
Commit b62fbab

Merge pull request #248 from banzaicloud/istio-1.2.2
Istio 1.2.2 support
2 parents 9a9c56e + 42ac9f4 commit b62fbab

41 files changed: +1403 -768 lines changed

README.md

Lines changed: 1 addition & 1 deletion
@@ -56,7 +56,7 @@ If you are willing to kickstart your Istio experience using Pipeline, check out
5656

5757
## Installation
5858

59-
The operator (`release-1.1` branch) installs the 1.1.9 version of Istio, and can run on Minikube v0.33.1+ and Kubernetes 1.10.0+.
59+
The operator (`release-1.2` branch) installs the 1.2.2 version of Istio, and can run on Minikube v0.33.1+ and Kubernetes 1.10.0+.
6060

6161
As a pre-requisite it needs a Kubernetes cluster (you can create one using [Pipeline](https://github.com/banzaicloud/pipeline)).
6262
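Review bot: On new line 59 the "Minikube v0.33.1+ and Kubernetes 1.10.0+" minimums are carried over verbatim from the 1.1.9 sentence while only the branch and Istio version were updated. Please confirm these minimums still hold for Istio 1.2.2 and update them in this change if they do not, since this is the line users read before installing.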

config/README.md

Lines changed: 9 additions & 9 deletions
@@ -6,28 +6,28 @@ Firstly, you'll need to install the necessary crds and namespace with the follow
66

77
```
88
bases:
9-
- github.com/banzaicloud/istio-operator/config?ref=release-1.1
9+
- github.com/banzaicloud/istio-operator/config?ref=release-1.2
1010
```
11-
11+
1212
Secondly, you can install the operator with multiple possible configurations with the use of overlays (choose one option).
13-
13+
1414
- `basic`: installs the clusterrole, clusterrolebinding and statefulset for the operator
15-
15+
1616
```
1717
bases:
18-
- github.com/banzaicloud/istio-operator/config/overlays/basic?ref=release-1.1
18+
- github.com/banzaicloud/istio-operator/config/overlays/basic?ref=release-1.2
1919
```
2020

2121
- `auth-proxy-enabled`: besides the basic configs, installs the auth proxy resources as well
22-
22+
2323
```
2424
bases:
25-
- github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.1
25+
- github.com/banzaicloud/istio-operator/config/overlays/auth-proxy-enabled?ref=release-1.2
2626
```
2727

2828
- `prometheus-scpraping-enabled`: besides the basic configs, enables Prometheus scraping for the manager pod
29-
29+
3030
```
3131
bases:
32-
- github.com/banzaicloud/istio-operator/config/overlays/prometheus-scpraping-enabled?ref=release-1.1
32+
- github.com/banzaicloud/istio-operator/config/overlays/prometheus-scpraping-enabled?ref=release-1.2
3333
```
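Review bot: All four `bases:` entries (lines 9, 18, 25 and 32) use `?ref=release-1.2`, which is a branch name, so the manifests a user applies can change after they were reviewed. Suggest documenting a tag or commit SHA as the `ref` once one exists for 1.2, or adding a sentence that tells readers the branch ref is mutable and how to pin it. The changes on lines 11, 13, 15, 22 and 29 appear to be whitespace-only.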

config/base/crds/istio_v1beta1_istio.yaml

Lines changed: 112 additions & 1 deletion
@@ -61,8 +61,19 @@ spec:
6161
type: string
6262
enabled:
6363
type: boolean
64+
healthCheck:
65+
description: Enable health checking on the Citadel CSR signing API.
66+
https://istio.io/docs/tasks/security/health-check/
67+
type: boolean
6468
image:
6569
type: string
70+
maxWorkloadCertTTL:
71+
description: Citadel uses a flag max-workload-cert-ttl to control
72+
the maximum lifetime for Istio certificates issued to workloads.
73+
The default value is 90 days. If workload-cert-ttl on Citadel
74+
or node agent is greater than max-workload-cert-ttl, Citadel will
75+
fail issuing the certificate.
76+
type: string
6677
nodeSelector:
6778
type: object
6879
resources:
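Review bot: `maxWorkloadCertTTL` (lines 70-76) is a bare `type: string` with no `pattern`, although `dnsRefreshRate`, added further down in this same file, gets one. A malformed value would pass CRD validation and only surface when it reaches Citadel. Suggest adding a `pattern` for the accepted duration format and showing that format in the description, which currently says "90 days" without saying how the value should be written.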
@@ -71,6 +82,12 @@ spec:
7182
items:
7283
type: object
7384
type: array
85+
workloadCertTTL:
86+
description: For the workloads running in Kubernetes, the lifetime
87+
of their Istio certificates is controlled by the workload-cert-ttl
88+
flag on Citadel. The default value is 90 days. This value should
89+
be no greater than max-workload-cert-ttl of Citadel.
90+
type: string
7491
type: object
7592
controlPlaneSecurityEnabled:
7693
description: ControlPlaneSecurityEnabled control plane services are
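Review bot: The `workloadCertTTL` description (lines 86-89) says the value "should be no greater than max-workload-cert-ttl", and the `maxWorkloadCertTTL` description says Citadel will fail issuing the certificate otherwise, but nothing in the schema ties the two fields together. Suggest checking the ordering in the operator's own validation and rejecting the resource with a clear message, rather than leaving it to a certificate issuance failure at runtime. Like `maxWorkloadCertTTL`, this field also has no `pattern`.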
@@ -263,6 +280,51 @@ spec:
263280
type: object
264281
type: array
265282
type: object
283+
localityLB:
284+
description: Locality based load balancing distribution or failover
285+
settings.
286+
properties:
287+
distribute:
288+
description: 'Optional: only one of distribute or failover can be
289+
set. Explicitly specify loadbalancing weight across different
290+
zones and geographical locations. Refer to [Locality weighted
291+
load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight)
292+
If empty, the locality weight is set according to the endpoints
293+
number within it.'
294+
items:
295+
properties:
296+
from:
297+
description: Originating locality, '/' separated, e.g. 'region/zone'.
298+
type: string
299+
to:
300+
description: Map of upstream localities to traffic distribution
301+
weights. The sum of all weights should be == 100. Any locality
302+
not assigned a weight will receive no traffic.
303+
type: object
304+
type: object
305+
type: array
306+
enabled:
307+
description: If set to true, locality based load balancing will
308+
be enabled
309+
type: boolean
310+
failover:
311+
description: 'Optional: only failover or distribute can be set.
312+
Explicitly specify the region traffic will land on when endpoints
313+
in local region becomes unhealthy. Should be used together with
314+
OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection
315+
specified, this will not take effect.'
316+
items:
317+
properties:
318+
from:
319+
description: Originating region.
320+
type: string
321+
to:
322+
description: Destination region the traffic will fail over
323+
to when endpoints in the 'from' region becomes unhealthy.
324+
type: string
325+
type: object
326+
type: array
327+
type: object
266328
meshExpansion:
267329
description: If set to true, the pilot and citadel mtls will be exposed
268330
on the ingress gateway also the remote istios will be connected through
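Review bot: Lines 288 and 311 both state that only one of `distribute` or `failover` can be set, but the schema accepts a resource that sets both. Likewise `to` under `distribute` (lines 299-303) is an untyped `object` even though it is described as a map of localities to weights that should sum to 100. If the CRD schema cannot express these rules, the operator should check them; `to` could at least be constrained to integer values. Wording: "becomes unhealthy" on lines 313 and 323 should read "become unhealthy".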
@@ -283,6 +345,10 @@ spec:
283345
minReplicas:
284346
format: int32
285347
type: integer
348+
multiClusterSupport:
349+
description: Turn it on if you use mixer that supports multi cluster
350+
telemetry
351+
type: boolean
286352
nodeSelector:
287353
type: object
288354
replicaCount:
@@ -367,12 +433,35 @@ spec:
367433
proxy:
368434
description: Proxy configuration options
369435
properties:
436+
componentLogLevel:
437+
description: Per Component log level for proxy, applies to gateways
438+
and sidecars. If a component level is not set, then the "LogLevel"
439+
will be used. If left empty, "misc:error" is used.
440+
type: string
441+
dnsRefreshRate:
442+
description: Configure the DNS refresh rate for Envoy cluster of
443+
type STRICT_DNS This must be given it terms of seconds. For example,
444+
300s is valid but 5m is invalid.
445+
pattern: ^[0-9]{1,5}s$
446+
type: string
370447
enableCoreDump:
371448
description: If set, newly injected sidecars will have core dumps
372449
enabled.
373450
type: boolean
374451
image:
375452
type: string
453+
logLevel:
454+
description: 'Log level for proxy, applies to gateways and sidecars.
455+
If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
456+
enum:
457+
- trace
458+
- debug
459+
- info
460+
- warning
461+
- error
462+
- critical
463+
- "off"
464+
type: string
376465
privileged:
377466
description: If set to true, istio-proxy container will have privileged
378467
securityContext
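Review bot: The `dnsRefreshRate` pattern on line 445, `^[0-9]{1,5}s$`, also accepts `0s` and `00000s`. If a zero refresh rate is not meaningful, tighten it (for example `^[1-9][0-9]{0,4}s$`) or reject zero in the operator. In the description on lines 442-444, "STRICT_DNS This" needs a full stop and "given it terms of" should be "given in terms of". `componentLogLevel` has no validation at all, although its description implies a `component:level` format ("misc:error"); a documented format or a `pattern` would help.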
@@ -391,6 +480,8 @@ spec:
391480
will be distributed through the SecretDiscoveryService instead of
392481
using K8S secrets to mount the certificates
393482
properties:
483+
customTokenDirectory:
484+
type: string
394485
enabled:
395486
description: If set to true, mTLS certificates for the sidecars
396487
will be distributed through the SecretDiscoveryService instead
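Review bot: `customTokenDirectory` (lines 483-484) is added without a `description`, unlike the other properties introduced in this file. Please document what the directory is expected to contain, where the path is resolved, and what happens when the field is left empty.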
@@ -420,9 +511,21 @@ spec:
420511
properties:
421512
affinity:
422513
type: object
514+
alwaysInjectSelector:
515+
description: 'AlwaysInjectSelector: Forces the injection on pods
516+
whose labels match this selector. It''s an array of label selectors,
517+
that will be OR''ed, meaning we will iterate over it and stop
518+
at the first match'
519+
items:
520+
type: object
521+
type: array
423522
autoInjectionPolicyEnabled:
424523
description: This controls the 'policy' in the sidecar injector
425524
type: boolean
525+
enableNamespacesByDefault:
526+
description: This controls whether the webhook looks for namespaces
527+
for injection enabled or disabled
528+
type: boolean
426529
enabled:
427530
type: boolean
428531
image:
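Review bot: The `enableNamespacesByDefault` description (lines 526-527) does not say which behaviour `true` selects; "looks for namespaces for injection enabled or disabled" can be read either way. Because this flag changes which namespaces the injection webhook acts on, please spell out the effect of `true`, the effect of `false`, and the default. For `alwaysInjectSelector`, `items` is an untyped `object`; if these are standard Kubernetes label selectors, say so in the description.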
@@ -460,6 +563,14 @@ spec:
460563
description: Logging level for CNI binary
461564
type: string
462565
type: object
566+
neverInjectSelector:
567+
description: 'NeverInjectSelector: Refuses the injection on pods
568+
whose labels match this selector. It''s an array of label selectors,
569+
that will be OR''ed, meaning we will iterate over it and stop
570+
at the first match Takes precedence over AlwaysInjectSelector.'
571+
items:
572+
type: object
573+
type: array
463574
nodeSelector:
464575
type: object
465576
replicaCount:
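Review bot: On line 570 the sentence "Takes precedence over AlwaysInjectSelector." is fused onto "at the first match" with no full stop, which makes the precedence rule easy to miss. A match here excludes a pod from injection even when `alwaysInjectSelector` also matches, so the rule deserves its own sentence, and the `alwaysInjectSelector` description should mention the same precedence.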
@@ -533,7 +644,7 @@ spec:
533644
type: boolean
534645
version:
535646
description: Contains the intended Istio version
536-
pattern: ^1.1
647+
pattern: ^1.2
537648
type: string
538649
watchAdapterCRDs:
539650
description: Whether or not to establish watches for adapter-specific
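Review bot: The new pattern on line 647, `^1.2`, has an unescaped dot and no end anchor, so it matches any string that begins with `1`, then any single character, then `2`, for example `1x2` or `1.20.0`. Suggest something like `^1\.2(\.[0-9]+)?$` so that only 1.2 and 1.2.x values pass. Separately, existing resources whose `version` starts with `1.1` will no longer validate against this schema, so the upgrade steps for them should be documented alongside this change.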

config/base/crds/istio_v1beta1_remoteistio.yaml

Lines changed: 60 additions & 0 deletions
@@ -61,8 +61,19 @@ spec:
6161
type: string
6262
enabled:
6363
type: boolean
64+
healthCheck:
65+
description: Enable health checking on the Citadel CSR signing API.
66+
https://istio.io/docs/tasks/security/health-check/
67+
type: boolean
6468
image:
6569
type: string
70+
maxWorkloadCertTTL:
71+
description: Citadel uses a flag max-workload-cert-ttl to control
72+
the maximum lifetime for Istio certificates issued to workloads.
73+
The default value is 90 days. If workload-cert-ttl on Citadel
74+
or node agent is greater than max-workload-cert-ttl, Citadel will
75+
fail issuing the certificate.
76+
type: string
6677
nodeSelector:
6778
type: object
6879
resources:
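Review bot: `maxWorkloadCertTTL` (lines 70-76) again has no `pattern`, and the properties added throughout this file repeat those in config/base/crds/istio_v1beta1_istio.yaml word for word, including the description typos. If both CRDs are generated from shared type definitions, fix the validation and wording at the source so the two schemas cannot drift; if they are edited by hand, a check that compares the shared sections would catch divergence.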
@@ -71,6 +82,12 @@ spec:
7182
items:
7283
type: object
7384
type: array
85+
workloadCertTTL:
86+
description: For the workloads running in Kubernetes, the lifetime
87+
of their Istio certificates is controlled by the workload-cert-ttl
88+
flag on Citadel. The default value is 90 days. This value should
89+
be no greater than max-workload-cert-ttl of Citadel.
90+
type: string
7491
type: object
7592
defaultResources:
7693
description: DefaultResources are applied for all Istio components by
@@ -106,12 +123,35 @@ spec:
106123
proxy:
107124
description: Proxy configuration options
108125
properties:
126+
componentLogLevel:
127+
description: Per Component log level for proxy, applies to gateways
128+
and sidecars. If a component level is not set, then the "LogLevel"
129+
will be used. If left empty, "misc:error" is used.
130+
type: string
131+
dnsRefreshRate:
132+
description: Configure the DNS refresh rate for Envoy cluster of
133+
type STRICT_DNS This must be given it terms of seconds. For example,
134+
300s is valid but 5m is invalid.
135+
pattern: ^[0-9]{1,5}s$
136+
type: string
109137
enableCoreDump:
110138
description: If set, newly injected sidecars will have core dumps
111139
enabled.
112140
type: boolean
113141
image:
114142
type: string
143+
logLevel:
144+
description: 'Log level for proxy, applies to gateways and sidecars.
145+
If left empty, "warning" is used. Expected values are: trace|debug|info|warning|error|critical|off'
146+
enum:
147+
- trace
148+
- debug
149+
- info
150+
- warning
151+
- error
152+
- critical
153+
- "off"
154+
type: string
115155
privileged:
116156
description: If set to true, istio-proxy container will have privileged
117157
securityContext
@@ -130,9 +170,21 @@ spec:
130170
properties:
131171
affinity:
132172
type: object
173+
alwaysInjectSelector:
174+
description: 'AlwaysInjectSelector: Forces the injection on pods
175+
whose labels match this selector. It''s an array of label selectors,
176+
that will be OR''ed, meaning we will iterate over it and stop
177+
at the first match'
178+
items:
179+
type: object
180+
type: array
133181
autoInjectionPolicyEnabled:
134182
description: This controls the 'policy' in the sidecar injector
135183
type: boolean
184+
enableNamespacesByDefault:
185+
description: This controls whether the webhook looks for namespaces
186+
for injection enabled or disabled
187+
type: boolean
136188
enabled:
137189
type: boolean
138190
image:
@@ -170,6 +222,14 @@ spec:
170222
description: Logging level for CNI binary
171223
type: string
172224
type: object
225+
neverInjectSelector:
226+
description: 'NeverInjectSelector: Refuses the injection on pods
227+
whose labels match this selector. It''s an array of label selectors,
228+
that will be OR''ed, meaning we will iterate over it and stop
229+
at the first match Takes precedence over AlwaysInjectSelector.'
230+
items:
231+
type: object
232+
type: array
173233
nodeSelector:
174234
type: object
175235
replicaCount:

config/base/manager/manager.yaml

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@ spec:
3636
containers:
3737
- command:
3838
- /manager
39-
image: banzaicloud/istio-operator:latest-1.1
39+
image: banzaicloud/istio-operator:latest-1.2
4040
imagePullPolicy: Always
4141
name: manager
4242
env:
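Review bot: `banzaicloud/istio-operator:latest-1.2` on line 39 is a floating tag, and with `imagePullPolicy: Always` on line 40 every pod restart can pull a different build of the operator than the one that was tested. For the base manifest that users consume through the kustomize refs, suggest a fixed version tag or an image digest, and keep `latest-1.2` for a development overlay.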
