.0.0/go.mod 
h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs= +modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= +rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= +sigs.k8s.io/structured-merge-diff v0.0.0-20190525122527-15d366b2352e/go.mod h1:wWxsB5ozmmv/SG7nM11ayaAW51xMvak/t1r0CSlcokI= +sigs.k8s.io/structured-merge-diff v1.0.1-0.20191108220359-b1b620dd3f06/go.mod h1:/ULNhyfzRopfcjskuui0cTITekDduZ7ycKN3oUT9R18= +sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= +sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= +sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= diff --git a/terraform-modules/aws/vpc/test/terratest_test.go b/terraform-modules/aws/vpc/test/terratest_test.go new file mode 100644 index 000000000..b6d38295a --- /dev/null +++ b/terraform-modules/aws/vpc/test/terratest_test.go 
@@ -0,0 +1,81 @@
+package test
+
+import (
+ "math/rand"
+ "testing"
+ "time"
+
+ // "github.com/gruntwork-io/terratest/modules/aws"
+ "github.com/gruntwork-io/terratest/modules/terraform"
+ "github.com/stretchr/testify/assert"
+)
+
+// Default test
+func TestTerraformDefault(t *testing.T) {
+ t.Parallel()
+
+ // Random string for various dynamic bucket name usage
+ stringRand := randomString(8)
+
+ terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+ // The path to where our Terraform code is located
+ TerraformDir: "../",
+
+ // Dynamic Variables that we should pass in addition to varfile.tfvars
+ Vars: map[string]interface{}{
+ "aws_region": "us-east-1",
+ "environment_name": "unittest-aws-vpc-" + stringRand,
+ "vpc_cidr": "10.0.0.0/16",
+ "enable_nat_gateway": false,
+ "enable_vpn_gateway": false,
+ "tags": `{
+ ops_env = "unit-test"
+ ops_managed_by = "terraform",
+ ops_source_repo = "kubernetes-ops",
+ ops_source_repo_path = "terraform-module/aws/vpc",
+ ops_owners = "devops"
+ }`,
+ },
+
+ // Disable colors in Terraform commands so its easier to parse stdout/stderr
+ NoColor: true,
+ })
+
+ // At the end of the test, run `terraform destroy` to clean up any resources that were created
+ defer terraform.Destroy(t, terraformOptions)
+
+ // This will run `terraform init` and `terraform apply` and fail the test if there are any errors
+ terraform.InitAndApply(t, terraformOptions)
+
+ // Run `terraform output` to get the values of output variables
+ actualVPCId := terraform.Output(t, terraformOptions, "vpc_id")
+ actualPublicSubnets := terraform.OutputList(t, terraformOptions, "public_subnets")
+ actualPrivateSubnets := terraform.OutputList(t, terraformOptions, "private_subnets")
+ actualK8sSubnets := terraform.OutputList(t, terraformOptions, "k8s_subnets")
+
+ // awsAccountID := aws.GetAccountId(t)
+
+ // assert.Equal(t, "unittest_aws_iam_policy_"+stringRand, actualPolicyName)
+ // assert.Equal(t, 
"arn:aws:iam::"+awsAccountID+":policy/unittest_aws_iam_policy_"+stringRand, actualPolicyArn)
+ assert.Equal(t, "vpc-", actualVPCId[0:4])
+ assert.Equal(t, 3, len(actualPublicSubnets))
+ assert.Equal(t, 3, len(actualPrivateSubnets))
+ assert.Equal(t, 3, len(actualK8sSubnets))
+}
+
+func randomString(len int) string {
+
+ rand.Seed(time.Now().UTC().UnixNano())
+ bytes := make([]byte, len)
+
+ for i := 0; i < len; i++ {
+ bytes[i] = byte(randInt(97, 122))
+ }
+
+ return string(bytes)
+}
+
+func randInt(min int, max int) int {
+
+ return min + rand.Intn(max-min)
+}
\ No newline at end of file
diff --git a/terraform-modules/aws/vpc/variables.tf b/terraform-modules/aws/vpc/variables.tf
new file mode 100644
index 000000000..a3d5a0cd2
--- /dev/null
+++ b/terraform-modules/aws/vpc/variables.tf
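Review bot: `assert.Equal(t, "vpc-", actualVPCId[0:4])` slices the output unconditionally, so an empty or short `vpc_id` (for example after a partially failed apply) panics with an index-out-of-range instead of producing a readable assertion failure; `assert.Regexp(t, "^vpc-", actualVPCId)` makes the same check without the panic and without a new import. The commented-out `aws` import and the two IAM-policy assertions above it look like leftovers from another module's test and should be removed rather than kept as dead code. Nothing in the test exercises the module's security posture, and the default-security-group rules this commit sets in `variables.tf` are the regression most worth catching; if the module exposes the default security group (I cannot tell from this hunk which outputs exist), an assertion that no ingress rule carries `0.0.0.0/0` would be worth more than the subnet counts. Minor: `randomString` reseeds the shared `math/rand` source on every call, and `randInt(97, 122)` yields 97..121 so `'z'` never appears — harmless for a name suffix, but a one-line comment saying the suffix only needs to avoid collisions, not be unpredictable, would stop a reader from reaching for `crypto/rand`.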
@@ -0,0 +1,174 @@
+variable "aws_region" {
+ default = "us-east-1"
+}
+variable "environment_name" {}
+variable "vpc_cidr" {}
+variable "tags" {
+ type = map(any)
+ default = {}
+}
+
+variable "azs" {
+ type = list(any)
+ default = ["us-east-1a", "us-east-1b", "us-east-1c"]
+}
+
+variable "private_subnets" {
+ type = list(any)
+ default = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+}
+
+variable "public_subnets" {
+ type = list(any)
+ default = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+}
+
+variable "enable_nat_gateway" {
+ type = bool
+ default = true
+}
+
+variable "enable_vpn_gateway" {
+ type = bool
+ default = true
+}
+
+variable "cluster_name" {
+ type = string
+ default = "none"
+ description = "The cluster name for the Kubernetes tags on the subnets"
+}
+
+variable "enable_dns_hostnames" {
+ type = bool
+ default = true
+ description = "Enable dns hostname resolution"
+}
+
+variable "enable_dns_support" {
+ type = bool
+ default = true
+ description = "Enable dns support"
+}
+
+variable "secondary_cidrs" {
+ type = list(string)
+ default = ["100.64.0.0/16"]
+ description = "optional list of secondary cidr blocks"
+}
+
+variable "k8s_worker_subnets" {
+ type = list(string)
+ default = ["100.64.0.0/20", "100.64.16.0/20", "100.64.32.0/20"]
+ description = "list of alternate secondary cidrs for kubernetes workers"
+}
+
+variable "reuse_nat_ips" {
+ description = "Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable"
+ type = bool
+ default = false
+}
+
+variable "external_nat_ip_ids" {
+ description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
+ type = list(string)
+ default = []
+}
+
+#Default Security Group Management (Default: secure)
+variable "manage_default_security_group" {
+ description = "Should be true to adopt and manage default security group"
+ type = bool
+ default = true
+}
+
+variable 
"default_security_group_name" {
+ description = "Name to be used on the default security group "
+ type = string
+ default = "default"
+}
+
+variable "default_security_group_egress" {
+ description = "List of maps of egress rules to set on the default security group "
+ type = list(map(string))
+ default = [
+ {
+ cidr_blocks = "10.0.0.0/8"
+ description = "rfc1918: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ },
+ {
+ cidr_blocks = "172.16.0.0/12"
+ description = "rfc1918: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ },
+ {
+ cidr_blocks = "192.168.0.0/16"
+ description = "rfc1918: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ },
+ {
+ cidr_blocks = "100.64.0.0/10"
+ description = "rfc6598: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ }
+ ]
+}
+
+variable "default_security_group_ingress" {
+ description = "List of maps of ingress rules to set on the default security group "
+ type = list(map(string))
+ default = [
+ {
+ cidr_blocks = "10.0.0.0/8"
+ description = "rfc1918: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ },
+ {
+ cidr_blocks = "172.16.0.0/12"
+ description = "rfc1918: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ },
+ {
+ cidr_blocks = "192.168.0.0/16"
+ description = "rfc1918: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ },
+ {
+ cidr_blocks = "100.64.0.0/10"
+ description = "rfc6598: Private Address Space"
+ from_port = 0
+ protocol = "-1"
+ self = false
+ to_port = 0
+ }
+ ]
+}
+
+variable "default_security_group_tags" {
+ description = "Additional tags for the default security group "
+ type = map(any)
+ default = {}
+}
+
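Review bot: The default for `default_security_group_ingress` (and `_egress`) opens every protocol and port (`protocol = "-1"`) to the whole of `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16` and `100.64.0.0/10`, so any host reachable over a peering, Transit Gateway, VPN or Direct Connect attachment in private address space can reach instances that land in the default security group — considerably broader than the `#Default Security Group Management (Default: secure)` comment suggests. The usual reason to adopt the default SG is to strip it to no rules so that nothing relies on it; a default that matches the comment would be `default = []` for ingress, with the description noting that callers who need intra-VPC access should pass rules scoped to `var.vpc_cidr` and `var.secondary_cidrs` (a variable default cannot reference another variable, so a VPC-scoped rule set would have to be built as a local in `main.tf`, outside this hunk). If the RFC1918/RFC6598 allow-list is intentional, the comment should say so plainly instead of calling it secure. Minor: `azs`, `private_subnets` and `public_subnets` are `list(any)` and `environment_name`/`vpc_cidr` carry no `type` or `description`; `list(string)` and `string` would reject malformed input at plan time.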
diff --git a/terraform-modules/datadog/api_key/main.tf b/terraform-modules/datadog/api_key/main.tf
new file mode 100644
index 000000000..dd09bc899
--- /dev/null
+++ b/terraform-modules/datadog/api_key/main.tf
@@ -0,0 +1,3 @@
+resource "datadog_api_key" "this" {
+ name = var.name
+}
diff --git a/terraform-modules/datadog/api_key/outputs.tf b/terraform-modules/datadog/api_key/outputs.tf
new file mode 100644
index 000000000..f00655013
--- /dev/null
+++ b/terraform-modules/datadog/api_key/outputs.tf
@@ -0,0 +1,5 @@
+output "api_key" {
+ value = datadog_api_key.this.key
+ sensitive = true
+ description = "The Datadog API key"
+}
diff --git a/terraform-modules/datadog/api_key/variables.tf b/terraform-modules/datadog/api_key/variables.tf
new file mode 100644
index 000000000..265159c5a
--- /dev/null
+++ b/terraform-modules/datadog/api_key/variables.tf
@@ -0,0 +1,5 @@
+variable "name" {
+ type = string
+ default = "datadog_api_key"
+ description = "The API key's name"
+}
diff --git a/tf-environments/dev-example/_env_defaults/main.tf b/tf-environments/dev-example/_env_defaults/main.tf
deleted file mode 100644
index dc6e73e2a..000000000
--- a/tf-environments/dev-example/_env_defaults/main.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-output environment_name {
- value = "dev-example"
-}
-
-output aws_region {
- value = "us-east-1"
-}
-
-output vpc_cidr {
- value = "10.9.0.0/16"
-}
-
-output vpc_id {
- value = "vpc-fill-me-in-after-your-vpc-has-been-created"
-}
-
-output aws_availability_zone_1 {
- value = "a"
-}
-
-output aws_availability_zone_2 {
- value = "b"
-}
-
-output aws_availability_zone_3 {
- value = "c"
-}
diff --git a/tf-environments/dev-example/aws/vpc/main.tf b/tf-environments/dev-example/aws/vpc/main.tf
deleted file mode 100644
index 007a8cde7..000000000
--- a/tf-environments/dev-example/aws/vpc/main.tf
+++ /dev/null
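Review bot: `sensitive = true` on the `api_key` output only redacts the value from `terraform plan`/`apply`/`output` text; the key is still written in plaintext to this module's state and to the state of every root module that reads `module.<name>.api_key`, and anyone with read access to the state backend, or to a CI log that runs `terraform output -json`, holds a live Datadog API key. The output should say so, since its description currently reads as if the value were protected: `# sensitive=true only hides the value in CLI output; the key is stored in plaintext in Terraform state, so keep the state backend encrypted and access-restricted, and prefer piping it straight into a secrets store rather than into other modules.` Because the key is created by Terraform, rotating it means replacing `datadog_api_key.this` (`terraform apply -replace=...`), which is worth documenting wherever this module is described; no README is part of this commit.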
@@ -1,50 +0,0 @@ -terraform { - backend "s3" {} -} - -# Common modules -module "env_defaults" { - source = "../../_env_defaults" -} - -# Inputs -variable "public_cidrs" { - description = "CIDR block for public subnets (should be the same amount as AZs)" - type = "list" - default = ["10.10.6.0/24", "10.10.7.0/24", "10.10.8.0/24"] -} - -variable "private_cidrs" { - description = "CIDR block for private subnets (should be the same amount as AZs)" - type = "list" - default = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"] -} - -# Main -module "main" { - source = "../../../../tf-modules/aws/vpc/" - - region = "${module.env_defaults.aws_region}" - vpc_cidr = "${module.env_defaults.vpc_cidr}" - - availability_zones = ["${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_1}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_2}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_3}"] - - public_cidrs = "${var.public_cidrs}" - - private_cidrs = "${var.private_cidrs}" - - tags = { - Name = "${module.env_defaults.environment_name}", - Environment = "${module.env_defaults.environment_name}", - Account = "${module.env_defaults.environment_name}", - Group = "devops", - Region = "${module.env_defaults.aws_region}" - managed_by = "Terraform" - } -} - - -# Outputs -output "aws_vpc_id" { - value = "${module.main.aws_vpc_id}" -} diff --git a/tf-environments/dev-example/aws/vpc/terraform.tfvars b/tf-environments/dev-example/aws/vpc/terraform.tfvars deleted file mode 100644 index 0b352dc6b..000000000 --- a/tf-environments/dev-example/aws/vpc/terraform.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -terragrunt = { - include { - path = "${find_in_parent_folders()}" - } -} diff --git a/tf-environments/dev-example/terraform.tfvars b/tf-environments/dev-example/terraform.tfvars deleted file mode 100644 index f1af4dd03..000000000 --- a/tf-environments/dev-example/terraform.tfvars +++ /dev/null 
@@ -1,12 +0,0 @@ -terragrunt = { - remote_state { - backend = "s3" - config { - bucket = "kubernetes-ops-123-terraform-state" - key = "dev-example/${path_relative_to_include()}/terraform.tfstate" - region = "us-east-1" - encrypt = true - # dynamodb_table = "terraform-locks" - } - } -} diff --git a/tf-environments/dev/aws/vpc/main.tf b/tf-environments/dev/aws/vpc/main.tf deleted file mode 100644 index 007a8cde7..000000000 --- a/tf-environments/dev/aws/vpc/main.tf +++ /dev/null @@ -1,50 +0,0 @@ -terraform { - backend "s3" {} -} - -# Common modules -module "env_defaults" { - source = "../../_env_defaults" -} - -# Inputs -variable "public_cidrs" { - description = "CIDR block for public subnets (should be the same amount as AZs)" - type = "list" - default = ["10.10.6.0/24", "10.10.7.0/24", "10.10.8.0/24"] -} - -variable "private_cidrs" { - description = "CIDR block for private subnets (should be the same amount as AZs)" - type = "list" - default = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"] -} - -# Main -module "main" { - source = "../../../../tf-modules/aws/vpc/" - - region = "${module.env_defaults.aws_region}" - vpc_cidr = "${module.env_defaults.vpc_cidr}" - - availability_zones = ["${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_1}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_2}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_3}"] - - public_cidrs = "${var.public_cidrs}" - - private_cidrs = "${var.private_cidrs}" - - tags = { - Name = "${module.env_defaults.environment_name}", - Environment = "${module.env_defaults.environment_name}", - Account = "${module.env_defaults.environment_name}", - Group = "devops", - Region = "${module.env_defaults.aws_region}" - managed_by = "Terraform" - } -} - - -# Outputs -output "aws_vpc_id" { - value = "${module.main.aws_vpc_id}" -} 
diff --git a/tf-environments/dev/aws/vpc/terraform.tfvars b/tf-environments/dev/aws/vpc/terraform.tfvars deleted file mode 100644 index 0b352dc6b..000000000 --- a/tf-environments/dev/aws/vpc/terraform.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -terragrunt = { - include { - path = "${find_in_parent_folders()}" - } -} diff --git a/tf-environments/dev/terraform.tfvars b/tf-environments/dev/terraform.tfvars deleted file mode 100644 index 23c81c8c6..000000000 --- a/tf-environments/dev/terraform.tfvars +++ /dev/null @@ -1,12 +0,0 @@ -terragrunt = { - remote_state { - backend = "s3" - config { - bucket = "kubernetes-ops-123-terraform-state" - key = "dev/${path_relative_to_include()}/terraform.tfstate" - region = "us-east-1" - encrypt = true - # dynamodb_table = "terraform-locks" - } - } -} diff --git a/tf-environments/prod/_env_defaults/main.tf b/tf-environments/prod/_env_defaults/main.tf deleted file mode 100644 index 468472400..000000000 --- a/tf-environments/prod/_env_defaults/main.tf +++ /dev/null @@ -1,27 +0,0 @@ -output environment_name { - value = "prod" -} - -output aws_region { - value = "us-east-1" -} - -output vpc_cidr { - value = "10.13.0.0/16" -} - -output vpc_id { - value = "vpc-fill-me-in-after-your-vpc-has-been-created" -} - -output aws_availability_zone_1 { - value = "a" -} - -output aws_availability_zone_2 { - value = "b" -} - -output aws_availability_zone_3 { - value = "c" -} diff --git a/tf-environments/prod/aws/vpc/main.tf b/tf-environments/prod/aws/vpc/main.tf deleted file mode 100644 index d1a59cf1a..000000000 --- a/tf-environments/prod/aws/vpc/main.tf +++ /dev/null 
@@ -1,50 +0,0 @@ -terraform { - backend "s3" {} -} - -# Common modules -module "env_defaults" { - source = "../../_env_defaults" -} - -# Inputs -variable "public_cidrs" { - description = "CIDR block for public subnets (should be the same amount as AZs)" - type = "list" - default = ["10.13.6.0/24", "10.13.7.0/24", "10.13.8.0/24"] -} - -variable "private_cidrs" { - description = "CIDR block for private subnets (should be the same amount as AZs)" - type = "list" - default = ["10.13.1.0/24", "10.13.2.0/24", "10.13.3.0/24"] -} - -# Main -module "main" { - source = "../../../../tf-modules/aws/vpc/" - - region = "${module.env_defaults.aws_region}" - vpc_cidr = "${module.env_defaults.vpc_cidr}" - - availability_zones = ["${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_1}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_2}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_3}"] - - public_cidrs = "${var.public_cidrs}" - - private_cidrs = "${var.private_cidrs}" - - tags = { - Name = "${module.env_defaults.environment_name}", - Environment = "${module.env_defaults.environment_name}", - Account = "${module.env_defaults.environment_name}", - Group = "devops", - Region = "${module.env_defaults.aws_region}" - managed_by = "Terraform" - } -} - - -# Outputs -output "aws_vpc_id" { - value = "${module.main.aws_vpc_id}" -} diff --git a/tf-environments/prod/aws/vpc/terraform.tfvars b/tf-environments/prod/aws/vpc/terraform.tfvars deleted file mode 100644 index 0b352dc6b..000000000 --- a/tf-environments/prod/aws/vpc/terraform.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -terragrunt = { - include { - path = "${find_in_parent_folders()}" - } -} diff --git a/tf-environments/prod/terraform.tfvars b/tf-environments/prod/terraform.tfvars deleted file mode 100644 index 4467854c4..000000000 --- a/tf-environments/prod/terraform.tfvars +++ /dev/null 
@@ -1,12 +0,0 @@ -terragrunt = { - remote_state { - backend = "s3" - config { - bucket = "kubernetes-ops-123-terraform-state" - key = "prod/${path_relative_to_include()}/terraform.tfstate" - region = "us-east-1" - encrypt = true - # dynamodb_table = "terraform-locks" - } - } -} diff --git a/tf-environments/qa/_env_defaults/main.tf b/tf-environments/qa/_env_defaults/main.tf deleted file mode 100644 index 28da21b2d..000000000 --- a/tf-environments/qa/_env_defaults/main.tf +++ /dev/null @@ -1,27 +0,0 @@ -output environment_name { - value = "qa" -} - -output aws_region { - value = "us-east-1" -} - -output vpc_cidr { - value = "10.11.0.0/16" -} - -output vpc_id { - value = "vpc-fill-me-in-after-your-vpc-has-been-created" -} - -output aws_availability_zone_1 { - value = "a" -} - -output aws_availability_zone_2 { - value = "b" -} - -output aws_availability_zone_3 { - value = "c" -} diff --git a/tf-environments/qa/aws/vpc/main.tf b/tf-environments/qa/aws/vpc/main.tf deleted file mode 100644 index 203952ef0..000000000 --- a/tf-environments/qa/aws/vpc/main.tf +++ /dev/null 
@@ -1,50 +0,0 @@ -terraform { - backend "s3" {} -} - -# Common modules -module "env_defaults" { - source = "../../_env_defaults" -} - -# Inputs -variable "public_cidrs" { - description = "CIDR block for public subnets (should be the same amount as AZs)" - type = "list" - default = ["10.11.6.0/24", "10.11.7.0/24", "10.11.8.0/24"] -} - -variable "private_cidrs" { - description = "CIDR block for private subnets (should be the same amount as AZs)" - type = "list" - default = ["10.11.1.0/24", "10.11.2.0/24", "10.11.3.0/24"] -} - -# Main -module "main" { - source = "../../../../tf-modules/aws/vpc/" - - region = "${module.env_defaults.aws_region}" - vpc_cidr = "${module.env_defaults.vpc_cidr}" - - availability_zones = ["${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_1}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_2}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_3}"] - - public_cidrs = "${var.public_cidrs}" - - private_cidrs = "${var.private_cidrs}" - - tags = { - Name = "${module.env_defaults.environment_name}", - Environment = "${module.env_defaults.environment_name}", - Account = "${module.env_defaults.environment_name}", - Group = "devops", - Region = "${module.env_defaults.aws_region}" - managed_by = "Terraform" - } -} - - -# Outputs -output "aws_vpc_id" { - value = "${module.main.aws_vpc_id}" -} diff --git a/tf-environments/qa/aws/vpc/terraform.tfvars b/tf-environments/qa/aws/vpc/terraform.tfvars deleted file mode 100644 index 0b352dc6b..000000000 --- a/tf-environments/qa/aws/vpc/terraform.tfvars +++ /dev/null @@ -1,5 +0,0 @@ -terragrunt = { - include { - path = "${find_in_parent_folders()}" - } -} diff --git a/tf-environments/qa/terraform.tfvars b/tf-environments/qa/terraform.tfvars deleted file mode 100644 index 320e8800a..000000000 --- a/tf-environments/qa/terraform.tfvars +++ /dev/null 
@@ -1,12 +0,0 @@
-terragrunt = {
- remote_state {
- backend = "s3"
- config {
- bucket = "kubernetes-ops-123-terraform-state"
- key = "qa/${path_relative_to_include()}/terraform.tfstate"
- region = "us-east-1"
- encrypt = true
- # dynamodb_table = "terraform-locks"
- }
- }
-}
diff --git a/tf-environments/staging/_env_defaults/main.tf b/tf-environments/staging/_env_defaults/main.tf
deleted file mode 100644
index d2c7d0804..000000000
--- a/tf-environments/staging/_env_defaults/main.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-output environment_name {
- value = "staging"
-}
-
-output aws_region {
- value = "us-east-1"
-}
-
-output vpc_cidr {
- value = "10.12.0.0/16"
-}
-
-output vpc_id {
- value = "vpc-fill-me-in-after-your-vpc-has-been-created"
-}
-
-output aws_availability_zone_1 {
- value = "a"
-}
-
-output aws_availability_zone_2 {
- value = "b"
-}
-
-output aws_availability_zone_3 {
- value = "c"
-}
diff --git a/tf-environments/staging/aws/vpc/main.tf b/tf-environments/staging/aws/vpc/main.tf
deleted file mode 100644
index 3fe4ba3af..000000000
--- a/tf-environments/staging/aws/vpc/main.tf
+++ /dev/null
@@ -1,50 +0,0 @@
-terraform {
- backend "s3" {}
-}
-
-# Common modules
-module "env_defaults" {
- source = "../../_env_defaults"
-}
-
-# Inputs
-variable "public_cidrs" {
- description = "CIDR block for public subnets (should be the same amount as AZs)"
- type = "list"
- default = ["10.12.6.0/24", "10.12.7.0/24", "10.12.8.0/24"]
-}
-
-variable "private_cidrs" {
- description = "CIDR block for private subnets (should be the same amount as AZs)"
- type = "list"
- default = ["10.12.1.0/24", "10.12.2.0/24", "10.12.3.0/24"]
-}
-
-# Main
-module "main" {
- source = "../../../../tf-modules/aws/vpc/"
-
- region = "${module.env_defaults.aws_region}"
- vpc_cidr = "${module.env_defaults.vpc_cidr}"
-
- availability_zones = ["${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_1}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_2}", "${module.env_defaults.aws_region}${module.env_defaults.aws_availability_zone_3}"]
-
- public_cidrs = "${var.public_cidrs}"
-
- private_cidrs = "${var.private_cidrs}"
-
- tags = {
- Name = "${module.env_defaults.environment_name}",
- Environment = "${module.env_defaults.environment_name}",
- Account = "${module.env_defaults.environment_name}",
- Group = "devops",
- Region = "${module.env_defaults.aws_region}"
- managed_by = "Terraform"
- }
-}
-
-
-# Outputs
-output "aws_vpc_id" {
- value = "${module.main.aws_vpc_id}"
-}
diff --git a/tf-environments/staging/aws/vpc/terraform.tfvars b/tf-environments/staging/aws/vpc/terraform.tfvars
deleted file mode 100644
index 0b352dc6b..000000000
--- a/tf-environments/staging/aws/vpc/terraform.tfvars
+++ /dev/null
@@ -1,5 +0,0 @@
-terragrunt = {
- include {
- path = "${find_in_parent_folders()}"
- }
-}
diff --git a/tf-environments/staging/terraform.tfvars b/tf-environments/staging/terraform.tfvars
deleted file mode 100644
index 2f338e654..000000000
--- a/tf-environments/staging/terraform.tfvars
+++ /dev/null
@@ -1,12 +0,0 @@
-terragrunt = {
- remote_state {
- backend = "s3"
- config {
- bucket = "kubernetes-ops-123-terraform-state"
- key = "staging/${path_relative_to_include()}/terraform.tfstate"
- region = "us-east-1"
- encrypt = true
- # dynamodb_table = "terraform-locks"
- }
- }
-}
diff --git a/tf-modules/aws/vpc/main.tf b/tf-modules/aws/vpc/main.tf
deleted file mode 100644
index fffea2371..000000000
--- a/tf-modules/aws/vpc/main.tf
+++ /dev/null
@@ -1,157 +0,0 @@
-terraform {
- backend "s3" {}
-}
-
-provider "aws" {
- region = "${var.region}"
-}
-
-# VPC
-resource "aws_vpc" "main" {
- cidr_block = "${var.vpc_cidr}"
- enable_dns_support = true
- enable_dns_hostnames = true
- tags = "${var.tags}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-# Gateway
-resource "aws_internet_gateway" "main" {
- vpc_id = "${aws_vpc.main.id}"
- tags = "${var.tags}"
-}
-
-resource "aws_nat_gateway" "main" {
- count = "${length(var.availability_zones)}"
- allocation_id = "${element(aws_eip.nat.*.id, count.index)}"
- subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
- depends_on = ["aws_internet_gateway.main"]
- tags = "${var.tags}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_eip" "nat" {
- count = "${length(var.availability_zones)}"
- vpc = true
- tags = "${var.tags}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-# Subnets
-resource "aws_subnet" "public" {
- count = "${length(var.availability_zones)}"
- vpc_id = "${aws_vpc.main.id}"
- cidr_block = "${element(var.public_cidrs, count.index)}"
- availability_zone = "${element(var.availability_zones, count.index)}"
- map_public_ip_on_launch = true
-
- tags = "${var.tags}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_subnet" "private" {
- count = "${length(var.availability_zones)}"
- vpc_id = "${aws_vpc.main.id}"
- cidr_block = "${element(var.private_cidrs, count.index)}"
- availability_zone = "${element(var.availability_zones, count.index)}"
-
- tags = "${var.tags}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-# Route tables
-
-// Public
-resource "aws_route_table" "public" {
- vpc_id = "${aws_vpc.main.id}"
-
- tags = "${var.tags}"
-}
-
-resource "aws_route" "public" {
- route_table_id = "${aws_route_table.public.id}"
- destination_cidr_block = "0.0.0.0/0"
- gateway_id = "${aws_internet_gateway.main.id}"
-}
-
-resource "aws_route_table" "private" {
- count = "${length(var.availability_zones)}"
- vpc_id = "${aws_vpc.main.id}"
-
- tags = "${var.tags}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_route" "private" {
- count = "${length(var.availability_zones)}"
- route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
- destination_cidr_block = "0.0.0.0/0"
- nat_gateway_id = "${element(aws_nat_gateway.main.*.id, count.index)}"
-}
-
-/**
- * Route associations
- */
-
-resource "aws_route_table_association" "private" {
- count = "${length(var.availability_zones)}"
- subnet_id = "${element(aws_subnet.private.*.id, count.index)}"
- route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-resource "aws_route_table_association" "public" {
- count = "${length(var.availability_zones)}"
- subnet_id = "${element(aws_subnet.public.*.id, count.index)}"
- route_table_id = "${aws_route_table.public.id}"
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-/**
- * Default security group
- * This gives terraform access to the default security group.
- * See https://www.terraform.io/docs/providers/aws/r/default_security_group.html
- */
-
-resource "aws_default_security_group" "default" {
- vpc_id = "${aws_vpc.main.id}"
- tags = "${var.tags}"
-
- ingress {
- protocol = -1
- self = true
- from_port = 0
- to_port = 0
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
diff --git a/tf-modules/aws/vpc/outputs.tf b/tf-modules/aws/vpc/outputs.tf
deleted file mode 100644
index 8da208ebb..000000000
--- a/tf-modules/aws/vpc/outputs.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "aws_vpc_id" {
- value = "${aws_vpc.main.id}"
-}