[dev-v2.10 ] rancher-istio 105.6.0+up1.25.0 create (#5616)

Author: diogoasouza

assets/logos/rancher-istio.svg

@@ -0,0 +1,24 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: Istio
+  catalog.cattle.io/kube-version: '>= 1.29.0-0 < 1.32.0-0'
+  catalog.cattle.io/namespace: istio-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+  catalog.cattle.io/release-name: rancher-istio
+  catalog.cattle.io/requests-cpu: 710m
+  catalog.cattle.io/requests-memory: 2314Mi
+  catalog.cattle.io/type: cluster-tool
+  catalog.cattle.io/ui-component: istio
+  catalog.cattle.io/upstream-version: 1.25.0
+apiVersion: v1
+appVersion: 1.25.0
+description: A basic Istio setup that installs with the istioctl. Refer to https://istio.io/latest/
+  for details.
+icon: file://assets/logos/rancher-istio.svg
+keywords:
+- networking
+- infrastructure
+name: rancher-istio
+version: 105.6.0+up1.25.0

assets/rancher-istio/rancher-istio-105.6.0+up1.25.0.tgz

@@ -0,0 +1,79 @@
+# Rancher-Istio Chart
+
+Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization.
+
+See the app-readme for known issues and deprecations.
+
+## Installation Requirements
+
+#### Chart Dependencies
+- rancher-monitoring chart or other Prometheus installation
+
+#### Install
+To install the rancher-istio chart with helm, use the following command:
+```
+helm install rancher-istio <location/of/the/rancher-istio/chart> --create-namespace -n istio-system
+```
+
+#### Uninstall
+To ensure rancher-istio uninstalls correctly, you must uninstall rancher-istio prior to uninstalling chart dependencies (see chart dependencies for list of dependencies). This is because all definitions need to be available in order to properly build the rancher-istio objects for removal.
+
+**If you remove dependent CRD charts prior to removing rancher-istio, you may encounter the following error:**
+`Error: uninstallation completed with 1 error(s): unable to build kubernetes objects for delete: unable to recognize "": no matches for kind   "MonitoringDashboard" in version "monitoring.kiali.io/v1alpha1"`
+
+## Addons
+The addons that are included with rancher-istio are:
+
+- Kiali
+- Jaeger
+
+Each addon has additional customization and dependencies required for them to work as expected. Use the values.yaml to customize or to enable/disable each addon.
+### Kiali Addon
+
+Kiali allows you to view and manage your istio-based service mesh through an easy to use dashboard.
+
+####  Kiali Dependencies
+##### rancher-monitoring chart or other Prometheus installation
+
+This dependecy installs the required CRDs for installing Kiali. Since Kiali is bundled in with Istio in this chart, if you do not have these dependencies installed, your Istio installation will fail. If you do not plan on using Kiali, set `kiali.enabled=false` when installing Istio for a succesful installation.
+
+####  Prometheus Configuration for Kiali
+> **Note:** The following configuration options assume you have installed the dependecies for Kiali. Please ensure you have Promtheus in your cluster before proceeding.
+
+The Rancher Monitoring app sets `prometheus.prometheusSpec.ignoreNamespaceSelectors=false` which means all namespaces will be scraped by Prometheus by default. This ensures you can view traffic, metrics and graphs for resources deployed in other namespaces.
+
+To limit scraping to specific namespaces, set `prometheus.prometheusSpec.ignoreNamespaceSelectors=true` and add one of the following configurations to ensure you can continue to view traffic, metrics and graphs for your deployed resources. 
+
+1. Add a Service Monitor or Pod Monitor in the namespace with the targets you want to scrape.
+1. Add an additionalScrapeConfig to your rancher-monitoring instance to scrape all targets in all namespaces.
+
+####  Kiali External Services
+
+The external services that can be configured in Kiali are: Prometheus, Grafana and Tracing.
+
+##### Prometheus
+The `kiali.external_services.prometheus` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-prometheus.{{ .Values.namespaceOverride }}.svc:{{ prometheus.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `prometheus.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Grafana
+The `kiali.external_services.grafana` url is set in the values.yaml:
+```
+http://{{ .Values.nameOverride }}-grafana.{{ .Values.namespaceOverride }}.svc:{{ grafana.service.port }}
+```
+The url depends on the default values for `nameOverride`, `namespaceOverride`, and `grafana.service.port` being set in your rancher-monitoring or other monitoring instance.
+
+##### Tracing
+The `kiali.external_services.tracing` url and `.Values.tracing.contextPath` is set in the rancher-istio values.yaml:
+```
+http://tracing.{{ .Values.namespaceOverride }}.svc:{{ .Values.service.externalPort }}/{{ .Values.tracing.contextPath }}
+```
+The url depends on the default values for `namespaceOverride`, and `.Values.service.externalPort` being set in your rancher-tracing or other tracing instance.
+
+## Jaeger Addon
+
+Jaeger allows you to trace and monitor distributed microservices.
+
+> **Note:** This addon is using the all-in-one Jaeger installation which is not qualified for production. Use the [Jaeger Tracing](https://www.jaegertracing.io/docs/1.21/getting-started/) documentation to determine which installation you will need for your production needs.

