apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
metadata:
  name: full-install
spec:
  # NOTE, if you remove all children from an element, you should remove the
  # element too. An empty element is interpreted as null and will override all
  # default values (i.e. no values will be specified for that element, not even
  # the defaults baked into the chart values.yaml).
  istio:
    global:
      oauthproxy:
        hub: docker.io/openshift
        image: oauth-proxy
        # mutable tag: the image behind it can change between pulls, so the
        # install is not reproducible; pin a version (or digest) for anything
        # beyond a throwaway QE environment
        tag: latest
      hub: quay.io/maistra
      # QE build tag; mutable for the same reason as above, and pulled with
      # imagePullPolicy Always, so every pod restart may pick up a new image
      tag: latest-qe
      imagePullPolicy: Always
      proxy:
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 500m
            memory: 128Mi

    gateways:
      istio-egressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
      istio-ingressgateway:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
        # set to true to enable IOR
        ior_enabled: false

    mixer:
      policy:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
      telemetry:
        # disable autoscaling for use in smaller environments
        autoscaleEnabled: false
        # constrain resources for use in smaller environments
        resources:
          requests:
            cpu: 100m
            memory: 1G
          limits:
            cpu: 500m
            memory: 4G

    pilot:
      # disable autoscaling for use in smaller environments
      autoscaleEnabled: false
      # increase random sampling rate for development/testing
      # (100.0 = every request is traced; keep this to test environments,
      # trace volume and retention cost grow with it)
      traceSampling: 100.0

    kiali:
      # change to false to disable kiali
      enabled: false
      # create a secret for accessing kiali dashboard with the following credentials
      # (the values below are placeholders only; never commit real dashboard
      # credentials in this file, source them from a secret store instead)
      # dashboard:
      #   user: admin
      #   passphrase: admin

    tracing:
      # change to false to disable tracing (i.e. jaeger)
      enabled: true
      jaeger:
        hub: quay.io/maistra
        tag: 1.13.1
        imagePullPolicy: Always
        # simple, all-in-one strategy
        template: all-in-one
        # production strategy, utilizing elasticsearch
        #template: production-elasticsearch
        # if required. only one instance may use agentStrategy=DaemonSet
        #agentStrategy: DaemonSet
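---
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
spec:
  # a list of namespaces that should be joined into the service mesh.
  # Written as an explicit empty list: a bare `members:` with only comments
  # under it parses as null rather than as an empty list.
  # for example, to add the bookinfo namespace:
  #   members:
  #     - bookinfo
  members: []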
# CRD for ServiceMeshControlPlane. Uses the v1beta1 CRD API (deprecated in
# later Kubernetes releases). No `validation` schema is declared here, so the
# API server accepts any `spec` shape for these objects; structural checks
# rest on the operator's validating webhook defined further down in this file.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: servicemeshcontrolplanes.maistra.io
spec:
  group: maistra.io
  names:
    kind: ServiceMeshControlPlane
    listKind: ServiceMeshControlPlaneList
    plural: servicemeshcontrolplanes
    singular: servicemeshcontrolplane
    shortNames:
      - smcp
  scope: Namespaced
  subresources:
    # status is updated through its own subresource, so spec and status
    # writes need separate RBAC verbs
    status: {}
  version: v1
  # columns shown by `kubectl get smcp`; priority: 1 columns only with -o wide
  additionalPrinterColumns:
    - JSONPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      description: Whether or not the control plane installation is up to date and ready to handle requests.
      type: string
    - JSONPath: .status.conditions[?(@.type=="Ready")].message
      name: Status
      description: The status of the control plane installation.
      type: string
      priority: 1
    - JSONPath: .status.conditions[?(@.type=="Reconciled")].status
      name: Reconciled
      description: Whether or not the control plane installation is up to date with the latest version of this resource.
      type: string
      priority: 1
    - JSONPath: .status.conditions[?(@.type=="Reconciled")].message
      name: Reconciliation Status
      description: The status of the reconciliation process, if the control plane is not up to date with the latest version this resource.
      type: string
      priority: 1
---
# CRD for ServiceMeshMemberRoll. As with the SMCP CRD above, no `validation`
# schema is declared, so membership lists are only checked by the operator's
# validating webhook.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: servicemeshmemberrolls.maistra.io
spec:
  group: maistra.io
  names:
    kind: ServiceMeshMemberRoll
    listKind: ServiceMeshMemberRollList
    plural: servicemeshmemberrolls
    singular: servicemeshmemberroll
    shortNames:
      - smmr
  scope: Namespaced
  subresources:
    status: {}
  version: v1
  additionalPrinterColumns:
    - JSONPath: .spec.members
      description: Namespaces that are members of this Control Plane
      name: Members
      type: string
---
# create role that can be used to grant users permission to create smcp and smmr resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: maistra-admin
  labels:
    # aggregated into the built-in `admin` ClusterRole: anyone holding admin
    # in a namespace gains full control of maistra.io resources there
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  # full access to every resource in the maistra.io group
  - apiGroups:
      - maistra.io
    resources:
      - '*'
    verbs:
      - '*'
---
# NOTE(review): no `subjects` are listed, so this binding grants nothing as
# written; presumably subjects are meant to be added afterwards — confirm,
# and keep in mind that whoever is added here gets cluster-wide (not
# per-namespace) rights over maistra.io resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: maistra-admin
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: maistra-admin
---
# role granting full control of the Istio and Maistra policy/config API
# groups; aggregated into the built-in `admin` ClusterRole via the label
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-admin
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - config.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - networking.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - authentication.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  # rbac.istio.io objects define mesh-level authorization; namespace admins
  # can therefore change who may call services in their namespace
  - apiGroups:
      - rbac.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - authentication.maistra.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - rbac.maistra.io
    resources:
      - '*'
    verbs:
      - '*'
---
# NOTE(review): like the maistra-admin binding above, this has no `subjects`
# and so is inert until some are added — confirm that is intended.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: istio-admin
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: istio-admin
---
# RBAC for the operator's ServiceAccount. Scope note: wildcard verbs on core
# resources cluster-wide (secrets and serviceaccounts included), wildcard
# verbs on RBAC objects (the holder can re-grant anything it already holds),
# and `use` of the privileged SCC together put this close to cluster-admin.
# Treat the bound ServiceAccount token as a high-value credential (limit who
# can exec into or read secrets in the istio-operator namespace) and revisit
# the entries marked "is this needed?" before using this outside QE.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-operator
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - namespaces
      - persistentvolumeclaims
      - pods
      - replicationcontrollers
      # read/write of every secret in every namespace
      - secrets
      - serviceaccounts
      - services
      - events # is this needed?
    verbs:
      - '*'
  - apiGroups:
      - apps
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/finalizers
      - ingresses # is this needed? should it be converted to a route?
      - ingresses/status
      - replicasets
      - statefulsets
    verbs:
      - '*'
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - '*'
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - '*'
  # webhook configurations intercept API writes cluster-wide; full control
  # here means the operator can alter admission for any resource
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - '*'
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - '*'
  - apiGroups:
      - certmanager.k8s.io
    resources:
      - clusterissuers
    verbs:
      - '*'
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - '*'
  # full control of roles and bindings: combined with the wildcard rules in
  # this file, the operator can grant the same broad rights to other subjects
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterrolebindings
      - clusterroles
      - rolebindings
      - roles
    verbs:
      - '*'
  - apiGroups:
      - authentication.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - config.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - networking.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - rbac.istio.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - jaegertracing.io
    resources:
      - jaegers
    verbs:
      - '*'
  - apiGroups:
      - kiali.io
    resources:
      - kialis
    verbs:
      - '*'
  - apiGroups:
      - maistra.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - authentication.maistra.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - rbac.maistra.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - route.openshift.io
    resources:
      - routes
      # custom-host allows setting arbitrary hostnames on routes
      - routes/custom-host
    verbs:
      - '*'
  # required by smmr controller
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - network.openshift.io
    resources:
      - clusternetworks
    verbs:
      - get
  - apiGroups:
      - network.openshift.io
    resources:
      - netnamespaces
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - k8s.cni.cncf.io
    resources:
      - network-attachment-definitions
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - watch
  # required by cni daemonset
  # (`use` of the privileged SCC lets pods created through this SA run
  # privileged; scoped to that one SCC by resourceNames)
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    resourceNames:
      - privileged
    verbs:
      - use
  # required by pod locality controller
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups: # might be required by citadel
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - nonResourceURLs:
      - '/metrics'
    verbs:
      - get
---
# identity the operator Deployment runs as; bound below to the istio-operator
# ClusterRole, so its token carries that role's full scope
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-operator
  namespace: istio-operator
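---
# binds the operator ServiceAccount to the istio-operator ClusterRole.
# Uses rbac.authorization.k8s.io/v1 like every other RBAC object in this file
# (the v1beta1 form is deprecated and has been removed from newer Kubernetes
# releases; the object itself is identical under v1).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: istio-operator-account-istio-operator-cluster-role-binding
subjects:
  - kind: ServiceAccount
    namespace: istio-operator
    name: istio-operator
roleRef:
  kind: ClusterRole
  name: istio-operator
  apiGroup: rbac.authorization.k8s.io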
---
# validating admission for SMCP/SMMR writes, served by the operator via the
# admission-controller Service below
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  # this must match what is used inside the operator, which is <operator-namespace>.servicemesh-resources.maistra.io
  name: istio-operator.servicemesh-resources.maistra.io
webhooks:
  - name: smcp.validation.maistra.io
    rules:
      - apiGroups:
          - maistra.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - servicemeshcontrolplanes
    # fail-closed: if the webhook is unreachable, SMCP writes are rejected
    # rather than admitted unchecked
    failurePolicy: Fail
    clientConfig:
      # no CA is pinned here, so as written the API server has nothing of its
      # own to verify the webhook's serving certificate against; presumably
      # this is filled in at runtime by the operator or a CA-injection
      # mechanism — confirm, because with failurePolicy: Fail an
      # unverifiable webhook blocks every SMCP write
      caBundle: ""
      service:
        name: admission-controller
        namespace: istio-operator
        path: /validate-smcp
    # empty selector: applies to these resources in every namespace
    namespaceSelector: {}
  - name: smmr.validation.maistra.io
    rules:
      - apiGroups:
          - maistra.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - servicemeshmemberrolls
    failurePolicy: Fail
    clientConfig:
      # same runtime-population assumption as the smcp webhook above
      caBundle: ""
      service:
        name: admission-controller
        namespace: istio-operator
        path: /validate-smmr
    namespaceSelector: {}
---
# ClusterIP Service fronting the operator's admission webhook; the
# ValidatingWebhookConfiguration above reaches it on port 443
apiVersion: v1
kind: Service
metadata:
  name: admission-controller
  namespace: istio-operator
spec:
  ports:
    - port: 443
      protocol: TCP
      # forwarded to the operator container; note the Deployment below only
      # declares containerPort 60000 (metrics), not 11999 — not required by
      # Kubernetes, but worth declaring there for clarity
      targetPort: 11999
  selector:
    name: istio-operator
  type: ClusterIP
---
# the operator itself. NOTE(review): no pod/container securityContext and no
# resource requests/limits are set; given the breadth of the bound
# ClusterRole, consider runAsNonRoot, readOnlyRootFilesystem and limits once
# confirmed compatible with the image.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: istio-operator
  namespace: istio-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: istio-operator
  template:
    metadata:
      labels:
        name: istio-operator
    spec:
      # runs with the token of the SA bound to the istio-operator ClusterRole
      serviceAccountName: istio-operator
      volumes:
        - name: discovery-cache
          # memory-backed; counts against the pod's memory (no limit is set)
          emptyDir:
            medium: Memory
      containers:
        - name: istio-operator
          # mutable QE tag pulled with Always: the operator binary can change
          # across pod restarts; pin by digest outside QE
          image: quay.io/maistra/istio-operator-rhel8:latest-qe
          ports:
            # only the metrics port is declared; the webhook port (11999,
            # targeted by the admission-controller Service) is not
            - containerPort: 60000
              name: metrics
          command:
            - istio-operator
            - --discoveryCacheDir
            - /home/istio-operator/.kube/cache/discovery
          imagePullPolicy: Always
          env:
            # empty value: conventionally means the operator watches all
            # namespaces rather than a single one — confirm against the
            # operator's documentation
            - name: WATCH_NAMESPACE
              value: ""
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: istio-operator
            # CNI image deployed by the operator; same mutable-tag caveat
            - name: ISTIO_CNI_IMAGE
              value: quay.io/maistra/istio-cni-rhel8:latest-qe
            # - name: ISTIO_CNI_IMAGE_PULL_SECRET
            #   value: name-of-secret
          volumeMounts:
            - name: discovery-cache
              mountPath: /home/istio-operator/.kube/cache/discovery