charts/rancher-istio/105.6.0+up1.25.0/Chart.yaml

@@ -0,0 +1,65 @@
+# Rancher Istio
+
+Our [Istio](https://istio.io/) installer wraps the istioctl binary commands in a handy helm chart, including an overlay file option to allow complex customization. It also includes:
+* **[Kiali](https://kiali.io/)**: Used for graphing traffic flow throughout the mesh
+* **[Jaeger](https://www.jaegertracing.io/)**: A quick start, all-in-one installation used for tracing distributed system. This is not production qualified, please refer to jaeger documentation to determine which installation you may need instead.
+
+For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/integrations-in-rancher/istio).
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
+
+## Warnings
+- Upgrading across more than two minor versions (e.g., 1.6.x to 1.9.x) in one step is not officially tested or recommended. See [Istio upgrade docs](https://istio.io/latest/docs/setup/upgrade/) for more details.
+
+## Known Issues
+
+#### Airgapped Environments
+**A temporary fix has been added to this chart to allow upgrades to succeed in an airgapped environment. See [this issue](https://github.com/rancher/rancher/issues/30842) for details.** We are still advocating for an upstream fix in Istio to formally resolve this issue. The root cause is the Istio Operator upgrade command reaches out to an external repo on upgrades and the external repo is not configurable. We are tracking the fix for this issue [here](https://github.com/rancher/rancher/issues/33402)
+
+#### Installing Istio with CNI component enabled on RHEL 8.4 SElinux enabled cluster.
+To install istio with CNI enabled, e.g. when cluster has a default PSP set to "restricted", on a cluster using nodes with RHEL 8.4 SElinux enabled, run the following command on each cluster node before creating a cluster.
+`mkdir -p /var/run/istio-cni && semanage fcontext -a -t container_file_t /var/run/istio-cni && restorecon -v /var/run/istio-cni`
+See [this issue](https://github.com/rancher/rancher/issues/33291) for details.
+
+## Installing istio with distroless-images.
+Istio `105.6.0+up1.25.0` uses distroless images for `istio-proxyv2`, `istio-install-cni` and `istio-pilot`. Distroless images don't have the common debugging tools like `bash`, `curl`, etc. If you wish to troubleshoot Istio, you can switch to regular images by updating `values.yaml` file.
+
+## Deprecations
+
+#### v1alpha1 security policies
+As of 1.6, Istio removed support for `v1alpha1` security policies resource and replaced the API with `v1beta1` authorization policies. https://istio.io/latest/docs/reference/config/security/authorization-policy/
+
+If you are currently running rancher-istio <= 1.7.x, you need to migrate any existing `v1alpha1` security policies to `v1beta1` authorization policies prior to upgrading to the next minor version.
+
+> **Note:** If you attempt to upgrade prior to migrating your policy resources, you might see errors similar to:
+```
+Error: found 6 CRD of unsupported v1alpha1 security policy
+```
+```
+ Error: found 1 unsupported v1alpha1 security policy
+ ```
+ ```
+ Control Plane - policy pod - istio-policy - version: x.x.x does not match the target version x.x.x
+ ```
+ Continue with the migration steps below before retrying the upgrade process.
+
+#### Migrating Resources:
+Migration steps can be found in this [istio blog post](https://istio.io/latest/blog/2021/migrate-alpha-policy/ "istio blog post").
+
+You can also use these [quick steps](https://github.com/rancher/rancher/issues/34699#issuecomment-921995917 "quick steps") to determine if you need to follow the more extensive migration steps.

charts/rancher-istio/105.6.0+up1.25.0/README.md

@@ -0,0 +1,28 @@
+annotations:
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/requires-gvr: monitoring.coreos.com.prometheus/v1
+  catalog.rancher.io/namespace: cattle-istio-system
+  catalog.rancher.io/release-name: rancher-kiali-server
+apiVersion: v2
+appVersion: v2.7.1
+description: Kiali is an open source project for service mesh observability, refer
+  to https://www.kiali.io for details. This is installed as sub-chart with customized
+  values in Rancher's Istio.
+home: https://github.com/kiali/kiali
+icon: https://raw.githubusercontent.com/kiali/kiali.io/current/assets/icons/logo.svg
+keywords:
+- istio
+- kiali
+- networking
+- infrastructure
+maintainers:
+- email: [email protected]
+  name: Kiali
+  url: https://kiali.io
+name: kiali
+sources:
+- https://github.com/kiali/kiali
+- https://github.com/kiali/kiali-operator
+- https://github.com/kiali/helm-charts
+version: 2.7.1

charts/rancher-istio/105.6.0+up1.25.0/app-readme.md

@@ -0,0 +1,20 @@
+Welcome to Kiali! For more details on Kiali, see: https://kiali.io
+
+The Kiali Server [{{ .Chart.AppVersion }}] has been installed in namespace [{{ .Release.Namespace }}]. It will be ready soon.
+
+{{- if not .Values.deployment.cluster_wide_access }}
+===============
+!!! WARNING !!!
+===============
+This Kiali Server Helm Chart does NOT support "deployment.cluster_wide_access" set to "false"!
+
+This feature, as well as others, is only available when using the Kiali Operator to install
+the Kiali Server. It is for this reason this Kiali Server Helm Chart, while provided for
+convenience, is not the recommended installation mechanism for installing the Kiali Server.
+{{- end }}
+
+When installing with "deployment.cluster_wide_access=false" using this Kiali Server Helm Chart,
+it is your responsibility to manually create the proper Roles and RoleBindings for the Kiali Server
+to have the correct permissions to access the service mesh namespaces.
+
+(Helm: Chart=[{{ .Chart.Name }}], Release=[{{ .Release.Name }}], Version=[{{ .Chart.Version }}])