diff --git a/answers.md b/answers.md
index 93e86a8..d141d63 100644
--- a/answers.md
+++ b/answers.md
@@ -1,55 +1,69 @@ # Answers -Nom : -Prénom : -NB : +Nom : Seweryn +Prénom : Antoine +NB : 7 # 1. -A quoi sert l'A/B testing ? +A quoi sert l'A/B testing ? On test deux modèle de machine learning pour voir lequel présente le meilleur taux de conversion. Comment appliquer de l'A/B testing grâce à Istio ? +n crée deux routes avec 2 versions qui ont un poids entre 0 et 100. La somme des 2 routes doit avoir un poids de 100. # 2. Comment simuler un problème de timeout avec Istio ? +Avec un outil de fault injection. Comment le résoudre ? +En changeant les timeouts dans les configs des applications ou en optimisant leur vitesse. # 3. Qu'est-ce que le canary release ? +Lorsque l'on veut mettre en prod un nouveau service, on redirige une partie du flux des visiteurs vers le nouveau service (environ 5%) et si le service génère des erreurs 4XX ou 5XX alors on peut rediriger le flux vers l'ancien service En quoi est-ce utile ? +A tester 1 nouveau service et limiter au maximum les effets secondaires du nouveau service. Comment l'implémenter dans Istio ? +Comme pour l'A/B testing. La v1 va avoir un poids de 90 et la v2 de 10 par exemple. # 4. # 5. Qu'est-ce qu'un Circuit Breaker ? +Une sécurité qui se déclenche lorsqu'un appele à un micro service met trop de temps à répondre. Lorsque des erreurs sont détectées, le circuit breaker bloque l'accès au service et la page demandée par l'utilisateur pourra quand même être affichée sans le service en question. Comment l'implémenter dans un contexte Kubernetes ? +Opération dans la config de Kubernetes. # 6. Pourquoi avoir besoin de mirrorer le traffic vers un autre composant ? # 7. Pourquoi bloquer le traffic vers un service ? +pour eviter que les retard s'accumulent, si d'autres services en dépendent ils vont eux aussi être ralenti. Comment l'implémenter simplement avec Istio ? + En n'exposant pas le port de ce service. # 8. Quel est la problématique de tracing distribué ? 
+ Comprendre le comportement d'une appli et résoudre des problèmes. Quel est la spécification du tracing distribué et son implémentation dans Istio ? +n dashboard récapitule tous les appels aux applcations du cluster. # 9. Comment s'appelle l'outil de récupération des métrics ? +Prometheus # 10. # 11. Comment s'appelle l'outil de visualisation des métrics ? +Prometheus # 12. -A quoi sert un servicegraph ? +A quoi sert un servicegraph ? La visualisation dans un graphe du traffic des données. Quel serait l'utilité dans le quotidien d'un ops ? diff --git a/answers.md~ b/answers.md~ new file mode 100644 index 0000000..d13d8d6 --- /dev/null +++ b/answers.md~ 
@@ -0,0 +1,69 @@
+# Answers
+
+Nom : Seweryn
+Prénom : Antoine
+NB : 7
+
+# 1.
+A quoi sert l'A/B testing ? On test deux modèle de machine learning pour voir lequel présente le meilleur taux de conversion.
+
+Comment appliquer de l'A/B testing grâce à Istio ?
+n crée deux routes avec 2 versions qui ont un poids entre 0 et 100. La somme des 2 routes doit avoir un poids de 100.
+
+# 2.
+Comment simuler un problème de timeout avec Istio ?
+Avec un outil de fault injection.
+
+Comment le résoudre ?
+En changeant les timeouts dans les configs des applications ou en optimisant leur vitesse.
+
+# 3.
+Qu'est-ce que le canary release ?
+Lorsque l'on veut mettre en prod un nouveau service, on redirige une partie du flux des visiteurs vers le nouveau service (environ 5%) et si le service génère des erreurs 4XX ou 5XX alors on peut rediriger le flux vers l'ancien service
+
+En quoi est-ce utile ?
+A tester 1 nouveau service et limiter au maximum les effets secondaires du nouveau service.
+
+Comment l'implémenter dans Istio ?
+Comme pour l'A/B testing. La v1 va avoir un poids de 90 et la v2 de 10 par exemple.
+
+# 4.
+
+# 5.
+Qu'est-ce qu'un Circuit Breaker ?
+Une sécurité qui se déclenche lorsqu'un appele à un micro service met trop de temps à répondre. Lorsque des erreurs sont détectées, le circuit breaker bloque l'accès au service et la page demandée par l'utilisateur pourra quand même être affichée sans le service en question.
+
+Comment l'implémenter dans un contexte Kubernetes ?
+Opération dans la config de Kubernetes.
+
+# 6.
+Pourquoi avoir besoin de mirrorer le traffic vers un autre composant ?
+
+# 7.
+Pourquoi bloquer le traffic vers un service ?
+pour eviter que les retard s'accumulent, si d'autres services en dépendent ils vont eux aussi être ralenti.
+
+Comment l'implémenter simplement avec Istio ?
+ En n'exposant pas le port de ce service.
+
+# 8.
+Quel est la problématique de tracing distribué ?
+ Comprendre le comportement d'une appli et résoudre des problèmes.
+
+Quel est la spécification du tracing distribué et son implémentation dans Istio ?
+n dashboard récapitule tous les appels aux applcations du cluster.
+
+# 9.
+Comment s'appelle l'outil de récupération des métrics ?
+Prometheus
+
+# 10.
+
+# 11.
+Comment s'appelle l'outil de visualisation des métrics ?
+Prometheus
+
+# 12.
+A quoi sert un servicegraph ?
+
+Quel serait l'utilité dans le quotidien d'un ops ?
diff --git a/istio-1.0.4/LICENSE b/istio-1.0.4/LICENSE
new file mode 100644
index 0000000..2c45691
--- /dev/null
+++ b/istio-1.0.4/LICENSE
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016 Istio Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/istio-1.0.4/README.md b/istio-1.0.4/README.md new file mode 100644 index 0000000..f3989eb --- /dev/null +++ b/istio-1.0.4/README.md 
@@ -0,0 +1,108 @@ +# Istio + +[![CircleCI](https://circleci.com/gh/istio/istio.svg?style=shield)](https://circleci.com/gh/istio/istio) +[![Go Report Card](https://goreportcard.com/badge/github.com/istio/istio)](https://goreportcard.com/report/github.com/istio/istio) +[![GoDoc](https://godoc.org/github.com/istio/istio?status.svg)](https://godoc.org/github.com/istio/istio) +[![codecov.io](https://codecov.io/github/istio/istio/coverage.svg?branch=master)](https://codecov.io/github/istio/istio?branch=master) + +An open platform to connect, manage, and secure microservices. + +- [Introduction](#introduction) +- [Repositories](#repositories) +- [Issue management](#issue-management) + +In addition, here are some other documents you may wish to read: + +- [Istio Community](https://github.com/istio/community) - describes how to get involved and contribute to the Istio project +- [Istio Developer's Guide](https://github.com/istio/istio/wiki/Dev-Guide) - explains how to set up and use an Istio development environment +- [Project Conventions](https://github.com/istio/istio/wiki/Dev-Conventions) - describes the conventions we use within the code base +- [Creating Fast and Lean Code](https://github.com/istio/istio/wiki/Dev-Writing-Fast-and-Lean-Code) - performance-oriented advice and guidelines for the code base + +You'll find many other useful documents on our [Wiki](https://github.com/istio/istio/wiki). + +## Introduction + +Istio is an open platform for providing a uniform way to integrate +microservices, manage traffic flow across microservices, enforce policies +and aggregate telemetry data. Istio's control plane provides an abstraction +layer over the underlying cluster management platform, such as Kubernetes, +Mesos, etc. + +Visit [istio.io](https://istio.io) for in-depth information about using Istio. 
+ +Istio is composed of these components: + +- **Envoy** - Sidecar proxies per microservice to handle ingress/egress traffic + between services in the cluster and from a service to external + services. The proxies form a _secure microservice mesh_ providing a rich + set of functions like discovery, rich layer-7 routing, circuit breakers, + policy enforcement and telemetry recording/reporting + functions. + + > Note: The service mesh is not an overlay network. It + > simplifies and enhances how microservices in an application talk to each + > other over the network provided by the underlying platform. + +- **Mixer** - Central component that is leveraged by the proxies and microservices + to enforce policies such as authorization, rate limits, quotas, authentication, request + tracing and telemetry collection. + +- **Pilot** - A component responsible for configuring the proxies at runtime. + +- **Citadel** - A centralized component responsible for certificate issuance and rotation. + +- **Node Agent** - A per-node component responsible for certificate issuance and rotation. + +Istio currently supports Kubernetes and Consul-based environments. We plan support for additional platforms such as +Cloud Foundry, and Mesos in the near future. + +## Repositories + +The Istio project is divided across a few GitHub repositories. + +- [istio/istio](README.md). This is the main repository that you are +currently looking at. It hosts Istio's core components and also +the sample programs and the various documents that govern the Istio open source +project. It includes: + - [security](security/). This directory contains security related code, +including Citadel (acting as Certificate Authority), node agent, etc. + - [pilot](pilot/). 
This directory +contains platform-specific code to populate the +[abstract service model](https://istio.io/docs/concepts/traffic-management/overview.html), dynamically reconfigure the proxies +when the application topology changes, as well as translate +[routing rules](https://istio.io/docs/reference/config/istio.networking.v1alpha3/) into proxy specific configuration. + - [istioctl](istioctl/). This directory contains code for the +[_istioctl_](https://istio.io/docs/reference/commands/istioctl.html) command line utility. + - [mixer](mixer/). This directory +contains code to enforce various policies for traffic passing through the +proxies, and collect telemetry data from proxies and services. There +are plugins for interfacing with various cloud platforms, policy +management services, and monitoring services. + +- [istio/api](https://github.com/istio/api). This repository defines +component-level APIs and common configuration formats for the Istio platform. + +- [istio/mixerclient](https://github.com/istio/mixerclient). Client libraries +(currently supports C++) for Mixer's API. + +- [istio/proxy](https://github.com/istio/proxy). The Istio proxy contains +extensions to the [Envoy proxy](https://github.com/envoyproxy/envoy) (in the form of +Envoy filters), that allow the proxy to delegate policy enforcement +decisions to Mixer. + +## Issue management + +We use GitHub combined with ZenHub to track all of our bugs and feature requests. Each issue we track has a variety of metadata: + +- **Epic**. An epic represents a feature area for Istio as a whole. Epics are fairly broad in scope and are basically product-level things. +Each issue is ultimately part of an epic. + +- **Milestone**. Each issue is assigned a milestone. This is 0.1, 0.2, ..., or 'Nebulous Future'. The milestone indicates when we +think the issue should get addressed. + +- **Priority/Pipeline**. Each issue has a priority which is represented by the Pipeline field within GitHub. 
Priority can be one of +P0, P1, P2, or >P2. The priority indicates how important it is to address the issue within the milestone. P0 says that the +milestone cannot be considered achieved if the issue isn't resolved. + +We don't annotate issues with Releases; Milestones are used instead. We don't use GitHub projects at all, that +support is disabled for our organization. diff --git a/istio-1.0.4/bin/istioctl b/istio-1.0.4/bin/istioctl new file mode 100755 index 0000000..5503f3e Binary files /dev/null and b/istio-1.0.4/bin/istioctl differ diff --git a/istio-1.0.4/install/README.md b/istio-1.0.4/install/README.md new file mode 100644 index 0000000..a336c8a --- /dev/null +++ b/istio-1.0.4/install/README.md 
@@ -0,0 +1,36 @@
+# Istio installation
+
+This directory contains the default Istio installation configuration in several
+different flavors. Also contained is the script for updating it.
+
+## updateVersion.sh
+
+The [updateVersion.sh](updateVersion.sh) script is used to update image versions in
+[../istio.VERSION](../istio.VERSION) and the istio installation yaml files.
+
+### Options
+
+* `-p ,` new pilot image
+* `-x ,` new mixer image
+* `-c ,` new ca image
+* `-a ,` specifies same hub and tag for pilot, mixer, proxy, and citadel containers
+* `-r ` new tag for proxy debian package
+* `-i ` new `istioctl` download URL
+* `-g` create a `git commit` titled "Updating istio version" for the changes
+* `-n` namespace in which to install Istio control plane components (defaults to istio-system)
+* `-s` check if template files have been updated with this tool
+* `-A` URL to download auth debian packages
+* `-P` URL to download pilot debian packages
+* `-E` URL to download proxy debian packages
+* `-d` directory to store updated/generated files (optional, defaults to source code tree)
+
+Default values for the `-p`, `-x`, `-c`, `-r`, and `-i` options are as specified in `istio.VERSION`
+(i.e., they are left unchanged).
+
+### Examples
+
+Update the pilot and istioctl:
+
+```
+./updateVersion.sh -p "docker.io/istio,2017-05-09-06.14.22" -i "https://storage.googleapis.com/istio-artifacts/dbcc933388561cdf06cbe6d6e1076b410e4433e0/artifacts/istioctl"
+```
diff --git a/istio-1.0.4/install/consul/README.md b/istio-1.0.4/install/consul/README.md
new file mode 100644
index 0000000..910726f
--- /dev/null
+++ b/istio-1.0.4/install/consul/README.md
@@ -0,0 +1,6 @@
+# Install Istio with Consul in a simple Docker Compose setup
+
+Please follow the installation instructions from [istio.io](https://istio.io/docs/setup/consul/).
+
+The install file `istio.yaml` deploys Istio Pilot, Consul, Registrator, and
+the Istio API server with etcd as Docker containers.
diff --git a/istio-1.0.4/install/consul/istio.yaml b/istio-1.0.4/install/consul/istio.yaml
new file mode 100644
index 0000000..9afa6fb
--- /dev/null
+++ b/istio-1.0.4/install/consul/istio.yaml
@@ -0,0 +1,91 @@
+# GENERATED FILE. Use with Docker-Compose and consul
+# TO UPDATE, modify files in install/consul/templates and run install/updateVersion.sh
+version: '2'
+services:
+ etcd:
+ image: quay.io/coreos/etcd:latest
+ networks:
+ istiomesh:
+ aliases:
+ - etcd
+ ports:
+ - "4001:4001"
+ - "2380:2380"
+ - "2379:2379"
+ environment:
+ - SERVICE_IGNORE=1
+ command: ["/usr/local/bin/etcd", "-advertise-client-urls=http://0.0.0.0:2379", "-listen-client-urls=http://0.0.0.0:2379"]
+
+ istio-apiserver:
+ image: gcr.io/google_containers/kube-apiserver-amd64:v1.7.3
+ networks:
+ istiomesh:
+ ipv4_address: 172.28.0.13
+ aliases:
+ - apiserver
+ ports:
+ - "8080:8080"
+ privileged: true
+ environment:
+ - SERVICE_IGNORE=1
+ command: ["kube-apiserver", "--etcd-servers", "http://etcd:2379", "--service-cluster-ip-range", "10.99.0.0/16", "--insecure-port", "8080", "-v", "2", "--insecure-bind-address", "0.0.0.0"]
+
+ consul:
+ image: gliderlabs/consul-server
+ networks:
+ istiomesh:
+ aliases:
+ - consul
+ ports:
+ - "8500:8500"
+ - "${DOCKER_GATEWAY}53:8600/udp"
+ - "8400:8400"
+ environment:
+ - SERVICE_IGNORE=1
+ command: ["-bootstrap"]
+
+ registrator:
+ image: gliderlabs/registrator:latest
+ networks:
+ istiomesh:
+ volumes:
+ - /var/run/docker.sock:/tmp/docker.sock
+ command: ["-internal", "-retry-attempts=-1", "consul://consul:8500"]
+
+ pilot:
+ image: docker.io/istio/pilot:1.0.4
+ networks:
+ istiomesh:
+ aliases:
+ - istio-pilot
+ expose:
+ - "15003"
+ - "15005"
+ - "15007"
+ ports:
+ - "8081:15007"
+ command: ["discovery",
+ "--httpAddr", ":15007",
+ "--registries", "Consul",
+ "--consulserverURL", "http://consul:8500",
+ "--kubeconfig", "/etc/istio/config/kubeconfig"
+ ]
+ volumes:
+ - ./kubeconfig:/etc/istio/config/kubeconfig
+
+ zipkin:
+ image: docker.io/openzipkin/zipkin:2.7
+ networks:
+ istiomesh:
+ aliases:
+ - zipkin
+ ports:
+ - "9411:9411"
+
+networks:
+ istiomesh:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.28.0.0/16
+ gateway: 172.28.0.1
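Review bot: The `istio-apiserver` service exposes an unauthenticated API endpoint to anything that can reach the Docker host on port 8080: it starts kube-apiserver with `--insecure-port 8080` and `--insecure-bind-address 0.0.0.0`, publishes it as `"8080:8080"`, and runs the container with `privileged: true`. The same exposure applies to etcd (plain-HTTP client URL on 0.0.0.0 with 2379, 2380 and 4001 published) and Consul (`"8500:8500"`), and `registrator` mounts `/var/run/docker.sock`, which gives that container control of the Docker daemon. Since the header marks the file as generated, the change belongs in the templates or a local compose override rather than here: publish on loopback only, for example `- "127.0.0.1:8080:8080"`, and drop `privileged: true` unless something is shown to need it. The two `:latest` images (`quay.io/coreos/etcd:latest`, `gliderlabs/registrator:latest`) should also be pinned to a fixed tag or digest so the demo stays reproducible.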
diff --git a/istio-1.0.4/install/consul/kubeconfig b/istio-1.0.4/install/consul/kubeconfig
new file mode 100644
index 0000000..5dd31e7
--- /dev/null
+++ b/istio-1.0.4/install/consul/kubeconfig
@@ -0,0 +1,11 @@
+apiVersion: v1
+clusters:
+- cluster:
+ server: http://istio-apiserver:8080
+ name: istio
+contexts:
+- context:
+ cluster: istio
+ user: ""
+ name: istio
+current-context: istio
\ No newline at end of file
diff --git a/istio-1.0.4/install/gcp/README.md b/istio-1.0.4/install/gcp/README.md
new file mode 100644
index 0000000..ee4fb3d
--- /dev/null
+++ b/istio-1.0.4/install/gcp/README.md
@@ -0,0 +1,4 @@
+# Google Cloud Platform Installation
+
+This directory contains contributed solutions for installing Istio that are
+specific to Google Cloud Platform.
diff --git a/istio-1.0.4/install/gcp/deployment_manager/README.md b/istio-1.0.4/install/gcp/deployment_manager/README.md
new file mode 100644
index 0000000..c30eae6
--- /dev/null
+++ b/istio-1.0.4/install/gcp/deployment_manager/README.md
@@ -0,0 +1,33 @@
+# Google Deployment Manager Template
+
+This directory contains a Google Cloud Deployment Manager template for getting
+up-and-running with a Google Cloud Kubernetes Engine cluster with Istio
+included.
+
+If you have the Google Cloud SDK installed (get it [here](https://cloud.google.com/sdk/)), you can create a new deployment via the command:
+```
+$ gcloud deployment-manager deployments create my-istio-deployment --config=istio-cluster.yaml
+```
+
+**NOTE:** You must grant your default compute service account
+the correct permissions before creating the deployment.
+Otherwise, the installation will fail. Make sure that your
+default compute service account (by default
+`[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`)
+includes the following roles:
+* `roles/container.admin` (Container Engine Admin)
+* `roles/editor` (included by default)
+
+You can set this permission by navigating to the [IAM
+section](https://console.cloud.google.com/permissions/projectpermissions)
+of the Google Cloud Console, viewing the permissions for your
+default compute service account
+(`[PROJECT_NUMBER]-compute@developer.gserviceaccount.com`), and
+making sure that both Editor (`roles/editor`) and Container
+Engine Admin (`roles/container.admin`) are selected.
+
+## Changing parameters
+See the file `istio-cluster.yaml` and `istio-cluster.schema` for details on customization. Note that you can override a parameter at the command line. For example:
+```
+$ gcloud deployment-manager deployments create my-istio-deployment --template=istio-cluster.jinja --properties enableMutualTLS:false,gkeClusterName:istio-gke
+```
diff --git a/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja
new file mode 100644
index 0000000..c4cfac4
--- /dev/null
+++ b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja
@@ -0,0 +1,140 @@ +{% set CLUSTER_NAME = env['deployment'] + '-' + env['name'] %} + +resources: + +- name: {{ properties['gkeClusterName'] }} + type: container.v1.cluster + properties: + zone: {{ properties['zone'] }} + cluster: + name: {{ properties['gkeClusterName'] }} + legacyAbac: + enabled: false + initialNodeCount: {{ properties['initialNodeCount'] }} + nodeConfig: + machineType: {{ properties["instanceType"] }} + oauthScopes: + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring + +- type: runtimeconfig.v1beta1.config + name: {{ CLUSTER_NAME }}-config + properties: + config: {{ CLUSTER_NAME }}-config + +- type: runtimeconfig.v1beta1.waiter + name: {{ CLUSTER_NAME }}-waiter + metadata: + dependsOn: + - {{ CLUSTER_NAME }}-config + properties: + parent: $(ref.{{ CLUSTER_NAME }}-config.name) + waiter: {{ CLUSTER_NAME }}-waiter + timeout: 600s + success: + cardinality: + path: /success + number: 1 + failure: + cardinality: + path: /failure + number: 1 + +- name: {{ CLUSTER_NAME }}-vm + type: compute.v1.instance + metadata: + dependsOn: + - {{ properties['gkeClusterName'] }} + properties: + zone: {{ properties['zone'] }} + machineType: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/zones/{{ properties["zone"] }}/machineTypes/{{ properties["instanceType"] }} + tags: + items: + - istio-init + serviceAccounts: + - email: "default" + scopes: + - https://www.googleapis.com/auth/cloud-platform + - https://www.googleapis.com/auth/compute + - https://www.googleapis.com/auth/logging.write + - https://www.googleapis.com/auth/monitoring + - https://www.googleapis.com/auth/servicecontrol + - https://www.googleapis.com/auth/service.management.readonly + - https://www.googleapis.com/auth/userinfo.email + + networkInterfaces: + - network: https://www.googleapis.com/compute/v1/projects/{{ env["project"] }}/global/networks/default + accessConfigs: + - name: External NAT + type: ONE_TO_ONE_NAT + disks: + - deviceName: 
boot + type: PERSISTENT + boot: true + autoDelete: true + initializeParams: + diskName: {{ CLUSTER_NAME }}-vm-disk + sourceImage: https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/family/debian-9 + metadata: + items: + - key: startup-script + value: | + #!/bin/bash -x + + apt-get update && apt-get install -y git google-cloud-sdk curl kubectl + + export HOME=/root + cd /root/ + + gcloud container clusters get-credentials {{ properties['gkeClusterName'] }} --zone {{ properties['zone'] }} + kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value core/account) + + wget https://github.com/istio/istio/releases/download/{{ properties['installIstioRelease'] }}/istio-{{ properties['installIstioRelease'] }}-linux.tar.gz + tar xzf istio-{{ properties['installIstioRelease'] }}-linux.tar.gz + + wget -P /root/helm/ https://storage.googleapis.com/kubernetes-helm/helm-v2.9.1-linux-amd64.tar.gz + tar xf /root/helm/helm-v2.9.1-linux-amd64.tar.gz -C /root/helm/ + + export PATH="$PATH:/root/istio-{{ properties['installIstioRelease'] }}/bin::/root/helm/linux-amd64/" + cd /root/istio-{{ properties['installIstioRelease'] }} + + kubectl create ns istio-system + + ISTIO_OPTIONS="" + + {% if properties['enableMutualTLS'] %} + ISTIO_OPTIONS=$ISTIO_OPTIONS" --set global.mtls.enabled=true" + {% endif %} + + {% if properties['enableAutomaticSidecarInjection'] %} + ISTIO_OPTIONS=$ISTIO_OPTIONS" --set sidecar-injector.enabled=true" + {% endif %} + + {% if properties['enableGrafana'] or properties['enablePrometheus'] %} + ISTIO_OPTIONS=$ISTIO_OPTIONS" --set prometheus.enabled=true" + {% endif %} + + {% if properties['enableGrafana'] %} + ISTIO_OPTIONS=$ISTIO_OPTIONS" --set grafana.enabled=true" + {% endif %} + + {% if properties['enableTracing'] %} + ISTIO_OPTIONS=$ISTIO_OPTIONS" --set tracing.enabled=true " + {% endif %} + + {% if properties['enableServiceGraph'] %} + ISTIO_OPTIONS=$ISTIO_OPTIONS" --set 
servicegraph.enabled=true" + {% endif %} + + helm template install/kubernetes/helm/istio --name istio --namespace istio-system $ISTIO_OPTIONS > istio.yaml + + kubectl apply -f istio.yaml + kubectl label namespace default istio-injection=enabled + + sleep 150 + + kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml + bin/istioctl create -f samples/bookinfo/networking/bookinfo-gateway.yaml + + gcloud beta runtime-config configs variables set success/{{ CLUSTER_NAME }}-waiter success --config-name $(ref.{{ CLUSTER_NAME }}-config.name) + gcloud -q compute instances delete {{ CLUSTER_NAME }}-vm --zone {{ properties['zone'] }} diff --git a/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja.display b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja.display new file mode 100644 index 0000000..101d9d4 --- /dev/null +++ b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja.display @@ -0,0 +1,146 @@ +metadataVersion: v1test + +description: + title: Istio on GKE + version: 0.0.1 + url: 'https://istio.io/' + tagline: Running Istio on GKE + descriptionHtml: 'GKE with Istio' + logo: 'https://avatars3.githubusercontent.com/u/23534644?s=100&v=4' + icon: 'https://avatars3.githubusercontent.com/u/23534644?s=100&v=4' + architectureDiagram: 'https://avatars3.githubusercontent.com/u/23534644?s=100&v=4' + architectureDescription: 'Istio is an open platform that provides a uniform way to connect, manage, and secure microservices. Istio supports managing traffic flows between microservices, enforcing access policies, and aggregating telemetry data, all without requiring changes to the microservice code.
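Review bot: The startup script in istio-cluster.jinja fetches the Istio and Helm tarballs with `wget` and unpacks them as root without checking a digest, on a VM whose service account has the `cloud-platform` scope and which has just bound its account to `cluster-admin`. A tampered or truncated archive would therefore run with control of the cluster and project-level credentials. I would pin a digest per release and verify it before extracting, e.g. `echo "<EXPECTED_SHA256>  istio-{{ properties['installIstioRelease'] }}-linux.tar.gz" | sha256sum -c - || exit 1` (placeholder digest), and do the same for the Helm archive. Separately, the `::` in the `export PATH=...` line adds an empty entry, which the shell treats as the current directory; a single `:` is what was meant. The script also has no `set -e`, so the final `gcloud beta runtime-config configs variables set success/...` runs even when an earlier step failed and the waiter's `/failure` path is never written.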
  • Note: You must set your compute service account with "Container Engine Admin" IAM Role.
  • For more information, see Quick Start with Google Kubernetes Engine
  • ' + author: + title: Google Click to Deploy + documentations: + - title: GKE Documentation + url: 'https://cloud.google.com/container-engine/' + description: Google Container Engine is a managed Kubernetes environment. + destinations: + - DESTINATION_SOLUTION_DETAILS + - DESTINATION_CONFIGURATION + - DESTINATION_POST_DEPLOY + - title: Istio Documentation + url: 'https://istio.io' + description: Istio provides an easy way to create a network of deployed services. + destinations: + - DESTINATION_SOLUTION_DETAILS + - DESTINATION_CONFIGURATION + - DESTINATION_POST_DEPLOY + support: + - title: Support + descriptionHtml: 'Google does not offer support for this solution. However, community support is available on Stack Overflow.

    Go to Stack Overflow' + softwareGroups: + - type: SOFTWARE_GROUP_OS + software: + - title: Container Optimized OS (COS) + url: 'https://cloud.google.com/container-optimized-os/docs/' + - software: + - title: Google Container Engine + url: 'https://cloud.google.com/container-engine/' + - software: + - title: Istio.io + url: 'https://istio.io' + licenseTitle: AGPL v3 + licenseUrl: 'https://github.com/istio/istio/blob/master/LICENSE' +input: + properties: + - name: gkeClusterName + title: GKE Cluster Name + tooltip: Name of the GKE Cluster + section: server + + - name: zone + title: Zone + tooltip: The zone determines what computing resources are available and where your data is stored and used. + section: server + + - name: initialNodeCount + title: Number of GKE nodes to run on + tooltip: GKE node count + section: server + + - name: instanceType + title: Node Machine Type + tooltip: GKE MachineType + section: server + + - name: enableBookInfoSample + title: Add BookInfo Sample Application + tooltip: Enable Istio BookInfo Sample application + section: APPLICATIONS_GROUP + + - name: enableAutomaticSidecarInjection + title: Enable Automatic Istio sidecar injection + tooltip: Enable automatic sidecar injection (requires GKE Alpha Clusters) + section: SECURITY + boolean_group: SECURITY_GROUP + + - name: enableMutualTLS + title: Enable mutualTLS authentication + tooltip: Enable mutualTLS on the cluster + section: SECURITY + boolean_group: SECURITY_GROUP + + - name: enablePrometheus + title: Enable Prometheus for metrics/logs collection + tooltip: Enable Prometheus on the cluster + section: MONITORING + boolean_group: MONITORING_GROUP + + - name: enableGrafana + title: Enable Grafana for metrics display + tooltip: Enable Grafana on the cluster + section: MONITORING + boolean_group: MONITORING_GROUP + + - name: enableGrafana + title: Enable Grafana for metrics display + tooltip: Enable Grafana on the cluster + section: MONITORING + boolean_group: MONITORING_GROUP + + - 
name: enableTracing + title: Enable Tracing + tooltip: Enable Tracing on the cluster + section: MONITORING + boolean_group: MONITORING_GROUP + + - name: enableServiceGraph + title: Enable ServiceGraph for deployment visualization + tooltip: Enable ServiceGraph on the cluster + section: MONITORING + boolean_group: MONITORING_GROUP + + sections: + - name: server + title: Baseline GKE Cluster config + tooltip: This section contains input properties related to basic GKE cluster + - name: MONITORING + title: Monitoring, Logging and Tracing + tooltip: This section contains input properties related to Monitoring, Logging and Tracing plugins + - name: SECURITY + title: Security + tooltip: This section contains input properties related to security plugins. + - name: APPLICATIONS_GROUP + title: Install Applications + tooltip: This section contains input properties related to adding in additional applications to the cluster. + + boolean_groups: + - name: SECURITY_GROUP + title: Security + tooltip: 'Security related plugins. Learn more' + subtext: Add optional Security related plugins to the cluster + + - name: MONITORING_GROUP + title: Metrics, Logs, and Traces + tooltip: 'Metrics, Logs, and Traces related plugins. Learn more' + subtext: Add optional Metrics, Logs, and Traces related plugins to the cluster + + - name: APPLICATIONS_GROUP + title: Install additional application + tooltip: 'Automatically install sample applications.' + subtext: Automatically Install sample applications (e.g. BookInfo) + +runtime: + deployingMessage: 'Deployment can take 3-10 minutes to complete, depending on the size of your cluster.' diff --git a/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja.schema b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja.schema new file mode 100644 index 0000000..191f249 --- /dev/null +++ b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.jinja.schema 
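Review bot: `licenseTitle: AGPL v3` in istio-cluster.jinja.display does not match the `licenseUrl` next to it, which points at the istio/istio LICENSE file; Istio is published under the Apache License 2.0, so the title should read `licenseTitle: Apache License 2.0`. The `input.properties` list also declares `enableGrafana` twice with identical fields, and the second entry can be dropped. Both are display metadata only, but the licence label is what a deployer sees before accepting the solution.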
@@ -0,0 +1,83 @@ +info: + title: GKE cluster + author: Google, Inc. + description: | + Creates a GKE cluster with a VM initializing istio.io for use within the cluster + +required: +- gkeClusterName +- zone +- initialNodeCount +- instanceType + +properties: + gkeClusterName: + type: string + description: GKE Cluster Name + default: istio-cluster + zone: + type: string + description: Zone in which the cluster should run. + default: us-central1-a + x-googleProperty: + type: GCE_ZONE + initialNodeCount: + type: integer + description: Initial number of nodes desired in the cluster. + default: 4 + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + instanceType: + type: string + description: Node machineType + default: n1-standard-1 + x-googleProperty: + type: GCE_MACHINE_TYPE + zoneProperty: zone + + installIstioRelease: + type: string + description: Install Istio Release version. + default: 1.0.3 + enum: + - 1.0.3 + + enableBookInfoSample: + type: boolean + description: Add BookInfo Sample Application + default: true + + enableAutomaticSidecarInjection: + type: boolean + description: Enable automatic istio sidecar injection. + default: true + + enableMutualTLS: + type: boolean + description: Enable mutualTLS. + default: true + + enablePrometheus: + type: boolean + description: Enable Prometheus for metrics/logs + default: true + + enableGrafana: + type: boolean + description: Enable Grafana for metrics/logs + default: true + + enableTracing: + type: boolean + description: Enable Tracing + default: true + + enableServiceGraph: + type: boolean + description: Enable ServiceGraph for metrics/logs + default: true diff --git a/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.yaml b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.yaml new file mode 100644 index 0000000..e41399d --- /dev/null +++ b/istio-1.0.4/install/gcp/deployment_manager/istio-cluster.yaml 
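Review bot: `gkeClusterName` and `zone` in istio-cluster.jinja.schema are free-form strings, yet istio-cluster.jinja renders both unquoted into the root startup script (`gcloud container clusters get-credentials {{ properties['gkeClusterName'] }} --zone {{ properties['zone'] }}`). A value containing whitespace or shell metacharacters would change what that script executes. `installIstioRelease` is already limited by an `enum`; I would constrain the cluster name as well, e.g. `pattern: ^[a-z]([-a-z0-9]{0,38}[a-z0-9])?$`, assuming Deployment Manager honours the JSON-Schema `pattern` keyword here. Also, `enableBookInfoSample` is declared but the template in this diff never reads it, so BookInfo is applied regardless of the setting.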
@@ -0,0 +1,20 @@ + +imports: +- path: istio-cluster.jinja + +resources: +- name: my-cluster + type: istio-cluster.jinja + properties: + gkeClusterName: istio-cluster + zone: us-central1-a + initialNodeCount: 4 + instanceType: n1-standard-1 + enableAutomaticSidecarInjection: true + enableMutualTLS: true + enablePrometheus: true + enableGrafana: true + enableTracing: true + enableServiceGraph: true + enableBookInfoSample: true + installIstioRelease: 1.0.3 diff --git a/istio-1.0.4/install/kubernetes/README.md b/istio-1.0.4/install/kubernetes/README.md new file mode 100644 index 0000000..811be00 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/README.md @@ -0,0 +1,13 @@ +# Install Istio on an existing Kubernetes cluster + +Please follow the installation instructions from [istio.io](https://istio.io/docs/setup/kubernetes/quick-start.html). + +## Directory structure + +If you prefer to install Istio from checking out the [istio/istio](https://github.com/istio/istio) repostiory, you can run `updateVersion.sh` in the parent directory to generate the required installation files. This directory contains files needed for installing Istio on a Kubernetes cluster: + +* istio.yaml - use this generated file for installation without authentication enabled +* istio-auth.yaml - use this generated file for installation with authentication enabled +* templates - directory contains the templates used to generate istio.yaml and istio-auth.yaml +* addons - directory contains optional components (Prometheus, Grafana, Service Graph, Zipkin, Zipkin to Stackdriver) +* helm - directory contains the Istio helm release configuration files. This directory also requires running `updateVersion.sh` to generate some of the configuration files. diff --git a/istio-1.0.4/install/kubernetes/ansible/README.md b/istio-1.0.4/install/kubernetes/ansible/README.md new file mode 100644 index 0000000..ab03230 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/README.md 
@@ -0,0 +1,3 @@
+# Installation using Ansible
+
+Please follow the installation instructions from [istio.io](https://preliminary.istio.io/docs/setup/kubernetes/ansible-install.html).
diff --git a/istio-1.0.4/install/kubernetes/ansible/ansible.cfg b/istio-1.0.4/install/kubernetes/ansible/ansible.cfg
new file mode 100644
index 0000000..e9a5b2b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+#Needed to be able to override selected variables from the command line
+hash_behaviour=merge
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/defaults/main.yml b/istio-1.0.4/install/kubernetes/ansible/istio/defaults/main.yml
new file mode 100644
index 0000000..09379fc
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+
+# Whether the cluster is an Openshift (ocp) or upstream Kubernetes (k8s) cluster
+cluster_flavour: ocp
+
+
+istio:
+
+ # Install istio with or without istio-auth module
+ auth: false
+
+ # A set of add-ons to install, for example kiali
+ addon: []
+
+ # The names of the samples that should be installed as well.
+ # The available samples are in the istio_simple_samples variable
+ # In addition to the values in istio_simple_samples, 'bookinfo' can also be specified
+ samples: []
+
+ # Whether or not to open apps in the browser
+ open_apps: false
+
+ # Whether to delete resources that might exist from previous Istio installations
+ delete_resources: false
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/meta/main.yml b/istio-1.0.4/install/kubernetes/ansible/istio/meta/main.yml
new file mode 100644
index 0000000..6099501
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/meta/main.yml
@@ -0,0 +1,2 @@
+---
+dependencies: []
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/add_to_path.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/add_to_path.yml new file mode 100644 index 0000000..4f2d6b3 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/add_to_path.yml @@ -0,0 +1,28 @@ +- name: Set istio dir + set_fact: + istio_dir: "{{ istio_k8s_dir | dirname | dirname }}" + +- name: Add Istio to PATH + shell: | + ISTIO_BIN_DIR=$(cd {{ istio_dir }}/bin; pwd) + echo "########################################################################################" + echo "Execute this command within your terminal to include the bin direcrtory of the istioctl client !" + echo export PATH='$'PATH:$ISTIO_BIN_DIR + echo "Then, you will be able within your shell to call the istioctl client" + echo "istioctl [command]" + echo "########################################################################################" + register: r + +- debug: msg="{{ r.stdout.split('\n') }}" + +# PATH=$PATH:$ISTIO_BIN_DIR; export PATH + +# shell: ISTIO_BIN_DIR=$(cd {{ istio_dir }}/bin; pwd) | echo $ISTIO_BIN_DIR +# register: r + +# - debug: var=r +# +# - lineinfile: +# path: ms +# regexp: '.istio-{{ istio.istio_version_to_use }}' +# line: "\n# Istio\nexport PATH=$PATH:{{ r.stdout }}" diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/assert_oc_admin.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/assert_oc_admin.yml new file mode 100644 index 0000000..3cd3553 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/assert_oc_admin.yml 
@@ -0,0 +1,18 @@
+- name: Find users that have the admin role
+ shell: |
+ {{ cmd_path }} get ClusterRoleBinding cluster-admin -o 'jsonpath={.subjects[*].name}' 2> /dev/null
+ register: ro
+ ignore_errors: true
+
+- name: Get current logged in user
+ command: "{{ cmd_path }} whoami"
+ register: uo
+ ignore_errors: true
+
+- assert:
+ that:
+ - ro.rc == 0
+ - uo.rc == 0
+ - uo.stdout in ro.stdout
+ msg: "Make sure you use 'oc login' with a user that is an admin before running the playbook"
+
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/bookinfo_cmd.j2 b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/bookinfo_cmd.j2
new file mode 100644
index 0000000..6abe636
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/bookinfo_cmd.j2
@@ -0,0 +1,5 @@
+{% if cluster_flavour == 'ocp' %}
+{{ cmd_path }} adm policy add-scc-to-user privileged -z default -n {{ sample_namespace }}
+{% endif %}
+{{ cmd_path }} apply -n {{ sample_namespace }} -f <({{ istio_dir }}/bin/istioctl kube-inject -f {{ istio_dir }}/samples/bookinfo/kube/bookinfo.yaml)
+{{ cmd_path }} expose svc productpage -n {{ sample_namespace }}
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/change_scc.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/change_scc.yml
new file mode 100644
index 0000000..20f6ccb
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/change_scc.yml
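Review bot: The third assertion in assert_oc_admin.yml, `uo.stdout in ro.stdout`, is a substring test against the space-separated string that the jsonpath query returns, so a logged-in user whose name is contained in an admin's name (for example `adm` against `admin`) passes the check. Compare against the list elements instead: `- uo.stdout in ro.stdout.split()`. The lookup also reads only the binding named `cluster-admin`, so a user who holds the role through a different binding or through a group is rejected; that limitation is worth a comment above the first task.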
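Review bot: `add-scc-to-user privileged -z default` in bookinfo_cmd.j2 lets every pod that runs under the `default` service account in `{{ sample_namespace }}` start privileged containers, not only the BookInfo pods. Presumably this is there for the injected Istio init container, but the template does not say so. I would add a Jinja comment above the line, `{# privileged SCC is granted to this namespace's default service account for sidecar injection; do not reuse the namespace for other workloads #}`, and consider running the sample under a dedicated service account instead.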
@@ -0,0 +1,14 @@ +# Openshift by default does not allow containers running with UID 0. Enable containers running with UID 0 for Istio’s service accounts +- name: Define SCC rules to enable containers running with UID zero for Istio service accounts + shell: "{{ cmd_path }} adm policy add-scc-to-user anyuid -z {{ item }} -n {{ istio_namespace }}" + with_items: + - istio-ingressgateway-service-account + - istio-egressgateway-service-account + - istio-pilot-service-account + - istio-mixer-service-account + - istio-mixer-post-install-account + - istio-ca-service-account + - istio-sidecar-injector-service-account + - istio-citadel-service-account + - prometheus + - default diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/create_namespace_free_definition_file.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/create_namespace_free_definition_file.yml new file mode 100644 index 0000000..afd391a --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/create_namespace_free_definition_file.yml @@ -0,0 +1,17 @@ +- name: Create temp directory that will the modified definition file + command: mktemp -d -t ansible.XXXXXXXXXX + register: temp_output + +- name: Define var containing copied definition file + set_fact: + istio_copied_definition_file_full_path: "{{ temp_output.stdout }}/def.yml" + +- name: Copy definition file + command: "cp {{ istio_definition_full_path }} {{ istio_copied_definition_file_full_path }}" + +- name: Remove lines corresponding to namespace + replace: + path: "{{ istio_copied_definition_file_full_path }}" + regexp: '^\s*apiVersion: v1\s*\n+\s*kind: Namespace\s*\n+\s*metadata:\s*\n+\s*name: {{ istio_namespace }}\s*$' + replace: '' + diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/delete_resources.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/delete_resources.yml new file mode 100644 index 0000000..7ff92e8 --- /dev/null 
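Review bot: The `with_items` list in change_scc.yml ends with `default`, which grants `anyuid` to the default service account of `{{ istio_namespace }}`, so any pod created in that namespace without an explicit service account may run as UID 0. The comment above the task only mentions Istio's own service accounts. If `default` is really required, name the component that needs it next to the item, e.g. `- default  # needed by <component>; TODO confirm`; otherwise drop it. The task uses no shell features, so `command` would do in place of `shell`.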
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/delete_resources.yml @@ -0,0 +1,33 @@ +# Copies the istio definition file and removes the namespace from it +# This is done some we can avoid deleting the namespace +# At the end a variable named istio_copied_definition_file_full_path will be available which contains the path +# of the new file +- import_tasks: create_namespace_free_definition_file.yml + +- name: Delete Jaeger info + shell: | + {{ cmd_path }} process -f https://raw.githubusercontent.com/jaegertracing/jaeger-openshift/master/all-in-one/jaeger-all-in-one-template.yml | {{ cmd_path }} delete --ignore-not-found=true -f - + {{ cmd_path }} delete svc jaeger --ignore-not-found=true + ignore_errors: true + +- name: Delete Kiali info + shell: | + {{ cmd_path }} delete all,secrets,sa,templates,configmaps,deployments,clusterroles,clusterrolebindings,virtualservices,destinationrules --selector=app=kiali --selector=version=master --ignore-not-found=true -n {{ istio_namespace }} + ignore_errors: true + +- name: Delete content from Istio Kubernetes file + command: "{{ cmd_path }} delete -f {{ istio_copied_definition_file_full_path }} --ignore-not-found=true -n {{ istio_namespace }}" + when: not istio.auth + ignore_errors: true + +- name: Delete whatever else might be left over + command: "{{ cmd_path }} delete all --all -n {{ item }}" + ignore_errors: true + with_items: + - "{{ istio_namespace }}" + - samples + - bookinfo + +- name: Wait for the previous command to complete + pause: + seconds: 30 diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_addons.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_addons.yml new file mode 100644 index 0000000..70861af --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_addons.yml 
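Review bot: The Kiali cleanup in delete_resources.yml passes `--selector=app=kiali --selector=version=master`; as far as I know kubectl keeps only the last `--selector` value, so this would delete every listed resource type labelled `version=master`, including cluster-scoped `clusterroles` and `clusterrolebindings`, whether or not it belongs to Kiali. Combine the labels into one selector: `--selector=app=kiali,version=master`. The last delete task also runs `delete all --all` on the `samples` and `bookinfo` namespaces with `ignore_errors: true`, which removes workloads there even if this role did not create them; that deserves a warning in the comment on the `delete_resources` default.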
@@ -0,0 +1,23 @@ +- name: Install Kiali + block: + + - set_fact: + kiali_version: v0.9 + + - name: Install Kiali on Openshift + shell: | + curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/deploy/openshift/kiali-configmap.yaml | VERSION_LABEL={{ kiali_version }} envsubst | {{ cmd_path }} create -n {{ istio_namespace }} -f - + curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/deploy/openshift/kiali-secrets.yaml | VERSION_LABEL={{ kiali_version }} envsubst | {{ cmd_path }} create -n {{ istio_namespace }} -f - + curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/deploy/openshift/kiali.yaml | IMAGE_NAME=kiali/kiali IMAGE_VERSION={{ kiali_version }} NAMESPACE={{ istio_namespace }} VERSION_LABEL=master VERBOSE_MODE=4 envsubst | {{ cmd_path }} create -n {{ istio_namespace }} -f - + when: "cluster_flavour == 'ocp'" + + - name: Install Kiali on Kubernetes + shell: | + curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/deploy/kubernetes/kiali-configmap.yaml | VERSION_LABEL={{ kiali_version }} envsubst | {{ cmd_path }} create -n {{ istio_namespace }} -f - + curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/deploy/kubernetes/kiali-secrets.yaml | VERSION_LABEL={{ kiali_version }} envsubst | {{ cmd_path }} create -n {{ istio_namespace }} -f - + curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/deploy/kubernetes/kiali.yaml | IMAGE_NAME=kiali/kiali IMAGE_VERSION={{ kiali_version }} NAMESPACE={{ istio_namespace }} VERSION_LABEL=master VERBOSE_MODE=4 envsubst | {{ cmd_path }} create -n {{ istio_namespace }} -f - + when: "cluster_flavour == 'k8s'" + + when: + - is_istioaddon_iterable + - "'kiali' in istio.addon" diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_on_cluster.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_on_cluster.yml new file mode 100644 index 0000000..e0358bb --- /dev/null 
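Review bot: Both Kiali tasks in install_addons.yml pipe `curl https://raw.githubusercontent.com/kiali/kiali/{{ kiali_version }}/...` straight into `{{ cmd_path }} create -f -`, so whatever the `v0.9` ref serves at run time is applied to the cluster with the operator's credentials. A failed download is not detected either, because `curl` is called without `-f` and the pipeline's status is that of its last command. A tag can be moved, so pinning `kiali_version` to a commit SHA or vendoring the three manifests next to the role would make the applied content reviewable. At minimum use `curl -fsSL`, set `executable: /bin/bash` on the task and start the script with `set -o pipefail`. The two tasks differ only in the `openshift`/`kubernetes` path segment and could be one task with that segment as a variable.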
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_on_cluster.yml @@ -0,0 +1,24 @@ +- name: Get istio k8s install path + set_fact: + istio_k8s_dir: "{{ playbook_dir | dirname }}" + +- name: Set istio definition pull path + import_tasks: set_istio_distro_vars.yml + +- name: Add istio bin dir to PATH + import_tasks: add_to_path.yml + +- name: Deploy Istio from kubernetes file + shell: "{{ cmd_path }} create -f {{ istio_definition_full_path }}" + ignore_errors: true + +- name: Create Routes in Openshift + shell: "{{cmd_path}} expose svc {{item}} -n istio-system" + with_items: + - istio-ingressgateway + - prometheus + - grafana + when: "cluster_flavour == 'ocp'" + +- name: Deploy Addons defined such as Grafana, ... + import_tasks: install_addons.yml diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_sample.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_sample.yml new file mode 100644 index 0000000..97b9077 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_sample.yml 
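Review bot: The `Create Routes in Openshift` task in install_on_cluster.yml exposes `prometheus` and `grafana` alongside `istio-ingressgateway`, which publishes both dashboards through the OpenShift router; if the demo manifests deploy them without a login (not visible in this diff), anyone who can reach the router can read mesh telemetry. I would make the telemetry routes opt-in by moving them to their own task behind a flag, e.g. `when: cluster_flavour == 'ocp' and (istio.expose_telemetry | default(false))` (proposed variable name). The task also hard-codes `-n istio-system` where the other task files use `{{ istio_namespace }}`. `ignore_errors: true` on `Deploy Istio from kubernetes file` lets the play continue after a failed install, so later tasks act on a partly created mesh.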
@@ -0,0 +1,30 @@ +# We can't simply execute the standard sample installation script using shell +# because Ansible doesn't play nicely with bash's process substitution +# This task expects to given the following arguments: +# sample_cmd_template: the template that will be used to create the command that will be executed +# sample_path: the path within the istio directory where the sample's definition file can be found +# sample_namespace: the namespace where the sample will be deployed to + +- name: Create temp directory that will contain the installation script + command: mktemp -d -t ansible.XXXXXXXXXX + register: temp_output + +- name: Set command full path + set_fact: + sample_cmd_full_path: "{{ temp_output.stdout }}/sample_cmd" + +- name: Copy command into temp directory + template: src={{ sample_cmd_template }} dest={{ sample_cmd_full_path }} + +- name: Make command executable + file: dest={{ sample_cmd_full_path }} mode=a+x + +- command: "cat {{ sample_cmd_full_path }}" + register: co + +- name: Install sample {{ sample_path }} + command : "bash -c {{ sample_cmd_full_path }}" + +- name: Show helpful bookinfo message + debug: + msg: "Sample from path {{ sample_path }} is being deployed in namespace {{ sample_namespace }}" \ No newline at end of file diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_samples.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_samples.yml new file mode 100644 index 0000000..18c745e --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/install_samples.yml 
@@ -0,0 +1,33 @@ +- name: Find samples that don't require special handling + set_fact: + selected_simple_samples: "{{ istio.samples | difference('bookinfo') }}" + +- include_tasks: safely_create_namespace.yml + vars: + ns_name: samples + when: "selected_simple_samples | length > 0" + +- name: Install sample + include_tasks: install_sample.yml + vars: + sample_cmd_template: simple_sample_cmd.j2 + sample_path: "{{ item.path }}" + sample_namespace: samples + with_items: "{{ istio_simple_samples }}" + when: "item.name in selected_simple_samples" + +- set_fact: + bookinfo_selected: "{{ 'bookinfo' in istio.samples }}" + +- include_tasks: safely_create_namespace.yml + vars: + ns_name: bookinfo + when: bookinfo_selected == true + +- name: Install bookinfo + include_tasks: install_sample.yml + vars: + sample_cmd_template: bookinfo_cmd.j2 + sample_path: bookinfo/kube/bookinfo.yaml + sample_namespace: bookinfo + when: bookinfo_selected == true \ No newline at end of file diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/main.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/main.yml new file mode 100644 index 0000000..ab04b3d --- /dev/null +++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/main.yml 
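Review bot: `istio.samples | difference('bookinfo')` in install_samples.yml passes a string where the `difference` filter expects a list, so the result depends on how the filter treats a string operand (as characters or as a substring test) rather than on list membership. Use `selected_simple_samples: "{{ istio.samples | difference(['bookinfo']) }}"`. The two `when: bookinfo_selected == true` conditions can be written `when: bookinfo_selected | bool`, which also holds if the fact arrives as a string.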
@@ -0,0 +1,31 @@
+---
+
+- name: Is istio.addon be iterable
+ set_fact:
+ is_istioaddon_iterable: "{{ istio.addon is defined and istio.addon is iterable }}"
+
+- include_tasks: set_appropriate_cmd_path.yml
+ when: cmd_path is not defined
+
+- name: Extract server version
+ shell: |
+ {{ cmd_path }} version | sed -En "{{'s/kubernetes.*v([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+).*/\1/p' if cluster_flavour == 'ocp' else 's/Server Version.*GitVersion.*v([[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+).*/\1/p'}}" | tail -1
+ register: vo
+
+- assert:
+ that:
+ - "vo.stdout is version_compare(minimum_cluster_version,'>=')"
+ msg: "Cluster version must be at least {{ minimum_cluster_version }}"
+
+- include_tasks: set_istio_path.yml
+
+- include_tasks: delete_resources.yml
+ when: istio.delete_resources == true
+
+- include_tasks: install_on_cluster.yml
+
+- include_tasks: change_scc.yml
+ when: cluster_flavour == 'ocp'
+
+- include_tasks: install_samples.yml
+ when: (istio.samples is iterable) and (istio.samples | length > 0)
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/safely_create_namespace.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/safely_create_namespace.yml
new file mode 100644
index 0000000..a3bea4d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/safely_create_namespace.yml
@@ -0,0 +1,13 @@
+# Create a namespace if it doesn't exist
+# The name of the namespace to create is given in variable ns_name
+
+- name: Check if namespace exists
+ shell: "{{ cmd_path }} get namespace/{{ ns_name }}"
+ ignore_errors: true
+ register: r
+
+- name: Create namespace {{ ns_name }}
+ shell: "{{ cmd_path }} create namespace {{ ns_name }}"
+ when:
+ - r.stderr != ""
+ - r.stderr.find("NotFound") != -1
\ No newline at end of file
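Review bot: The version assert compares `vo.stdout` without checking that anything was extracted. The pipeline's exit status is that of `tail`, so a failed `{{ cmd_path }} version` (no login, unreachable API server) yields an empty string and the play stops with the misleading "Cluster version must be at least …" message. Adding `- "vo.stdout | length > 0"` as the first entry under `that:` separates "could not read the version" from "version too old". The task name `Is istio.addon be iterable` should also read `Check whether istio.addon is iterable`.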
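Review bot: Both tasks in safely_create_namespace.yml use `shell:` although neither needs shell features, so `cmd_path` and `ns_name` are expanded by a shell for no benefit; `command: "{{ cmd_path }} get namespace/{{ ns_name }}"` runs the same call without one. The existence check relies on `ignore_errors: true` plus a substring match on stderr, so any other failure (expired login, API timeout) is ignored and the create step is silently skipped. `failed_when: r.rc != 0 and 'NotFound' not in r.stderr` together with `changed_when: false` would fail fast on real errors and keep the NotFound path.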
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_appropriate_cmd_path.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_appropriate_cmd_path.yml
new file mode 100644
index 0000000..101ddda
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_appropriate_cmd_path.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Assume that command is already on the PATH
+ set_fact:
+ cmd_path: "{{'oc' if cluster_flavour == 'ocp' else 'kubectl' }}"
+ when: cmd_path is not defined
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_istio_distro_vars.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_istio_distro_vars.yml
new file mode 100644
index 0000000..fe51344
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_istio_distro_vars.yml
@@ -0,0 +1,11 @@
+- name: Define var containg Istio definition file name
+ set_fact:
+ istio_definition_file_name: "{{'istio-demo-auth.yaml' if istio.auth == true else 'istio-demo.yaml'}}"
+
+- name: Define var containg Istio definition file full path
+ set_fact:
+ istio_definition_full_path: "{{ istio_k8s_dir }}/{{ istio_definition_file_name }}"
+
+- name: Show the full path of the definition file to be used
+ debug:
+ msg: "Using the following file to install Istio onto Kubernetes {{ istio_definition_full_path }}"
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_istio_path.yml b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_istio_path.yml
new file mode 100644
index 0000000..c4744a3
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/set_istio_path.yml
@@ -0,0 +1,9 @@
+- name: Get istio k8s install path
+ set_fact:
+ istio_k8s_dir: "{{ playbook_dir | dirname }}"
+
+- name: Set istio definition pull path
+ import_tasks: set_istio_distro_vars.yml
+
+- name: Add istio bin dir to PATH
+ import_tasks: add_to_path.yml
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/tasks/simple_sample_cmd.j2 b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/simple_sample_cmd.j2
new file mode 100644
index 0000000..4f7bb7a
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/tasks/simple_sample_cmd.j2
@@ -0,0 +1,4 @@
+{% if cluster_flavour == 'ocp' %}
+{{ cmd_path }} adm policy add-scc-to-user privileged -z default -n {{ sample_namespace }}
+{% endif %}
+{{ cmd_path }} apply -n {{ sample_namespace }} -f <({{ istio_dir }}/bin/istioctl kube-inject -f {{ istio_dir }}/samples/{{ sample_path }})
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/ansible/istio/vars/main.yml b/istio-1.0.4/install/kubernetes/ansible/istio/vars/main.yml
new file mode 100644
index 0000000..cca21f4
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/istio/vars/main.yml
@@ -0,0 +1,12 @@
+---
+minimum_cluster_version: 1.9.0
+
+istio_namespace: istio-system
+
+istio_simple_samples:
+ - name: helloworld
+ path: helloworld/helloworld.yaml
+ - name: httpbin
+ path: httpbin/httpbin.yaml
+ - name: sleep
+ path: sleep/sleep.yaml
diff --git a/istio-1.0.4/install/kubernetes/ansible/main.yml b/istio-1.0.4/install/kubernetes/ansible/main.yml
new file mode 100644
index 0000000..794a91c
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/ansible/main.yml
@@ -0,0 +1,20 @@
+---
+- hosts: localhost
+ gather_facts: true
+
+ pre_tasks:
+ # We require Ansible 2.4 or newer
+ - name: Check Ansible version
+ assert:
+ that: '(ansible_version.major, ansible_version.minor, ansible_version.revision) >= (2, 4, 0)'
+ msg: 'Please install the recommended version 2.4+. You have Ansible {{ ansible_version.string }}.'
+ run_once: yes
+
+ - name: Playbook runs correctly only on Linux or Mac OSX
+ assert:
+ that: 'ansible_system == "Linux" or ansible_os_family == "Darwin"'
+ msg: 'The playbook can only be run on Linux or Mac OSX systems'
+ run_once: yes
+
+ roles:
+ - istio
\ No newline at end of file
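Review bot: On OpenShift, simple_sample_cmd.j2 grants the `privileged` SCC to the `default` service account of `{{ sample_namespace }}`, and nothing visible here explains or later revokes it, so every pod started in that namespace without its own service account inherits the grant. I would add a comment above the `adm policy` line giving the reason (presumably the injected init container needs elevated capabilities; confirm) and stating that the namespace is demo-only. The delete path should pair it with a matching `adm policy remove-scc-from-user privileged -z default -n {{ sample_namespace }}`. The process substitution also leaves `{{ istio_dir }}` and `{{ sample_path }}` unquoted, so an install path containing spaces breaks the command.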
diff --git a/istio-1.0.4/install/kubernetes/helm/README.md b/istio-1.0.4/install/kubernetes/helm/README.md
new file mode 100644
index 0000000..35e06cd
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/README.md
@@ -0,0 +1,3 @@
+# Installation using Helm
+
+Please follow the installation instructions from [istio.io](https://preliminary.istio.io/docs/setup/kubernetes/helm-install.html).
diff --git a/istio-1.0.4/install/kubernetes/helm/helm-service-account.yaml b/istio-1.0.4/install/kubernetes/helm/helm-service-account.yaml
new file mode 100644
index 0000000..3f328dd
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/helm-service-account.yaml
@@ -0,0 +1,21 @@
+# Create a service account for Helm and grant the cluster admin role.
+# It is assumed that helm should be installed with this service account
+# (tiller).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tiller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/Chart.yaml
new file mode 100644
index 0000000..2fdcbb7
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+name: istio-remote
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart needed for remote Kubernetes clusters to join the main Istio control plane
+keywords:
+ - remote
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/README.md b/istio-1.0.4/install/kubernetes/helm/istio-remote/README.md
new file mode 100644
index 0000000..87fe0e8
--- /dev/null
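Review bot: helm-service-account.yaml binds the `tiller` service account to `cluster-admin`, and the header comment states this without saying what it implies: whatever can reach Tiller in `kube-system` acts with full cluster rights. I would extend the comment with `# cluster-admin is for evaluation clusters only; for shared clusters bind tiller to a namespaced Role or render the chart with helm template`. The binding also uses `rbac.authorization.k8s.io/v1beta1`, while `istio-remote/templates/clusterrole.yaml` in this same commit already uses `v1`; using `v1` here keeps the commit consistent.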
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/README.md
@@ -0,0 +1,5 @@
+# Istio Remote
+
+This chart is for preparing a remote cluster to use the Istio components in a primary control plane cluster.
+
+Please follow the installation instructions from [istio.io](https://preliminary.istio.io/docs/setup/kubernetes/multicluster-install/).
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/Chart.yaml
new file mode 100644
index 0000000..40d2add
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: security
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart for istio authentication
+keywords:
+ - istio
+ - security
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/_helpers.tpl
new file mode 100644
index 0000000..7564a1b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "security.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "security.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/cleanup-secrets.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/cleanup-secrets.yaml
new file mode 100644
index 0000000..ae93b9f
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/cleanup-secrets.yaml
@@ -0,0 +1,100 @@
+# The reason for creating a ServiceAccount and ClusterRole specifically for this
+# post-delete hooked job is because the citadel ServiceAccount is being deleted
+# before this hook is launched. On the other hand, running this hook before the
+# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they
+# will be re-created immediately by the to-be-deleted citadel.
+#
+# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding
+# will be ready before running the hooked Job therefore the hook weights.
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-cleanup-secrets-service-account
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "1"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "2"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-cleanup-secrets-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-cleanup-secrets-service-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-cleanup-secrets
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-delete
+ "helm.sh/hook-delete-policy": hook-succeeded
+ "helm.sh/hook-weight": "3"
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ template:
+ metadata:
+ name: istio-cleanup-secrets
+ labels:
+ app: {{ template "security.name" . }}
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-cleanup-secrets-service-account
+ containers:
+ - name: hyperkube
+ image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
+ command:
+ - /bin/bash
+ - -c
+ - >
+ kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do
+ ns=$(echo $entry | awk '{print $1}');
+ name=$(echo $entry | awk '{print $2}');
+ kubectl delete secret $name -n $ns;
+ done
+ restartPolicy: OnFailure
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/clusterrole.yaml
new file mode 100644
index 0000000..d7879a9
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/clusterrole.yaml
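Review bot: The cleanup Job's shell loop expands `$entry`, `$name` and `$ns` unquoted and picks rows by grepping the human-readable table, so the match is not tied to the secret's TYPE column. Quoting the expansions (`kubectl delete secret "$name" -n "$ns"`) and selecting with `--field-selector type=istio.io/key-and-cert` instead of `grep` would make the delete act only on the intended objects; confirm the selector against the kubectl shipped in the hyperkube image. The ClusterRole grants `list` and `delete` on secrets in every namespace, and all four objects carry only `hook-succeeded`, so if the Job does not succeed that service account and binding appear to stay behind. The header comment should tell operators to remove them by hand in that case.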
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "watch", "list"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..501f8ad
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/deployment.yaml
new file mode 100644
index 0000000..7561017
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/deployment.yaml
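Review bot: The `chart:` label in clusterrole.yaml is `{{ .Chart.Name }}-{{ .Chart.Version }}`, while `deployment.yaml` and the cleanup Job in this commit use `{{ .Chart.Version | replace "+" "_" }}`; a chart version carrying `+build` metadata would render a label value the API server rejects. The same unescaped form appears in the security `clusterrolebinding.yaml` and `serviceaccount.yaml`, the three RBAC hook objects in `cleanup-secrets.yaml`, the sidecarInjectorWebhook `clusterrole.yaml`, `clusterrolebinding.yaml` and `serviceaccount.yaml`, and the istio-remote `clusterrolebinding.yaml`. Use `chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}` in all of them. Separately, the first rule grants create/update/delete on secrets cluster-wide with no comment; a one-line note on why Citadel needs write access to secrets in every namespace would help reviewers of this role.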
@@ -0,0 +1,63 @@
+# istio CA watching all namespaces
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: citadel
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: istio-citadel-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: citadel
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --append-dns-names=true
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --citadel-storage-namespace={{ .Release.Namespace }}
+ {{- if .Values.selfSigned }}
+ - --self-signed-ca=true
+ {{- else }}
+ - --self-signed-ca=false
+ - --signing-cert=/etc/cacerts/ca-cert.pem
+ - --signing-key=/etc/cacerts/ca-key.pem
+ - --root-cert=/etc/cacerts/root-cert.pem
+ - --cert-chain=/etc/cacerts/cert-chain.pem
+ {{- end }}
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+{{- if not .Values.selfSigned }}
+ volumeMounts:
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ volumes:
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/enable-mesh-mtls.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/enable-mesh-mtls.yaml
new file mode 100644
index 0000000..deec436
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/enable-mesh-mtls.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.global.mtls.enabled }}
+# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
+# they are added to Istio installation yaml for backward compatible. In future, they should be in
+# a separated yaml file so that customer can enable mTLS independent from installation.
+
+# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+ name: "default"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ peers:
+ - mtls: {}
+---
+# Corresponding destination rule to configure client side to use mutual TLS when talking to
+# any service (host) in the mesh.
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "default"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ host: "*.local"
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+# Destination rule to dislabe (m)TLS when talking to API server, as API server doesn't have sidecar.
+# Customer should add similar destination rules for other services that dont' have sidecar.
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "api-server"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ host: "kubernetes.default.svc.cluster.local"
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+{{- end }}
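Review bot: The comments in this template have typos worth fixing before it lands: `dislabe` should be `disable`, `dont'` should be `don't`, and `for backward compatible` should be `for backward compatibility`. The comment above the `api-server` rule should also say what `mode: DISABLE` covers. As I read it, it only stops the sidecar from originating Istio mutual TLS to `kubernetes.default.svc.cluster.local`, and the client's own HTTPS to the API server is unaffected, so a reader should not take it as turning encryption off. None of the three objects sets `namespace:`, so they land in whatever namespace the release uses; state that in the header comment if it is intended.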
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/enable-mesh-permissive.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/enable-mesh-permissive.yaml
new file mode 100644
index 0000000..35908d2
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/enable-mesh-permissive.yaml
@@ -0,0 +1,16 @@
+{{ define "security-permissive.yaml.tpl" }}
+# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+ name: "default"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ peers:
+ - mtls:
+ mode: PERMISSIVE
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/service.yaml
new file mode 100644
index 0000000..902c138
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ # we use the normal name here (e.g. 'prometheus')
+ # as grafana is configured to use this as a data source
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-citadel
+spec:
+ ports:
+ - name: grpc-citadel
+ port: 8060
+ targetPort: 8060
+ protocol: TCP
+ - name: http-monitoring
+ port: 9093
+ selector:
+ istio: citadel
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/serviceaccount.yaml
new file mode 100644
index 0000000..58501af
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/security/templates/serviceaccount.yaml
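Review bot: `mode: PERMISSIVE` in enable-mesh-permissive.yaml makes every sidecar accept plaintext as well as mutual TLS, and the one-line comment does not say so. I would add `# PERMISSIVE accepts both plaintext and mTLS; intended for migration only, enforce mTLS once all clients have sidecars`. The template opens with `{{ define` but closes with `{{- end }}`, unlike the `{{- define … -}}` style of `_helpers.tpl`. Nothing in the files visible in this diff includes `security-permissive.yaml.tpl`, so please confirm it is referenced somewhere, since otherwise the policy is never rendered.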
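Review bot: The comment under `metadata:` in the security service.yaml talks about 'prometheus' and a grafana data source, which has nothing to do with the `istio-citadel` Service and looks copied from another chart. Drop it or replace it with a line saying which clients depend on this fixed name. The `http-monitoring` port also omits `targetPort` and `protocol` while `grpc-citadel` spells both out; use one form for both entries.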
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/Chart.yaml
new file mode 100644
index 0000000..ec10266
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: sidecarInjectorWebhook
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart for sidecar injector webhook deployment
+keywords:
+ - istio
+ - sidecarInjectorWebhook
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/_helpers.tpl
new file mode 100644
index 0000000..8ed67e2
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sidecar-injector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "sidecar-injector.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
new file mode 100644
index 0000000..b36fdb0
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["*"]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "patch"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..10b0d71
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
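Review bot: The first rule of the sidecar-injector ClusterRole uses `apiGroups: ["*"]` for `configmaps`, which live only in the core group; the wildcard also matches any custom or future API group that defines a resource of that name. `- apiGroups: [""]` grants what the rule needs and matches the Citadel ClusterRole in this commit. The `patch` verb on `mutatingwebhookconfigurations` is cluster-wide too. Moving it into its own rule with `resourceNames: ["istio-sidecar-injector"]` would limit it to the one object this chart creates, while get/list/watch stay in the unrestricted rule.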
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/deployment.yaml
new file mode 100644
index 0000000..357f51d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/deployment.yaml
@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: sidecar-injector
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ istio: sidecar-injector
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: istio-sidecar-injector-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: sidecar-injector-webhook
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --caCertFile=/etc/istio/certs/root-cert.pem
+ - --tlsCertFile=/etc/istio/certs/cert-chain.pem
+ - --tlsKeyFile=/etc/istio/certs/key.pem
+ - --injectConfig=/etc/istio/inject/config
+ - --meshConfig=/etc/istio/config/mesh
+ - --healthCheckInterval=2s
+ - --healthCheckFile=/health
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ readOnly: true
+ - name: certs
+ mountPath: /etc/istio/certs
+ readOnly: true
+ - name: inject-config
+ mountPath: /etc/istio/inject
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: certs
+ secret:
+ secretName: istio.istio-sidecar-injector-service-account
+ - name: inject-config
+ configMap:
+ name: istio-sidecar-injector
+ items:
+ - key: config
+ path: config
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000..e7f7519
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
@@ -0,0 +1,36 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+webhooks:
+ - name: sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ path: "/inject"
+ caBundle: ""
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ namespaceSelector:
+{{- if .Values.enableNamespacesByDefault }}
+ matchExpressions:
+ - key: istio-injection
+ operator: NotIn
+ values:
+ - disabled
+{{- else }}
+ matchLabels:
+ istio-injection: enabled
+{{- end }}
+
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/service.yaml
new file mode 100644
index 0000000..b24900b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/service.yaml
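Review bot: In mutatingwebhook.yaml, when `enableNamespacesByDefault` is set the `NotIn [disabled]` selector matches every namespace without the label, including `kube-system` and the release namespace, and `failurePolicy: Fail` then rejects pod creation in all of them whenever the injector is unavailable. That combination should be documented next to the selector, e.g. `# with enableNamespacesByDefault, label kube-system and the istio namespace istio-injection=disabled before installing`. `caBundle: ""` would benefit from a comment saying who fills it in; presumably the injector patches it at runtime, given the `patch` verb in its ClusterRole, but that needs confirming. `metadata.namespace` has no effect on a cluster-scoped MutatingWebhookConfiguration and can be dropped.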
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio: sidecar-injector
+spec:
+ ports:
+ - port: 443
+ selector:
+ istio: sidecar-injector
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
new file mode 100644
index 0000000..8beb35b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/requirements.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/requirements.yaml
new file mode 100644
index 0000000..00181d3
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/requirements.yaml
@@ -0,0 +1,6 @@
+dependencies:
+ - name: sidecarInjectorWebhook
+ version: 1.0.4
+ condition: sidecarInjectorWebhook.enabled
+ - name: security
+ version: 1.0.4
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/_affinity.tpl b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/_affinity.tpl
new file mode 100644
index 0000000..0a702d4
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/_affinity.tpl
@@ -0,0 +1,36 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "nodeaffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/_helpers.tpl
new file mode 100644
index 0000000..b85468d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/_helpers.tpl
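Review bot: If `.Values.global.arch` is empty or every weight in it is 0, `nodeAffinityRequiredDuringScheduling` renders `values:` with no items, and the Citadel and sidecar-injector Deployments that include `nodeaffinity` would likely be rejected by the API server with an error that does not point back to the values file. A header comment on the define should state that at least one architecture must have a weight above 0. The template could enforce this by failing at render time with a clear message when no key qualifies.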
@@ -0,0 +1,30 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "istio.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified configmap name.
+*/}}
+{{- define "istio.configmap.fullname" -}}
+{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Configmap checksum.
+*/}}
+{{- define "istio.configmap.checksum" -}}
+{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/clusterrole.yaml
new file mode 100644
index 0000000..d03a903
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/clusterrole.yaml
@@ -0,0 +1,8 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: istio-reader
+rules:
+ - apiGroups: ['']
+ resources: ['nodes', 'pods', 'services', 'endpoints']
+ verbs: ['get', 'watch', 'list']
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..827601b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/clusterrolebinding.yaml
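Review bot: `istio.configmap.checksum` hashes the file name rather than the rendered ConfigMap, because `print $.Template.BasePath "/configmap.yaml" | sha256sum` pipes only the path string into `sha256sum`. The value is therefore the same whatever the mesh config contains, and a pod annotation built from it would never trigger a rollout when a setting such as `controlPlaneAuthPolicy` changes. Render the template before hashing: `{{- include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}`. No caller of this helper is visible in the hunks shown here, so confirm where it is consumed.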
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-multi
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-reader
+subjects:
+- kind: ServiceAccount
+ name: istio-multi
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/configmap.yaml
new file mode 100644
index 0000000..79dcfc0
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/configmap.yaml
@@ -0,0 +1,120 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istio.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + mesh: |- + + {{- if .Values.global.remotePolicyAddress }} + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: {{ .Values.global.disablePolicyChecks }} + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }} + {{- end }} + + {{- if .Values.global.remoteZipkinAddress }} + # Set enableTracing to false to disable request tracing. + enableTracing: {{ .Values.global.enableTracing }} + {{- end }} + + # TODO: not clear if this is used - pilot generates config based on the main cluster config. + # Set accessLogFile to empty string to disable access log. + accessLogFile: "{{ .Values.global.proxy.accessLogFile }}" + # + # To disable the mixer completely (including metrics), comment out + # the following lines + {{- if .Values.global.remotePolicyAddress }} + mixerCheckServer: {{ .Values.global.remotePolicyAddress }}:15004 + {{- end }} + + {{- if .Values.global.remoteTelemetryAddress }} + mixerReportServer: {{ .Values.global.remoteTelemetryAddress }}:15004 + {{- end }} + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. 
+ serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. + # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: {{ .Values.global.proxy.concurrency }} + + {{- if .Values.global.remoteZipkinAddress }} + # + # Zipkin trace collector + zipkinAddress: {{ .Values.global.remoteZipkinAddress }}:9411 + {{- end }} + + {{- if .Values.global.proxy.envoyStatsd.enabled }} + # + # Statsd metrics collector converts statsd metrics into Prometheus metrics. 
+ statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }} + {{- end }} + + {{- $defPilotHostname := printf "istio-pilot.%s" .Release.Namespace }} + {{- $pilotAddress := .Values.global.remotePilotAddress | default $defPilotHostname }} + {{- if .Values.global.controlPlaneSecurityEnabled }} + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + {{- if .Values.global.remotePilotCreateSvcEndpoint }} + discoveryAddress: {{ $defPilotHostname }}:15005 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15005 + {{- end }} + {{- else }} + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: NONE + # + # Address where istio Pilot service is running + {{- if .Values.global.remotePilotCreateSvcEndpoint }} + discoveryAddress: {{ $defPilotHostname }}:15007 + {{- else }} + discoveryAddress: {{ $pilotAddress }}:15007 + {{- end }} + {{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/endpoints.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/endpoints.yaml new file mode 100644 index 0000000..d8fcfa3 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/endpoints.yaml 
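Review bot: The final `{{- else }}` branch of `defaultConfig` sets `controlPlaneAuthPolicy: NONE` and points `discoveryAddress` at port 15007, and values.yaml in this commit ships `controlPlaneSecurityEnabled: false`, so a default install talks to Pilot in plain text without authenticating it. In this chart Pilot is addressed through `global.remotePilotAddress`, presumably outside the local cluster, which makes the unauthenticated path more exposed than in a single-cluster install. I would add a comment in that branch, `# WARNING: unauthenticated plain-text discovery; set global.controlPlaneSecurityEnabled=true when Pilot is reached over an untrusted network`, and consider making `true` the default for this chart.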
@@ -0,0 +1,25 @@
+{{- if .Values.global.remotePilotCreateSvcEndpoint }}
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+subsets:
+- addresses:
+ - ip: {{ .Values.global.remotePilotAddress }}
+ ports:
+ - port: 15003
+ name: http-old-discovery # mTLS or non-mTLS depending on auth setting
+ - port: 15005
+ name: https-discovery # always mTLS
+ - port: 15007
+ name: http-discovery # always plain-text
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS or non-mTLS depending on auth setting
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 9093
+ name: http-monitoring
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/service.yaml
new file mode 100644
index 0000000..15d3581
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/service.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.global.remotePilotCreateSvcEndpoint }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+spec:
+ ports:
+ - port: 15003
+ name: http-old-discovery # mTLS or non-mTLS depending on auth setting
+ - port: 15005
+ name: https-discovery # always mTLS
+ - port: 15007
+ name: http-discovery # always plain-text
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS or non-mTLS depending on auth setting
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 9093
+ name: http-monitoring
+ clusterIP: None
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/serviceaccount.yaml
new file mode 100644
index 0000000..e52d9eb
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/serviceaccount.yaml
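Review bot: `- ip: {{ .Values.global.remotePilotAddress }}` in endpoints.yaml is rendered without validation, while values.yaml defaults the value to `""` and documents it as "hostnames or IP addresses". With `remotePilotCreateSvcEndpoint=true` and an empty or hostname value the Endpoints object is invalid, since the `ip` field accepts an IP address only. Fail at render time instead, `- ip: {{ required "global.remotePilotAddress must be an IP address when remotePilotCreateSvcEndpoint is true" .Values.global.remotePilotAddress }}`, and state in the values.yaml comment that a hostname is not accepted in this mode.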
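Review bot: The port list in service.yaml publishes the plain-text listeners (`15007` "always plain-text", `15010` and `8080` "direct") unconditionally, and the identical list appears in endpoints.yaml. When `global.controlPlaneSecurityEnabled` is true the rendered mesh config uses only `15005`, so the extra entries keep unauthenticated paths to the remote Pilot reachable through this Service for no visible benefit. Consider wrapping those entries in `{{- if not .Values.global.controlPlaneSecurityEnabled }}` … `{{- end }}` in both files, after confirming that nothing else in the remote cluster relies on them.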
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-multi
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml
new file mode 100644
index 0000000..eba7050
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/templates/sidecar-injector-configmap.yaml
@@ -0,0 +1,179 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istio.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: sidecar-injector +data: + config: |- + policy: {{ .Values.global.proxy.autoInject }} + template: |- + initContainers: + - name: istio-init + image: {{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }} + args: + - "-p" + - {{ "[[ .MeshConfig.ProxyListenPort ]]" }} + - "-u" + - 1337 + - "-m" + - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + - "-i" + {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\") -]]" }} + {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeOutboundIPRanges\" ]]\"" }} + {{ "[[ else -]]" }} + - "{{ .Values.global.proxy.includeIPRanges }}" + {{ "[[ end -]]" }} + - "-x" + {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\") -]]" }} + {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeOutboundIPRanges\" ]]\"" }} + {{ "[[ else -]]" }} + - "{{ .Values.global.proxy.excludeIPRanges }}" + {{ "[[ end -]]" }} + - "-b" + {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\") -]]" }} + {{ "- \"[[ index .ObjectMeta.Annotations \"traffic.sidecar.istio.io/includeInboundPorts\" ]]\"" }} + {{ "[[ else -]]" }} + - {{ "[[ range .Spec.Containers -]][[ range .Ports -]][[ .ContainerPort -]], [[ end -]][[ end -]][[ end]]" }} + - "-d" + {{ "[[ if (isset .ObjectMeta.Annotations \"traffic.sidecar.istio.io/excludeInboundPorts\") -]]" }} + {{ "- \"[[ index .ObjectMeta.Annotations 
\"traffic.sidecar.istio.io/excludeInboundPorts\" ]]\"" }} + {{ "[[ else -]]" }} + - "{{ .Values.global.proxy.excludeInboundPorts }}" + {{ "[[ end -]]" }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + securityContext: + capabilities: + add: + - NET_ADMIN + {{ if .Values.global.proxy.privileged }} + privileged: true + {{ end }} + restartPolicy: Always + {{- if .Values.global.proxy.enableCoreDump }} + - args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + command: + - /bin/sh + image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }} + imagePullPolicy: IfNotPresent + name: enable-core-dump + resources: {} + securityContext: + privileged: true + {{ end }} + containers: + - name: istio-proxy + image: {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\") -]]" }} + {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyImage\" ]]\"" }} + {{ "[[ else -]]" }} + {{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }} + {{ "[[ end -]]" }} + args: + - proxy + - sidecar + - --configPath + - {{ "[[ .ProxyConfig.ConfigPath ]]" }} + - --binaryPath + - {{ "[[ .ProxyConfig.BinaryPath ]]" }} + - --serviceCluster + {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }} + - {{ "[[ index .ObjectMeta.Labels \"app\" ]]" }} + {{ "[[ else -]]" }} + - "istio-proxy" + {{ "[[ end -]]" }} + - --drainDuration + - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }} + - --parentShutdownDuration + - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }} + - --discoveryAddress + - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/discoveryAddress\") .ProxyConfig.DiscoveryAddress ]]" }} + - --discoveryRefreshDelay + - {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }} + {{- if .Values.global.zipkinAddress }} + - --zipkinAddress + - {{ "[[ .ProxyConfig.ZipkinAddress ]]" }} + {{- end }} + - --connectTimeout + - {{ "[[ formatDuration 
.ProxyConfig.ConnectTimeout ]]" }} + {{- if .Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }} + {{- end }} + - --proxyAdminPort + - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }} + {{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }} + - --concurrency + - {{ "[[ .ProxyConfig.Concurrency ]]" }} + {{ "[[ end -]]" }} + - --controlPlaneAuthPolicy + - {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/controlPlaneAuthPolicy\") .ProxyConfig.ControlPlaneAuthPolicy ]]" }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_INTERCEPTION_MODE + value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + securityContext: + {{- if ne .Values.global.proxy.enableCoreDump true }} + readOnlyRootFilesystem: true + {{- end }} + {{ "[[ if eq (or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String) \"TPROXY\" -]]" }} + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + {{ "[[ else -]]" }} + runAsUser: 1337 + {{ "[[ end -]]" }} + restartPolicy: Always + resources: + {{ "[[ if (isset .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\") -]]" }} + requests: + cpu: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyCPU\" ]]\"" }} + memory: {{ "\"[[ index .ObjectMeta.Annotations \"sidecar.istio.io/proxyMemory\" ]]\"" }} + {{ "[[ else -]]" }} +{{- if .Values.global.proxy.resources }} +{{ toYaml .Values.global.proxy.resources | indent 10 }} +{{- end }} + {{ "[[ end -]]" }} + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - 
mountPath: /etc/certs/ + name: istio-certs + readOnly: true + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + {{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }} + secretName: istio.default + {{ "[[ else -]]" }} + secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }} + {{ "[[ end -]]" }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio-remote/values.yaml b/istio-1.0.4/install/kubernetes/helm/istio-remote/values.yaml new file mode 100644 index 0000000..6ce79b9 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio-remote/values.yaml 
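Review bot: The `enable-core-dump` init container runs with `privileged: true` and executes `sysctl -w kernel.core_pattern=...`, which on most kernels is a host-wide setting rather than a per-pod one, so turning on `global.proxy.enableCoreDump` gives every injected pod a privileged container that alters the node. It also hard-codes `proxy_init` and `imagePullPolicy: IfNotPresent`, while the `istio-init` container above it uses `.Values.global.proxy_init.image` and `.Values.global.imagePullPolicy`. I would align the image line, `image: {{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}`, use the global pull policy, and add a comment above the block saying that it is a debugging aid which needs privileged pods to be admitted in every injected namespace. The same flag also removes `readOnlyRootFilesystem: true` from the sidecar further down, which that comment should mention.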
@@ -0,0 +1,164 @@ +# Common settings. +global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.0.4 + + proxy: + image: proxyv2 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + resources: + requests: + cpu: 100m + memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Controls number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 0 + + # Configures the access log for each sidecar. Setting it to an empty string will + # disable access log for sidecar. + accessLogFile: "/dev/stdout" + + # If set, newly injected sidecars will have core dumps enabled. Core dumps will always be written to the same + # file to prevent storage filling up indefinitely. Add a timestamp option to core_pattern to keep all cores: + # e.g. 
sysctl -w kernel.core_pattern=/var/lib/istio/core.%e.%p.%t + enableCoreDump: false + + # istio egress capture whitelist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + + # istio ingress capture whitelist + # examples: + # Redirect no inbound traffic to Envoy: --includeInboundPorts="" + # Redirect all inbound traffic to Envoy: --includeInboundPorts="*" + # Redirect only selected ports: --includeInboundPorts="80,8080" + includeInboundPorts: "*" + excludeInboundPorts: "" + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc + port: # example: 9125 + + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxy_init + + # imagePullPolicy is applied to istio control plane components. + # local tests require IfNotPresent, to avoid uploading to dockerhub. + # TODO: Switch to Always as default, and override in the local tests. + imagePullPolicy: IfNotPresent + + # Not recommended for user to configure this. Hyperkube image to use when creating custom resources + hyperkube: + hub: quay.io/coreos + tag: v1.7.6_coreos.0 + + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: false + + # disablePolicyChecks disables mixer policy checks. 
+ # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. + disablePolicyChecks: false + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + + # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. + enableTracing: true + + # Default mtls policy. If true, mtls between services will be enabled by default. + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any clustser configured with privte docker registry. + imagePullSecrets: + # - private-registry-key + + # If true, create a headless service and endpoint for istio-pilot with the remotePilotAddress and + # sets the MeshConfig configmap discoveryAddress to 'istio-pilot.' + remotePilotCreateSvcEndpoint: false + + # Remote Istio endpoints. Can be hostnames or IP addresses + # The Pilot address is required. The others are optional. + remotePilotAddress: "" + remotePolicyAddress: "" + remoteTelemetryAddress: "" + remoteZipkinAddress: "" + + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. 
+ defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low prioroty class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + +# +# sidecar-injector webhook configuration +# +sidecarInjectorWebhook: + enabled: true + replicaCount: 1 + image: sidecar_injector + enableNamespacesByDefault: false + +security: + replicaCount: 1 + image: citadel + selfSigned: true # indicate if self-signed CA is used. + diff --git a/istio-1.0.4/install/kubernetes/helm/istio/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/Chart.yaml new file mode 100644 index 0000000..112d53b --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +name: istio +version: 1.0.4 +appVersion: 1.0.4 +tillerVersion: ">=2.7.2-0" +description: Helm chart for all istio components +keywords: + - istio + - security + - sidecarInjectorWebhook + - mixer + - pilot + - galley +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio-1.0.4/install/kubernetes/helm/istio/README.md b/istio-1.0.4/install/kubernetes/helm/istio/README.md new file mode 100644 index 0000000..466864e --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/README.md 
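Review bot: Two values read by sidecar-injector-configmap.yaml are not declared in values.yaml: `global.proxy.privileged`, which adds `privileged: true` to the `istio-init` container, and `global.zipkinAddress`, which gates the `--zipkinAddress` proxy argument. The first is a security-relevant switch that can only be found by reading the template; declare it under `proxy:` as `privileged: false` with a comment such as `# If true, the istio-init container runs privileged (default: false)`. For the second, this chart defines only `remoteZipkinAddress`, so as written the argument is never emitted; the template condition probably should read `{{- if .Values.global.remoteZipkinAddress }}`.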
@@ -0,0 +1,117 @@ +# Istio + +[Istio](https://istio.io/) is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. + +## Introduction + +This chart bootstraps all istio [components](https://istio.io/docs/concepts/what-is-istio/overview.html) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Chart Details + +This chart can install multiple istio components as subcharts: +- ingress +- ingressgateway +- egressgateway +- sidecarInjectorWebhook +- galley +- mixer +- pilot +- security(citadel) +- grafana +- prometheus +- servicegraph +- tracing(jaeger) +- kiali + +To enable or disable each component, change the corresponding `enabled` flag. + +## Prerequisites + +- Kubernetes 1.9 or newer cluster with RBAC (Role-Based Access Control) enabled is required +- Helm 2.7.2 or newer or alternately the ability to modify RBAC rules is also required +- If you want to enable automatic sidecar injection, Kubernetes 1.9+ with `admissionregistration` API is required, and `kube-apiserver` process must have the `admission-control` flag set with the `MutatingAdmissionWebhook` and `ValidatingAdmissionWebhook` admission controllers added and listed in the correct order. + +## Resources Required + +The chart deploys pods that consume minimum resources as specified in the resources configuration parameter. + +## Installing the Chart + +1. If a service account has not already been installed for Tiller, install one: +``` +$ kubectl apply -f install/kubernetes/helm/helm-service-account.yaml +``` + +2. Install Tiller on your cluster with the service account: +``` +$ helm init --service-account tiller +``` + +3. 
Install Istio’s [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions) via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the kube-apiserver: + ``` + $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml + ``` + **Note**: If you are enabling `certmanager`, you also need to install its CRDs and wait a few seconds for the CRDs to be committed in the kube-apiserver: + ``` + $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml + ``` + +4. To install the chart with the release name `istio` in namespace `istio-system`: + - With [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0): + ``` + $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system + ``` + + - Without the sidecar injection webhook: + ``` + $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false + ``` + +## Configuration + +The Helm chart ships with reasonable defaults. There may be circumstances in which defaults require overrides. +To override Helm values, use `--set key=value` argument during the `helm install` command. Multiple `--set` operations may be used in the same Helm operation. + +Helm charts expose configuration options which are currently in alpha. 
The currently exposed options are explained in the following table: + +| Parameter | Description | Values | Default | +| --- | --- | --- | --- | +| `global.hub` | Specifies the HUB for most images used by Istio | registry/namespace | `docker.io/istio` | +| `global.tag` | Specifies the TAG for most images used by Istio | valid image tag | `0.8.latest` | +| `global.proxy.image` | Specifies the proxy image name | valid proxy name | `proxyv2` | +| `global.proxy.concurrency` | Specifies the number of proxy worker threads | number, 0 = auto | `0` | +| `global.imagePullPolicy` | Specifies the image pull policy | valid image pull policy | `IfNotPresent` | +| `global.controlPlaneSecurityEnabled` | Specifies whether control plane mTLS is enabled | true/false | `false` | +| `global.mtls.enabled` | Specifies whether mTLS is enabled by default between services | true/false | `false` | +| `global.rbacEnabled` | Specifies whether to create Istio RBAC rules or not | true/false | `true` | +| `global.refreshInterval` | Specifies the mesh discovery refresh interval | integer followed by s | `10s` | +| `global.arch.amd64` | Specifies the scheduling policy for `amd64` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | +| `global.arch.s390x` | Specifies the scheduling policy for `s390x` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | +| `global.arch.ppc64le` | Specifies the scheduling policy for `ppc64le` architectures | 0 = never, 1 = least preferred, 2 = no preference, 3 = most preferred | `2` | +| `ingress.enabled` | Specifies whether Ingress should be installed | true/false | `true` | +| `gateways.istio-ingressgateway.enabled` | Specifies whether Ingress gateway should be installed | true/false | `true` | +| `gateways.istio-egressgateway.enabled` | Specifies whether Egress gateway should be installed | true/false | `true` | +| `sidecarInjectorWebhook.enabled` | Specifies whether automatic 
sidecar-injector should be installed | `true` | +| `galley.enabled` | Specifies whether Galley should be installed for server-side config validation | true/false | `true` | +| `mixer.enabled` | Specifies whether Mixer should be installed | true/false | `true` | +| `pilot.enabled` | Specifies whether Pilot should be installed | true/false | `true` | +| `grafana.enabled` | Specifies whether Grafana addon should be installed | true/false | `false` | +| `grafana.persist` | Specifies whether Grafana addon should persist config data | true/false | `false` | +| `grafana.storageClassName` | If `grafana.persist` is true, specifies the [`StorageClass`](https://kubernetes.io/docs/concepts/storage/storage-classes/) to use for the `PersistentVolumeClaim` | `StorageClass` | "" | +| `prometheus.enabled` | Specifies whether Prometheus addon should be installed | true/false | `true` | +| `servicegraph.enabled` | Specifies whether Servicegraph addon should be installed | true/false | `false` | +| `tracing.enabled` | Specifies whether Tracing(jaeger) addon should be installed | true/false | `false` | +| `kiali.enabled` | Specifies whether Kiali addon should be installed | true/false | `false` | + +## Uninstalling the Chart + +To uninstall/delete the `istio` release: +``` +$ helm delete istio +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + +To uninstall/delete the `istio` release completely and make its name free for later use: +``` +$ helm delete istio --purge +``` diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/Chart.yaml new file mode 100644 index 0000000..8663f20 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: certmanager +version: 1.0.4 +appVersion: 0.3.1 +tillerVersion: ">=2.7.2" 
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/_helpers.tpl
new file mode 100644
index 0000000..8cb480b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/_helpers.tpl
@@ -0,0 +1,24 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "certmanager.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "certmanager.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- $fullname := printf "%s-%s" $name .Release.Name -}}
+{{- default $fullname .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "certmanager.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
new file mode 100644
index 0000000..f5fb4aa
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
@@ -0,0 +1,50 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + annotations: + "helm.sh/hook": crd-install + labels: + app: certmanager +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + annotations: + "helm.sh/hook": crd-install + labels: + app: certmanager +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + annotations: + "helm.sh/hook": crd-install + labels: + app: certmanager +spec: + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/deployment.yaml new file mode 100644 index 0000000..f113d7b --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/deployment.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: certmanager + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "certmanager.name" . }} +spec: + replicas: 1 + selector: + matchLabels: + app: certmanager + template: + metadata: + labels: + app: certmanager +{{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} +{{- end }} + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + serviceAccountName: certmanager +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: certmanager + image: "{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=$(POD_NAMESPACE) + {{- if .Values.extraArgs }} +{{ toYaml .Values.extraArgs | indent 10 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: +{{ toYaml .Values.resources | indent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} +{{- if .Values.podDnsPolicy }} + dnsPolicy: {{ .Values.podDnsPolicy }} +{{- end }} +{{- if .Values.podDnsConfig }} + dnsConfig: +{{ toYaml .Values.podDnsConfig | indent 8 }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/issuer.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/issuer.yaml new file mode 100644 index 0000000..15dfc06 --- /dev/null 
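Review bot: The `certmanager` container in this Deployment is declared without any `securityContext`, even though its service account is bound cluster-wide to a role with `verbs: ["*"]` on `secrets` and `pods` (rbac.yaml in this commit). A pod holding that much access should at least rule out privilege escalation, for example by adding `securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true}` under the container. Whether the cert-manager image runs with a read-only root filesystem is not visible here, so test that setting before enabling it. The image is also referenced by `{{ .Values.hub }}/cert-manager-controller:{{ .Values.tag }}`, a mutable tag, so the deployed binary depends on whatever the registry serves at pull time.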
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/issuer.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging + namespace: {{ .Release.Namespace }} +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: {{ .Values.email }} + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-staging + http01: {} +--- +apiVersion: certmanager.k8s.io/v1alpha1 +kind: ClusterIssuer +metadata: + name: letsencrypt + namespace: {{ .Release.Namespace }} +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: {{ .Values.email }} + privateKeySecretRef: + name: letsencrypt + http01: {} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/rbac.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/rbac.yaml new file mode 100644 index 0000000..c9738de --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/rbac.yaml 
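Review bot: `email: {{ .Values.email }}` is rendered unquoted and unchecked in both ClusterIssuers, so an unset value produces `email:` (null) and the ACME account is presumably registered without a contact for expiry or revocation notices. Failing at render time is safer: `email: {{ required "certmanager.email must be set" .Values.email | quote }}`. The `namespace: {{ .Release.Namespace }}` under `metadata` has no effect, because crds.yaml in this commit declares `ClusterIssuer` with `scope: Cluster`, and it can be dropped. The production `letsencrypt` issuer is also created unconditionally next to the staging one; a values switch would keep test clusters from requesting real certificates.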
@@ -0,0 +1,36 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: certmanager + labels: + app: certmanager +rules: + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "issuers", "clusterissuers"] + verbs: ["*"] + - apiGroups: [""] + # TODO: remove endpoints once 0.4 is released. We include it here in case + # users use the 'master' version of the Helm chart with a 0.2.x release of + # certManager that still performs leader election with Endpoint resources. + # We advise users don't do this, but some will anyway and this will reduce + # friction. + resources: ["endpoints", "configmaps", "secrets", "events", "services", "pods"] + verbs: ["*"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: certmanager + labels: + app: certmanager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: certmanager +subjects: + - name: certmanager + namespace: {{ .Release.Namespace }} + kind: ServiceAccount diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/serviceaccount.yaml new file mode 100644 index 0000000..0bfb517 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/certmanager/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: certmanager + namespace: {{ .Release.Namespace }} + labels: + app: certmanager diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/Chart.yaml new file mode 100644 index 0000000..ebd8888 --- /dev/null 
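Review bot: The core-group rule in the `certmanager` ClusterRole grants `verbs: ["*"]` on `secrets`, `pods`, `services`, `configmaps`, `events` and `endpoints`, and the ClusterRoleBinding in the same file applies it cluster-wide, so the controller's token can read and overwrite every Secret in every namespace. The wildcard also admits `deletecollection` and any verb added later. An explicit list is easier to audit, for example `verbs: ["get", "list", "watch", "create", "update", "delete"]`, to be confirmed against what this cert-manager version actually calls. The TODO above the rule ties `endpoints` to 0.2.x leader election, while this chart's Chart.yaml sets `appVersion: 0.3.1`, so `endpoints` can probably be removed from the resource list.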
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: galley +version: 1.0.4 +appVersion: 1.0.4 +tillerVersion: ">=2.7.2" +description: Helm chart for galley deployment +keywords: + - istio + - galley +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/_helpers.tpl new file mode 100644 index 0000000..3df13cc --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/_helpers.tpl @@ -0,0 +1,16 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "galley.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "galley.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/clusterrole.yaml new file mode 100644 index 0000000..a10cc3d --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/clusterrole.yaml 
@@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-galley-{{ .Release.Namespace }} + labels: + app: istio-galley + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["*"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: ["*"] + resources: ["endpoints"] + resourceNames: ["istio-galley"] + verbs: ["get"] diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..11c51dd --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-{{ .Release.Namespace }} + labels: + app: istio-galley + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: {{ .Release.Namespace }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/configmap.yaml new file mode 100644 index 0000000..2d1ed2c --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/configmap.yaml 
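Review bot: The first rule of the `istio-galley-{{ .Release.Namespace }}` ClusterRole gives `verbs: ["*"]` on all `validatingwebhookconfigurations`, so the Galley service account can rewrite or delete admission webhooks owned by other components, not only its own `istio-galley` object. Splitting the rule keeps `create` unrestricted (it cannot be limited by `resourceNames`) and scopes the rest to the named object, as sketched below. If Galley also lists or watches these objects it needs a further rule for that, which should be checked against its client code. The two `apiGroups: ["*"]` rules for `deployments` and `endpoints` could likewise name the concrete groups, since the Deployment in this chart is `extensions/v1beta1`.

```yaml
rules:
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["create"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  resourceNames: ["istio-galley"]
  verbs: ["get", "update", "patch", "delete"]
# … unchanged: config.istio.io, deployments and endpoints rules …
```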
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: {{ .Release.Namespace }} + labels: + app: istio-galley + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: mixer +data: + validatingwebhookconfiguration.yaml: |- + {{- include "validatingwebhookconfiguration.yaml.tpl" . | indent 4}} + diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/deployment.yaml new file mode 100644 index 0000000..aed8f3b --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/deployment.yaml 
@@ -0,0 +1,87 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "galley.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: galley +spec: + replicas: {{ .Values.replicaCount }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + istio: galley + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-galley-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: validator + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 443 + - containerPort: 9093 + command: + - /usr/local/bin/galley + - validator + - --deployment-namespace={{ .Release.Namespace }} + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --healthCheckInterval=1s + - --healthCheckFile=/health + - --webhook-config-file + - /etc/istio/config/validatingwebhookconfiguration.yaml + volumeMounts: + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: config + mountPath: /etc/istio/config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 
}} +{{- end }} + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + affinity: + {{- include "nodeaffinity" . | indent 6 }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/service.yaml new file mode 100644 index 0000000..4519e80 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 9093 + name: http-monitoring + selector: + istio: galley diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/serviceaccount.yaml new file mode 100644 index 0000000..f13858d --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-galley-service-account + namespace: {{ .Release.Namespace }} + labels: + app: istio-galley + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl new file mode 100644 index 0000000..f260751 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl 
@@ -0,0 +1,112 @@ +{{ define "validatingwebhookconfiguration.yaml.tpl" }} +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-galley + namespace: {{ .Release.Namespace }} + labels: + app: istio-galley + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +webhooks: +{{- if .Values.global.configValidation }} + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: {{ .Release.Namespace }} + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: {{ .Release.Namespace }} + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - servicecontrolreports + - tracespans + failurePolicy: Fail +{{- 
end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/Chart.yaml new file mode 100644 index 0000000..95bc113 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/Chart.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +name: gateways +version: 1.0.4 +appVersion: 1.0.4 +tillerVersion: ">=2.7.2" +description: Helm chart for deploying Istio gateways +keywords: + - istio + - ingressgateway + - egressgateway + - gateways +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/autoscale.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/autoscale.yaml new file mode 100644 index 0000000..1976d89 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/autoscale.yaml @@ -0,0 +1,24 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if and $spec.enabled $spec.autoscaleMin }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} +spec: + maxReplicas: {{ $spec.autoscaleMax }} + minReplicas: {{ $spec.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: {{ $key }} + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/clusterrole.yaml new file mode 100644 index 0000000..e8987d8 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/clusterrole.yaml 
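Review bot: Both webhooks are registered with `caBundle: ""` and `failurePolicy: Fail`, and the template has no comment saying where the CA bundle comes from or what happens while it is empty. Galley's deployment passes `--caCertFile` and `--webhook-config-file` and its ClusterRole can write `validatingwebhookconfigurations`, so the bundle is presumably patched in at runtime, but a reader cannot tell that from this file. Failing closed is the safer choice for config validation, yet it means CREATE and UPDATE on the listed Istio resources are rejected whenever Galley is unreachable. A header comment would record this, for example `# caBundle is filled in by Galley at runtime (confirm); with failurePolicy: Fail, config writes are rejected while Galley is down`.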
@@ -0,0 +1,20 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if $spec.enabled }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: {{ template "istio.name" $ }} + chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} + name: {{ $key }}-{{ $.Release.Namespace }} +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/clusterrolebindings.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/clusterrolebindings.yaml new file mode 100644 index 0000000..1665a08 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/clusterrolebindings.yaml @@ -0,0 +1,19 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if $spec.enabled }} +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $key }}-{{ $.Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $key }}-{{ $.Release.Namespace }} +subjects: + - kind: ServiceAccount + name: {{ $key }}-service-account + namespace: {{ $.Release.Namespace }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml new file mode 100644 index 0000000..635c219 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/deployment.yaml 
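Review bot: The only rule in the per-gateway ClusterRole names `apiGroups: ["extensions"]` for `virtualservices`, `destinationrules` and `gateways`, but the Galley webhook configuration added in this commit lists those resources under `networking.istio.io`, so the rule appears to match nothing. `thirdpartyresources` refers to an API that Kubernetes replaced with CustomResourceDefinitions. If the gateway really needs to read these objects, the rule should use `apiGroups: ["networking.istio.io"]` with `verbs: ["get", "watch", "list"]`. Granting `update` to an edge proxy's identity needs a stated reason, and if the proxy gets its configuration only from Pilot the role and binding can be dropped.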
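Review bot: The binding's subject in clusterrolebindings.yaml uses `namespace: {{ $.Release.Namespace }}`, while serviceaccount.yaml and deployment.yaml in this chart place the account and pod in `{{ $spec.namespace | default $.Release.Namespace }}`. For a gateway that sets its own `namespace`, the binding therefore points at an account name in the release namespace that the chart never creates, and the role would attach to any account of that name created there later. The subject should follow the same expression: `namespace: {{ $spec.namespace | default $.Release.Namespace }}`.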
@@ -0,0 +1,172 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if $spec.enabled }} +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: + replicas: {{ $spec.replicaCount }} + template: + metadata: + labels: + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: {{ $key }}-service-account +{{- if $.Values.global.priorityClassName }} + priorityClassName: "{{ $.Values.global.priorityClassName }}" +{{- end }} +{{- if $.Values.global.proxy.enableCoreDump }} + initContainers: + - name: enable-core-dump +{{- if contains "/" $.Values.global.proxy_init.image }} + image: "{{ $.Values.global.proxy_init.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy_init.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: IfNotPresent + command: + - /bin/sh + args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + securityContext: + privileged: true +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" $.Values.global.proxy.image }} + image: "{{ $.Values.global.proxy.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.global.proxy.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + ports: + {{- range $key, $val := $spec.ports }} + - containerPort: {{ $val.port }} + {{- end }} +{{ if ne $.Values.global.proxy.stats.prometheusPort 0. 
}} + - containerPort: {{ $.Values.global.proxy.stats.prometheusPort }} + protocol: TCP + name: http-envoy-prom +{{ end }} + args: + - proxy + - router + - -v + - "2" + - --discoveryRefreshDelay + - '1s' #discoveryRefreshDelay + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - {{ $key }} + - --zipkinAddress + {{- if $.Values.global.istioNamespace }} + - zipkin.{{ $.Values.global.istioNamespace }}:9411 + {{- else }} + - zipkin:9411 + {{- end }} + {{- if $.Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - {{ $.Values.global.proxy.envoyStatsd.host }}:{{ $.Values.global.proxy.envoyStatsd.port }} + {{- end }} + - --proxyAdminPort + - "15000" + {{- if $.Values.global.controlPlaneSecurityEnabled }} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + {{- if $.Values.global.istioNamespace }} + - istio-pilot.{{ $.Values.global.istioNamespace }}:15005 + {{- else }} + - istio-pilot:15005 + {{- end }} + {{- else }} + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + {{- if $.Values.global.istioNamespace }} + - istio-pilot.{{ $.Values.global.istioNamespace }}:8080 + {{- else }} + - istio-pilot:8080 + {{- end }} + {{- end }} + resources: +{{- if $spec.resources }} +{{ toYaml $spec.resources | indent 12 }} +{{- else }} +{{ toYaml $.Values.global.defaultResources | indent 12 }} +{{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + {{- range $spec.secretVolumes }} + - name: {{ .name }} + mountPath: {{ .mountPath 
| quote }} + readOnly: true + {{- end }} +{{- if $spec.additionalContainers }} +{{ toYaml $spec.additionalContainers | indent 8 }} +{{- end }} + volumes: + - name: istio-certs + secret: + secretName: istio.{{ $key }}-service-account + optional: true + {{- range $spec.secretVolumes }} + - name: {{ .name }} + secret: + secretName: {{ .secretName | quote }} + optional: true + {{- end }} + {{- range $spec.configVolumes }} + - name: {{ .name }} + configMap: + name: {{ .configMapName | quote }} + optional: true + {{- end }} + affinity: + {{- include "nodeaffinity" $ | indent 6 }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/service.yaml new file mode 100644 index 0000000..abc9300 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/service.yaml 
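Review bot: The `enable-core-dump` init container runs with `privileged: true` and writes `kernel.core_pattern`, a node-wide sysctl, so turning on `global.proxy.enableCoreDump` changes core-dump handling for every workload on the node rather than just this gateway. The `ulimit -c unlimited` in the same command applies to the init container's own shell and likely does not carry over to `istio-proxy`. A comment above `initContainers:` should say so, for example `# Debug only: privileged, sets the node-wide kernel.core_pattern; keep global.proxy.enableCoreDump off in production`. Separately, the `else` branch of `controlPlaneSecurityEnabled` starts the proxy with `--controlPlaneAuthPolicy NONE` against `istio-pilot:8080`, an unauthenticated discovery channel, so deployments should set that value deliberately rather than inherit it.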
@@ -0,0 +1,42 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if $spec.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ $key }} + namespace: {{ $spec.namespace | default $.Release.Namespace }} + annotations: + {{- range $key, $val := $spec.serviceAnnotations }} + {{ $key }}: {{ $val }} + {{- end }} + labels: + chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + release: {{ $.Release.Name }} + heritage: {{ $.Release.Service }} + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} +spec: +{{- if $spec.loadBalancerIP }} + loadBalancerIP: "{{ $spec.loadBalancerIP }}" +{{- end }} + type: {{ .type }} +{{- if $spec.externalTrafficPolicy }} + externalTrafficPolicy: {{ $spec.externalTrafficPolicy }} +{{- end }} + selector: + {{- range $key, $val := $spec.labels }} + {{ $key }}: {{ $val }} + {{- end }} + ports: + {{- range $key, $val := $spec.ports }} + - + {{- range $pkey, $pval := $val }} + {{ $pkey}}: {{ $pval }} + {{- end }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/serviceaccount.yaml new file mode 100644 index 0000000..37a252c --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/gateways/templates/serviceaccount.yaml 
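Review bot: The gateway Service takes `type` and `loadBalancerIP` from values but gives no way to set `loadBalancerSourceRanges`, so when the type is `LoadBalancer` the listener cannot be limited to known client ranges from this chart. An optional block fed from `$spec`, placed next to the `loadBalancerIP` one, would cover that. Annotation values are emitted unquoted by `{{ $key }}: {{ $val }}`, so a value such as `true` or a number is rendered as a non-string and rejected by the API server; `{{ $key }}: {{ $val | quote }}` avoids this. `type: {{ .type }}` works only because `range` rebinds the dot to the current entry, and `{{ $spec.type }}` would match the rest of the template.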
@@ -0,0 +1,23 @@ +{{- range $key, $spec := .Values }} +{{- if and (ne $key "global") (ne $key "enabled") }} +{{- if $spec.enabled }} +apiVersion: v1 +kind: ServiceAccount +{{- if $.Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range $.Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ $key }}-service-account + namespace: {{ $spec.namespace | default $.Release.Namespace }} + labels: + app: {{ $spec.labels.istio }} + chart: {{ $.Chart.Name }}-{{ $.Chart.Version }} + heritage: {{ $.Release.Service }} + release: {{ $.Release.Name }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/Chart.yaml new file mode 100644 index 0000000..22cdae1 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: grafana +version: 1.0.4 +appVersion: 1.0.4 +tillerVersion: ">=2.7.2" diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/galley-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/galley-dashboard.json new file mode 100644 index 0000000..3d2072c --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/galley-dashboard.json 
@@ -0,0 +1,345 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 0 + }, + "id": 3, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + 
"bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 0 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "DMXUJ6dmz", + "version": 1 + } 
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-mesh-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-mesh-dashboard.json new file mode 100644 index 0000000..c30ab50 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-mesh-dashboard.json @@ -0,0 +1,818 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "content": "

    \n
    \n Istio\n
    \n
    \n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
    \n Need help? Join the Istio community.\n
    \n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": 
false + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", 
+ "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "uid": "1", + "version": 2 +} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-performance-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-performance-dashboard.json new file mode 100644 index 0000000..e09ed53 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-performance-dashboard.json 
@@ -0,0 +1,511 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": 
"istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": 
"sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry 
/ 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ 
+ { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "schemaVersion": 
16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "uid": "t8BUIg1mz", + "version": 5 +} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-service-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-service-dashboard.json new file mode 100644 index 0000000..fe1b43c --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-service-dashboard.json @@ -0,0 +1,2569 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1530559387240, + "links": [], + "panels": [ + { + "content": "
    \nSERVICE: $service\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(rate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + 
"postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "Client TCP Bandwidth", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": 
"round(sum(rate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + 
"text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "Server TCP Bandwidth", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
    \nCLIENT WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, 
source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + 
"mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + 
"refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 
0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
    \nSERVICE WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by 
(destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ 
destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + 
"format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ 
destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + 
"lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + 
}, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": 
"dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( 
sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 10 +} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-workload-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-workload-dashboard.json new file mode 100644 index 0000000..dee4325 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/istio-workload-dashboard.json 
@@ -0,0 +1,2303 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
    \nWORKLOAD: $workload.$namespace\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(rate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + 
"minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + 
"renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, 
+ "x": 0, + "y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", 
+ "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
    \nINBOUND WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by 
Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
    \nOUTBOUND SERVICES\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + 
"show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 
(🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + 
"legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", 
source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} 
P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, 
le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + 
"expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/mixer-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/mixer-dashboard.json new file mode 100644 index 0000000..ce48ff7 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/mixer-dashboard.json 
@@ -0,0 +1,1707 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.2" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1535646398209, + "links": [], + "panels": [ + { + "content": "

    Resource Usage

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", 
+ "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 4, + "legend": { 
+ "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Mixer Overview

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 10 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 13 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_server_handled_total[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 13 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, 
+ "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 13 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + 
"total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 13 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Adapters and Config

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 22 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatch_count{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 22 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 29 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 29 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 29 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 29 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Individual Adapters

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 36 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 39 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 40 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatch_count{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, 
+ "w": 12, + "x": 12, + "y": 40 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Mixer Dashboard", + "uid": "2", + "version": 2 +} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/pilot-dashboard.json b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/pilot-dashboard.json new file mode 100644 index 0000000..793bed9 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/dashboards/pilot-dashboard.json @@ -0,0 +1,1466 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "links": [], + "panels": [ + { + "content": "

    Resource Usage

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    xDS

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 10 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 13 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 13 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": 
false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 13 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 19 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + }, + { + "expr": "pilot_conf_filter_chains{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Filter 
Chains", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 19 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + 
"expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 19 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + 
"steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + 
"show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 53, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 34 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, 
+ "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Pilot Dashboard", + "uid": "3", + "version": 1 +} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/_helpers.tpl new file mode 100644 index 0000000..dae241d --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/_helpers.tpl 
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "grafana.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "grafana.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap-custom-resources.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap-custom-resources.yaml
new file mode 100644
index 0000000..17730f2
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap-custom-resources.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: grafana
+data:
+ custom-resources.yaml: |-
+ {{- include "grafana-default.yaml.tpl" . | indent 4}}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap-dashboards.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap-dashboards.yaml
new file mode 100644
index 0000000..9873d0d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap-dashboards.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana-configuration-dashboards
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: grafana
+
+data:
+ {{- $files := .Files }}
+ {{ range $path, $bytes := .Files.Glob "dashboards/*.json" }}
+ {{ base $path }}: '{{ $files.Get $path }}'
+ {{ end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap.yaml
new file mode 100644
index 0000000..bd6808a
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: grafana
+data:
+{{- if .Values.datasources }}
+ {{- range $key, $value := .Values.datasources }}
+ {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+ {{- end -}}
+{{- end -}}
+
+{{- if .Values.dashboardProviders }}
+ {{- range $key, $value := .Values.dashboardProviders }}
+ {{ $key }}: |
+{{ toYaml $value | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/create-custom-resources-job.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/create-custom-resources-job.yaml
new file mode 100644
index 0000000..6d8b93d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/create-custom-resources-job.yaml
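Review bot: In configmap-dashboards.yaml, the `{{ base $path }}: '{{ $files.Get $path }}'` line under `data:` pastes each dashboard file verbatim into a single-quoted YAML scalar, so a single quote anywhere in a dashboard JSON ends the scalar early and the rest is parsed as YAML. The bundled dashboards may not contain one today, but nothing in the template enforces that. Helm's file helper handles the quoting itself, so the `range` loop can be replaced with `{{ (.Files.Glob "dashboards/*.json").AsConfig | indent 2 }}`. A one-line comment above `data:` stating that every file under `dashboards/` becomes a ConfigMap key would also help the next maintainer.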
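Review bot: In configmap.yaml, the two `{{ toYaml $value | indent 4 }}` blocks copy everything under `.Values.datasources` and `.Values.dashboardProviders` into the `istio-grafana` ConfigMap, and the template does nothing to keep credentials out of it. The chart's values file is not visible in this hunk, so this is a caution rather than a confirmed leak: if a datasource entry ever carries a password or token, it would be stored in clear text and be readable by anyone allowed to read ConfigMaps in the release namespace. I would document the constraint at the top of the `data:` section, for example `{{- /* Rendered into a ConfigMap: keep datasource credentials out of these values and supply them from a Secret. */ -}}`.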
@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-grafana-post-install-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-grafana-post-install-{{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["authentication.istio.io"] # needed to create default authn policy
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-grafana-post-install-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-grafana-post-install-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-grafana-post-install-account
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: istio-grafana-post-install
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-delete-policy": hook-succeeded
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ template:
+ metadata:
+ name: istio-grafana-post-install
+ labels:
+ app: istio-grafana
+ release: {{ .Release.Name }}
+ spec:
+ serviceAccountName: istio-grafana-post-install-account
+ containers:
+ - name: hyperkube
+ image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
+ command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ]
+ volumeMounts:
+ - mountPath: "/tmp/grafana"
+ name: tmp-configmap-grafana
+ volumes:
+ - name: tmp-configmap-grafana
+ configMap:
+ name: istio-grafana-custom-resources
+ restartPolicy: OnFailure
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/deployment.yaml
new file mode 100644
index 0000000..3e2b752
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/deployment.yaml
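Review bot: The ClusterRole in grafana/templates/create-custom-resources-job.yaml grants `resources: ["*"]` and `verbs: ["*"]` on `authentication.istio.io` cluster-wide, although its own comment says it is only needed to create the default authn policy. The Job is removed by `hook-succeeded`, but the ServiceAccount, ClusterRole and ClusterRoleBinding carry no hook annotation, so the grant appears to stay in place after the install finishes. I would narrow the rule to `resources: ["policies"]` with only the verbs run.sh uses (the script is not part of this hunk, so confirm them). Since the Policy it applies is namespaced to `{{ .Release.Namespace }}`, a Role and RoleBinding in that namespace should be enough.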
@@ -0,0 +1,96 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: grafana
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ readinessProbe:
+ httpGet:
+ path: /login
+ port: {{ .Values.service.internalPort }}
+ env:
+ - name: GRAFANA_PORT
+ value: {{ .Values.service.internalPort | quote }}
+{{- if .Values.security.enabled }}
+ - name: GF_SECURITY_ADMIN_USER
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: username
+ - name: GF_SECURITY_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: grafana
+ key: password
+ - name: GF_AUTH_BASIC_ENABLED
+ value: "true"
+ - name: GF_AUTH_ANONYMOUS_ENABLED
+ value: "false"
+ - name: GF_AUTH_DISABLE_LOGIN_FORM
+ value: "false"
+{{- else }}
+ - name: GF_AUTH_BASIC_ENABLED
+ value: "false"
+ - name: GF_AUTH_ANONYMOUS_ENABLED
+ value: "true"
+ - name: GF_AUTH_ANONYMOUS_ORG_ROLE
+ value: Admin
+{{- end }}
+ - name: GF_PATHS_DATA
+ value: /data/grafana
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumeMounts:
+ - name: data
+ mountPath: /data/grafana
+ - name: dashboards-istio
+ mountPath: "/var/lib/grafana/dashboards/istio"
+ - name: config
+ mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml"
+ subPath: datasources.yaml
+ - name: config
+ mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml"
+ subPath: dashboardproviders.yaml
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
+ volumes:
+ - name: config
+ configMap:
+ name: istio-grafana
+ - name: data
+{{- if .Values.persist }}
+ persistentVolumeClaim:
+ claimName: istio-grafana-pvc
+{{- else }}
+ emptyDir: {}
+ - name: dashboards-istio
+ configMap:
+ name: istio-grafana-configuration-dashboards
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/grafana-ports-mtls.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/grafana-ports-mtls.yaml
new file mode 100644
index 0000000..8f2258d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/grafana-ports-mtls.yaml
@@ -0,0 +1,12 @@
+{{ define "grafana-default.yaml.tpl" }}
+apiVersion: authentication.istio.io/v1alpha1
+kind: Policy
+metadata:
+ name: grafana-ports-mtls-disabled
+ namespace: {{ .Release.Namespace }}
+spec:
+ targets:
+ - name: grafana
+ ports:
+ - number: {{ .Values.service.externalPort }}
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/pvc.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/pvc.yaml
new file mode 100644
index 0000000..065d72b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/pvc.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.persist }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: istio-grafana-pvc
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ storageClassName: {{ .Values.storageClassName }}
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+{{- end }}
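Review bot: In grafana/templates/deployment.yaml the `{{- else }}` branch of `.Values.security.enabled` sets `GF_AUTH_ANONYMOUS_ENABLED` to "true" with `GF_AUTH_ANONYMOUS_ORG_ROLE` set to `Admin`, so anyone who can reach the Service can change datasources and dashboards without logging in. Prefer `value: Viewer` for the anonymous role, and document that `security.enabled` should be on wherever Grafana is reachable from outside the cluster; the default of that value is not visible in this diff section. Separately, the `dashboards-istio` volume sits inside the `{{- else }}` of `.Values.persist` while its volumeMount is unconditional, so with `persist` set the pod would reference a volume that is not defined. Moving that `{{- end }}` up to just after `emptyDir: {}` fixes it.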
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/secret.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/secret.yaml
new file mode 100644
index 0000000..ec0e2ad
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/secret.yaml
@@ -0,0 +1,14 @@
+
+{{- if .Values.security.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: grafana
+type: Opaque
+data:
+ username: {{ .Values.security.adminUser | b64enc | quote }}
+ password: {{ .Values.security.adminPassword | b64enc | quote }}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/service.yaml
new file mode 100644
index 0000000..3c04723
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/templates/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ labels:
+ app: istio-grafana
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: grafana
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/values.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/values.yaml
new file mode 100644
index 0000000..15e1b5c
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/grafana/values.yaml
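Review bot: grafana/templates/secret.yaml feeds `.Values.security.adminUser` and `.Values.security.adminPassword` straight into `b64enc` with nothing that rejects an unset or chart-default value, and kiali/templates/secrets.yaml does the same with `.Values.dashboard.username` and `.Values.dashboard.passphrase`, rendered unconditionally. The defaults live outside this diff section, so check that no shared credential ships in a values file; a default there becomes the login of every install that does not override it. Wrapping the value in `required`, e.g. `password: {{ required "security.adminPassword must be set" .Values.security.adminPassword | b64enc | quote }}`, makes the install fail instead. Credentials passed as chart values are also kept in the stored release data, so referencing a pre-created Secret by name is the safer option.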
@@ -0,0 +1,25 @@
+datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ orgId: 1
+ url: http://prometheus:9090
+ access: proxy
+ isDefault: true
+ jsonData:
+ timeInterval: 5s
+ editable: true
+
+dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'istio'
+ orgId: 1
+ folder: 'istio'
+ type: file
+ disableDeletion: false
+ options:
+ path: /var/lib/grafana/dashboards/istio
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/Chart.yaml
new file mode 100644
index 0000000..085356e
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: ingress
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart for ingress deployment
+keywords:
+ - istio
+ - ingress
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/autoscale.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/autoscale.yaml
new file mode 100644
index 0000000..d962840
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/autoscale.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.autoscaleMin }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: istio-ingress
+ namespace: {{ .Release.Namespace }}
+spec:
+ maxReplicas: {{ .Values.autoscaleMax }}
+ minReplicas: {{ .Values.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: istio-ingress
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: 80
+{{ end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/clusterrole.yaml
new file mode 100644
index 0000000..f65c0d6
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: istio-ingress-{{ .Release.Namespace }}
+rules:
+- apiGroups: ["extensions"]
+ resources: ["thirdpartyresources", "ingresses"]
+ verbs: ["get", "watch", "list", "update"]
+- apiGroups: [""]
+ resources: ["configmaps", "pods", "endpoints", "services"]
+ verbs: ["get", "watch", "list"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..d07e893
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-ingress-{{ .Release.Namespace }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-pilot-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-ingress-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/deployment.yaml
new file mode 100644
index 0000000..83fb663
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/deployment.yaml
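Review bot: The `roleRef` in ingress/templates/clusterrolebinding.yaml names `istio-pilot-{{ .Release.Namespace }}`, not the `istio-ingress-{{ .Release.Namespace }}` ClusterRole that clusterrole.yaml defines in the same chart. As written, `istio-ingress-service-account` receives whatever Pilot's ClusterRole grants (that role is not in this section and is presumably broader), and nothing visible here binds the ingress role at all. If that is not intended, change the line to `name: istio-ingress-{{ .Release.Namespace }}`. If the ingress proxy really needs more than the ingress role lists, add those rules to the ingress role rather than borrowing Pilot's.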
@@ -0,0 +1,106 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-ingress
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: ingress
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ istio: ingress
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: istio-ingress-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: {{ template "istio.name" . }}
+ image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: 80
+ - containerPort: 443
+ args:
+ - proxy
+ - ingress
+ - -v
+ - "2"
+ - --discoveryRefreshDelay
+ - '1s' #discoveryRefreshDelay
+ - --drainDuration
+ - '45s' #drainDuration
+ - --parentShutdownDuration
+ - '1m0s' #parentShutdownDuration
+ - --connectTimeout
+ - '10s' #connectTimeout
+ - --serviceCluster
+ - istio-ingress
+ - --zipkinAddress
+ - zipkin:9411
+ {{- if .Values.global.proxy.envoyStatsd.enabled }}
+ - --statsdUdpAddress
+ - {{ .Values.global.proxy.envoyStatsd.host }}:{{ .Values.global.proxy.envoyStatsd.port }}
+ {{- end }}
+ - --proxyAdminPort
+ - "15000"
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ - --controlPlaneAuthPolicy
+ - MUTUAL_TLS
+ - --discoveryAddress
+ - istio-pilot:15005
+ {{- else }}
+ - --controlPlaneAuthPolicy
+ - NONE
+ - --discoveryAddress
+ - istio-pilot:8080
+ {{- end }}
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ volumeMounts:
+ - name: istio-certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: ingress-certs
+ mountPath: /etc/istio/ingress-certs
+ readOnly: true
+ volumes:
+ - name: istio-certs
+ secret:
+ secretName: istio.istio-ingress-service-account
+ optional: true
+ - name: ingress-certs
+ secret:
+ secretName: istio-ingress-certs
+ optional: true
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/service.yaml
new file mode 100644
index 0000000..9934d99
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/service.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-ingress
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: ingress
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+spec:
+{{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: "{{ .Values.service.loadBalancerIP }}"
+{{- end }}
+ type: {{ .Values.service.type }}
+{{- if .Values.service.externalTrafficPolicy }}
+ externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+{{- end }}
+ selector:
+ istio: ingress
+ ports:
+ {{- range $key, $val := .Values.service.ports }}
+ -
+ {{- range $pkey, $pval := $val }}
+ {{ $pkey}}: {{ $pval }}
+ {{- end }}
+ {{- end }}
+---
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/serviceaccount.yaml
new file mode 100644
index 0000000..dfcfe25
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/ingress/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-ingress-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/Chart.yaml
new file mode 100644
index 0000000..eeaf303
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: Kiali is an open source project for service mesh observability, refer to https://github.com/kiali/kiali for detail.
+name: kiali
+version: 1.0.4
+appVersion: 0.9
+tillerVersion: ">=2.7.2"
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/clusterrole.yaml
new file mode 100644
index 0000000..ba34003
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/clusterrole.yaml
@@ -0,0 +1,71 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiali
+ labels:
+ app: kiali
+ version: master
+rules:
+- apiGroups: ["", "apps", "autoscaling", "batch"]
+ resources:
+ - configmaps
+ - namespaces
+ - nodes
+ - pods
+ - projects
+ - services
+ - endpoints
+ - deployments
+ - horizontalpodautoscalers
+ - replicasets
+ - statefulsets
+ - replicationcontrollers
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["config.istio.io"]
+ resources:
+ - rules
+ - circonuses
+ - deniers
+ - fluentds
+ - kubernetesenvs
+ - listcheckers
+ - memquotas
+ - opas
+ - prometheuses
+ - rbacs
+ - servicecontrols
+ - solarwindses
+ - stackdrivers
+ - statsds
+ - stdios
+ - apikeys
+ - authorizations
+ - checknothings
+ - kuberneteses
+ - listentries
+ - logentries
+ - metrics
+ - quotas
+ - reportnothings
+ - servicecontrolreports
+ - quotaspecs
+ - quotaspecbindings
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups: ["networking.istio.io"]
+ resources:
+ - virtualservices
+ - destinationrules
+ - serviceentries
+ - gateways
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..82cfd7f
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-kiali-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: kiali
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiali
+subjects:
+- kind: ServiceAccount
+ name: kiali-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/configmap.yaml
new file mode 100644
index 0000000..d5f8c1e
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/configmap.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali
+data:
+ config.yaml: |
+ server:
+ port: 20001
+ external_services:
+ jaeger:
+ url: {{ .Values.dashboard.jaegerURL }}
+ grafana:
+ url: {{ .Values.dashboard.grafanaURL }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/deployment.yaml
new file mode 100644
index 0000000..5132a1e
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/deployment.yaml
@@ -0,0 +1,67 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: kiali
+ template:
+ metadata:
+ name: kiali
+ labels:
+ app: kiali
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: kiali-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - image: "{{ .Values.hub }}/kiali:{{ .Values.tag }}"
+ name: kiali
+ command:
+ - "/opt/kiali/kiali"
+ - "-config"
+ - "/kiali-configuration/config.yaml"
+ - "-v"
+ - "4"
+ env:
+ - name: ACTIVE_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: SERVER_CREDENTIALS_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: kiali
+ key: username
+ - name: SERVER_CREDENTIALS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: kiali
+ key: passphrase
+ - name: PROMETHEUS_SERVICE_URL
+ value: http://prometheus:9090
+ volumeMounts:
+ - name: kiali-configuration
+ mountPath: "/kiali-configuration"
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 10 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 10 }}
+{{- end }}
+ volumes:
+ - name: kiali-configuration
+ configMap:
+ name: kiali
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/ingress.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/ingress.yaml
new file mode 100644
index 0000000..834f885
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/ingress.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: kiali
+ servicePort: 20001
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/secrets.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/secrets.yaml
new file mode 100644
index 0000000..6cbfe39
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/secrets.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali
+
+type: Opaque
+data:
+ username: {{ .Values.dashboard.username | b64enc | quote }}
+ passphrase: {{ .Values.dashboard.passphrase | b64enc | quote }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/service.yaml
new file mode 100644
index 0000000..ef396af
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kiali
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali
+spec:
+ ports:
+ - name: tcp
+ protocol: TCP
+ port: 20001
+ name: http-kiali
+ selector:
+ app: kiali
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/serviceaccount.yaml
new file mode 100644
index 0000000..7adc385
--- /dev/null
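Review bot: The single port entry in kiali/templates/service.yaml carries two `name` keys, `name: tcp` and `name: http-kiali`. Duplicate mapping keys are not valid YAML; lenient parsers keep the last one and strict ones reject the manifest, so the name the Service port ends up with depends on the tooling. Change the first line of the entry to `- name: http-kiali` and delete the later `name: http-kiali` line.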
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/kiali/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: kiali-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: kiali
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/Chart.yaml
new file mode 100644
index 0000000..ebac0a8
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: mixer
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart for mixer deployment
+keywords:
+ - istio
+ - mixer
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/_helpers.tpl
new file mode 100644
index 0000000..ebd724c
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mixer.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "mixer.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/autoscale.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/autoscale.yaml
new file mode 100644
index 0000000..8a80030
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/autoscale.yaml
@@ -0,0 +1,24 @@
+{{- range $key, $spec := .Values }}
+{{- if or (eq $key "istio-policy") (eq $key "istio-telemetry") }}
+{{- if and $spec.autoscaleEnabled $spec.autoscaleMin }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ $key }}
+ namespace: {{ $.Release.Namespace }}
+spec:
+ maxReplicas: {{ $spec.autoscaleMax }}
+ minReplicas: {{ $spec.autoscaleMin }}
+ scaleTargetRef:
+ apiVersion: apps/v1beta1
+ kind: Deployment
+ name: {{ $key }}
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ $spec.cpu.targetAverageUtilization }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/clusterrole.yaml
new file mode 100644
index 0000000..dfa5a77
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/clusterrole.yaml
@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-mixer-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["config.istio.io"] # istio CRD watcher
+ resources: ["*"]
+ verbs: ["create", "get", "list", "watch", "patch"]
+- apiGroups: ["rbac.istio.io"] # istio RBAC watcher
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+ resources: ["replicasets"]
+ verbs: ["get", "list", "watch"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..5304a37
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-mixer-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "mixer.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-mixer-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
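Review bot: The core-group rule in mixer/templates/clusterrole.yaml includes `"secrets"` with `get`, `list` and `watch`, and clusterrolebinding.yaml binds the role cluster-wide to `istio-mixer-service-account`, so the Mixer pods hold read access to every Secret in every namespace. Nothing in this diff section shows Mixer consuming Secrets, so confirm the need; if there is none, remove `"secrets"` from that `resources` list, and if there is, grant it through a Role in the namespaces concerned. A short comment on the rule, like the ones on the `config.istio.io` and `rbac.istio.io` rules, would record why it is there.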
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/config.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/config.yaml
new file mode 100644
index 0000000..e8826d1
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/config.yaml
@@ -0,0 +1,740 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: {{ .Release.Namespace }} +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + 
api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: {{ .Release.Namespace }} +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.service: # DEPRECATED + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service: # DEPRECATED + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: stdio +metadata: + name: handler + namespace: {{ .Release.Namespace }} +spec: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + 
name: accesslog + namespace: {{ .Release.Namespace }} +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseSize: response.size | 0 + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: 
tcpaccesslog + namespace: {{ .Release.Namespace }} +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.stdio + instances: + - 
tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + namespace: {{ .Release.Namespace }} +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + namespace: {{ .Release.Namespace }} +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | 
"unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + namespace: {{ .Release.Namespace }} +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: 
conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + namespace: {{ .Release.Namespace }} +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + namespace: {{ .Release.Namespace }} +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | 
"unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + namespace: {{ .Release.Namespace }} +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") 
== "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: handler + namespace: {{ .Release.Namespace }} +spec: + metrics: + - name: requests_total + instance_name: requestcount.metric.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + 
numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.{{ .Release.Namespace }} + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.{{ .Release.Namespace }} + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.prometheus + instances: + - requestcount.metric + - requestduration.metric + - requestsize.metric + - responsesize.metric 
+--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- + +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetesenv +metadata: + name: handler + namespace: {{ .Release.Namespace }} +spec: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + namespace: {{ .Release.Namespace }} +spec: + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + namespace: {{ .Release.Namespace }} +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + namespace: {{ .Release.Namespace }} +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attribute_bindings: + # Fill the new attributes from the adapter produced output. 
+ # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" + +--- +# Configuration needed by Mixer. 
+# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + namespace: {{ .Release.Namespace }} +spec: + host: istio-policy.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + {{- if .Values.global.controlPlaneSecurityEnabled }} + portLevelSettings: + - port: + number: 15004 + tls: + mode: ISTIO_MUTUAL + {{- end}} + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + namespace: {{ .Release.Namespace }} +spec: + host: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local + trafficPolicy: + {{- if .Values.global.controlPlaneSecurityEnabled }} + portLevelSettings: + - port: + number: 15004 + tls: + mode: ISTIO_MUTUAL + {{- end}} + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/configmap.yaml new file mode 100644 index 0000000..ba13dcd --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/configmap.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-statsd-prom-bridge + namespace: {{ .Release.Namespace }} + labels: + app: istio-statsd-prom-bridge + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: mixer +data: + mapping.conf: |- diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml new file mode 100644 index 0000000..a1f33c5 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/deployment.yaml 
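Review bot: The `accesslog` logentry in config.yaml records credentials: `apiKey: request.api_key | request.headers["x-api-key"] | ""` and `apiClaims: request.auth.raw_claims | ""` are variables of the instance that the `stdio` rule sends to `handler.stdio` with `outputAsJson: true`, so the API key and raw token claims of every HTTP/gRPC request land in Mixer's stdout and in whatever collects it. I would delete the `apiKey` variable and replace `apiClaims` with the identity only, `authPrincipal: request.auth.principal | ""`, and restrict read access to any logs already written with these fields. Separately, `tcpbytesent` and `tcpbytereceived` set `destination_service: destination.service.name | "unknown"` while the four HTTP metrics use `destination.service.host`; that looks like a copy slip and makes the `destination_service` label mean different things in TCP and HTTP series.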
@@ -0,0 +1,248 @@ +{{- define "policy_container" }} + spec: + serviceAccountName: istio-mixer-service-account +{{- if $.Values.global.priorityClassName }} + priorityClassName: "{{ $.Values.global.priorityClassName }}" +{{- end }} + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + affinity: + {{- include "nodeaffinity" . | indent 6 }} + containers: + - name: mixer +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + ports: + - containerPort: 9093 + - containerPort: 42422 + args: + - --address + - unix:///sock/mixer.socket + - --configStoreURL=k8s:// + - --configDefaultNamespace={{ $.Release.Namespace }} + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + {{- if .Values.env }} + env: + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + ports: + - containerPort: 9091 + - containerPort: 15004 +{{ if ne .Values.global.proxy.stats.prometheusPort 0. 
}} + ports: + - containerPort: {{ .Values.global.proxy.stats.prometheusPort }} + protocol: TCP + name: http-envoy-prom +{{ end }} + args: + - proxy + - --serviceCluster + - istio-policy + - --templateFile + - /etc/istio/proxy/envoy_policy.yaml.tmpl + {{- if $.Values.global.controlPlaneSecurityEnabled }} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + {{- else }} + - --controlPlaneAuthPolicy + - NONE + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: +{{- if $.Values.global.proxy.resources }} +{{ toYaml $.Values.global.proxy.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock +{{- end }} + +{{- define "telemetry_container" }} + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + {{- if $.Values.nodeSelector }} + nodeSelector: +{{ toYaml $.Values.nodeSelector | indent 8 }} + {{- end }} + containers: + - name: mixer +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ $.Values.global.hub }}/{{ $.Values.image }}:{{ $.Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + ports: + - containerPort: 9093 + - containerPort: 42422 + args: + - --address + - unix:///sock/mixer.socket + - --configStoreURL=k8s:// + - --configDefaultNamespace={{ $.Release.Namespace }} + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + {{- if .Values.env }} + env: + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val 
}}" + {{- end }} + {{- end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "{{ $.Values.global.hub }}/proxyv2:{{ $.Values.global.tag }}" + imagePullPolicy: {{ $.Values.global.imagePullPolicy }} + ports: + - containerPort: 9091 + - containerPort: 15004 +{{ if ne .Values.global.proxy.stats.prometheusPort 0. }} + ports: + - containerPort: {{ .Values.global.proxy.stats.prometheusPort }} + protocol: TCP + name: http-envoy-prom +{{ end }} + args: + - proxy + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + {{- if $.Values.global.controlPlaneSecurityEnabled }} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + {{- else }} + - --controlPlaneAuthPolicy + - NONE + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: +{{- if $.Values.global.proxy.resources }} +{{ toYaml $.Values.global.proxy.resources | indent 10 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 10 }} +{{- end }} + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock +{{- end }} + + +{{- $mixers := list "policy" "telemetry" }} +{{- range $idx, $mname := $mixers }} +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-{{ $mname }} + namespace: {{ $.Release.Namespace }} + labels: + chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + release: {{ $.Release.Name }} + istio: mixer +spec: + 
replicas: {{ $.Values.replicaCount }} + template: + metadata: + labels: + app: {{ $mname }} + istio: mixer + istio-mixer-type: {{ $mname }} + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" +{{- if eq $mname "policy"}} +{{- template "policy_container" $ }} +{{- else }} +{{- template "telemetry_container" $ }} +{{- end }} + +--- +{{- end }} {{/* range */}} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/service.yaml new file mode 100644 index 0000000..f633c66 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/service.yaml @@ -0,0 +1,28 @@ +{{ $mixers := list "policy" "telemetry" }} +{{- range $idx, $mname := $mixers }} +apiVersion: v1 +kind: Service +metadata: + name: istio-{{ $mname }} + namespace: {{ $.Release.Namespace }} + labels: + chart: {{ $.Chart.Name }}-{{ $.Chart.Version | replace "+" "_" }} + release: {{ $.Release.Name }} + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 9093 +{{- if eq $mname "telemetry" }} + - name: prometheus + port: 42422 +{{- end }} + selector: + istio: mixer + istio-mixer-type: {{ $mname }} +--- +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/serviceaccount.yaml new file mode 100644 index 0000000..43a57c3 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/mixer/templates/serviceaccount.yaml 
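Review bot: In deployment.yaml the `istio-proxy` container of both `policy_container` and `telemetry_container` gets a second `ports:` key whenever `global.proxy.stats.prometheusPort` is non-zero. A YAML mapping cannot hold the same key twice, so depending on the parser the manifest is rejected or only the last list survives and `containerPort: 9091` and `containerPort: 15004` are silently dropped. Remove the `ports:` line inside the `{{ if ne .Values.global.proxy.stats.prometheusPort 0. }}` block so the `http-envoy-prom` entry extends the existing list. Neither the `mixer` nor the `istio-proxy` container sets a `securityContext`; if the images allow it (not visible here), adding `allowPrivilegeEscalation: false` and `runAsNonRoot: true` would limit what a compromised telemetry or policy pod can do.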
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-mixer-service-account + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "mixer.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/Chart.yaml new file mode 100644 index 0000000..e0bf946 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +name: pilot +version: 1.0.4 +appVersion: 1.0.4 +tillerVersion: ">=2.7.2" +description: Helm chart for pilot deployment +keywords: + - istio + - pilot +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/autoscale.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/autoscale.yaml new file mode 100644 index 0000000..16dfaf3 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/autoscale.yaml @@ -0,0 +1,20 @@ +{{- if .Values.autoscaleMin }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot + namespace: {{ $.Release.Namespace }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.cpu.targetAverageUtilization }} +--- +{{- end }} 
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/clusterrole.yaml
new file mode 100644
index 0000000..f901440
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/clusterrole.yaml
@@ -0,0 +1,37 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-pilot-{{ .Release.Namespace }}
+ labels:
+ app: istio-pilot
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["config.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["rbac.istio.io"]
+ resources: ["*"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["networking.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["authentication.istio.io"]
+ resources: ["*"]
+ verbs: ["*"]
+- apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "list", "watch", "update"]
+- apiGroups: [""]
+ resources: ["endpoints", "pods", "services"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["namespaces", "nodes", "secrets"]
+ verbs: ["get", "list", "watch"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..c6a7216
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/clusterrolebinding.yaml
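Review bot: The last rule of the pilot ClusterRole grants `get`, `list` and `watch` on `secrets` in every namespace, bundled with `namespaces` and `nodes`, and nothing in the file says which secrets Pilot reads. I would give `secrets` its own rule with a comment naming the consumer, e.g. `# secrets: read by <feature>; cluster-wide because <reason>`, so the grant can be narrowed or dropped when that feature is off. The `customresourcedefinitions` rule uses `verbs: ["*"]`, which includes `delete` and `deletecollection`; if Pilot only registers and watches its CRDs, `verbs: ["create", "get", "list", "watch", "update"]` (the set the `configmaps` rule already uses) looks sufficient, though that is inferred from this file alone.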
@@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-{{ .Release.Namespace }} + labels: + app: istio-pilot + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: {{ .Release.Namespace }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml new file mode 100644 index 0000000..55d8a68 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/deployment.yaml 
@@ -0,0 +1,154 @@ +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-pilot + namespace: {{ .Release.Namespace }} + # TODO: default template doesn't have this, which one is right ? + labels: + app: istio-pilot + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: pilot + annotations: + checksum/config-volume: {{ template "istio.configmap.checksum" . }} +spec: + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + istio: pilot + app: pilot + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-pilot-service-account +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}" +{{- end }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - "discovery" +{{- if .Values.global.oneNamespace }} + - "-a" + - {{ .Release.Namespace }} +{{- end }} +{{- if not .Values.sidecar }} + - --secureGrpcAddr + - ":15011" +{{- end }} + ports: + - containerPort: 8080 + - containerPort: 15010 +{{- if not .Values.sidecar }} + - containerPort: 15011 +{{- end }} + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: PILOT_CACHE_SQUASH + value: "5" + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ 
.Values.traceSampling }}" +{{- end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true +{{- if .Values.sidecar }} + - name: istio-proxy + image: "{{ .Values.global.hub }}/proxyv2:{{ .Values.global.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + {{- if $.Values.global.controlPlaneSecurityEnabled}} + - --controlPlaneAuthPolicy + - MUTUAL_TLS + {{- else }} + - --controlPlaneAuthPolicy + - NONE + {{- end }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: +{{- if .Values.global.proxy.resources }} +{{ toYaml .Values.global.proxy.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true +{{- end }} + volumes: + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + {{- include "nodeaffinity" . | indent 6 }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/gateway.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/gateway.yaml new file mode 100644 index 0000000..048b3e7 --- /dev/null 
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/gateway.yaml
@@ -0,0 +1,74 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: istio-autogenerated-k8s-ingress
+ namespace: istio-system
+spec:
+ selector:
+ istio: {{ .Values.global.k8sIngressSelector }}
+ servers:
+ - port:
+ number: 80
+ protocol: HTTP2
+ name: http
+ hosts:
+ - "*"
+{{ if .Values.global.k8sIngressHttps }}
+ - port:
+ number: 443
+ protocol: HTTPS
+ name: https-default
+ tls:
+ mode: SIMPLE
+ serverCertificate: /etc/istio/ingress-certs/tls.crt
+ privateKey: /etc/istio/ingress-certs/tls.key
+ hosts:
+ - "*"
+{{ end }}
+---
+{{- if .Values.global.meshExpansion }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: meshexpansion-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 15011
+ protocol: TCP
+ name: tcp-pilot
+ hosts:
+ - "*"
+ - port:
+ number: 8060
+ protocol: TCP
+ name: tcp-citadel
+ hosts:
+ - "*"
+---
+{{- end }}
+
+{{- if .Values.global.meshExpansionILB }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: meshexpansion-ilb-gateway
+spec:
+ selector:
+ istio: ilbgateway
+ servers:
+ - port:
+ number: 15011
+ protocol: TCP
+ name: tcp-pilot
+ hosts:
+ - "*"
+ - port:
+ number: 8060
+ protocol: TCP
+ name: tcp-citadel
+ hosts:
+ - "*"
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/meshexpansion.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/meshexpansion.yaml
new file mode 100644
index 0000000..88e604d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/meshexpansion.yaml
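Review bot: `namespace: istio-system` on `istio-autogenerated-k8s-ingress` is hard-coded, while the Service, ServiceAccount and Deployment templates in this commit use `{{ .Release.Namespace }}` and the two mesh-expansion Gateways omit `namespace` altogether. A release installed into any other namespace would therefore place this one Gateway away from the workloads it selects; `namespace: {{ .Release.Namespace }}` keeps it with the rest. Separately, the mesh-expansion servers publish the Pilot (15011) and Citadel (8060) ports with `hosts: ["*"]` on the ingress gateway, which deserves a comment stating which networks are expected to reach them.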
@@ -0,0 +1,59 @@
+{{- if .Values.global.meshExpansion }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-pilot
+spec:
+ hosts:
+ - "pilot.istio-system"
+ gateways:
+ - meshexpansion-gateway
+ tcp:
+ - match:
+ - port: 15011
+ route:
+ - destination:
+ host: istio-pilot.istio-system.svc.cluster.local
+ port:
+ number: 15011
+
+
+{{- end }}
+
+
+{{- if .Values.global.meshExpansionILB }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ilb-meshexpansion-pilot
+spec:
+ hosts:
+ - "meshexpansionilb.istio-system"
+ gateways:
+ - meshexpansion-ilb-gateway
+ tcp:
+ - match:
+ - port: 15011
+ route:
+ - destination:
+ host: istio-pilot.istio-system.svc.cluster.local
+ port:
+ number: 15011
+ - match:
+ - port: 15010
+ route:
+ - destination:
+ host: istio-pilot.istio-system.svc.cluster.local
+ port:
+ number: 15010
+ - match:
+ - port: 5353
+ route:
+ - destination:
+ host: kube-dns.kube-system.svc.cluster.local
+ port:
+ number: 53
+
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/service.yaml
new file mode 100644
index 0000000..e43511f
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-pilot
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ ports:
+ - port: 15010
+ name: grpc-xds # direct
+ - port: 15011
+ name: https-xds # mTLS
+ - port: 8080
+ name: http-legacy-discovery # direct
+ - port: 9093
+ name: http-monitoring
+ selector:
+ istio: pilot
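Review bot: In meshexpansion.yaml, `ilb-meshexpansion-pilot` routes ports 15010 and 5353 through `meshexpansion-ilb-gateway`, but that Gateway in gateway.yaml declares servers only for 15011 and 8060, so as far as this commit shows the two extra matches either never apply or rely on ports opened somewhere else. Port 15010 is the one the pilot Service labels `grpc-xds # direct`, i.e. the non-mTLS discovery port, and 5353 forwards to `kube-dns`, so both need a comment saying who may reach the load balancer, for example `# 15010 is plaintext xDS: reachable only from the internal LB network`. If plaintext discovery from outside the cluster is not intended, dropping the 15010 match and keeping 15011 removes the question.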
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/serviceaccount.yaml new file mode 100644 index 0000000..c7125b9 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/pilot/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: istio-pilot-service-account + namespace: {{ .Release.Namespace }} + labels: + app: istio-pilot + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/Chart.yaml new file mode 100644 index 0000000..0ca1208 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +description: A Helm chart for Kubernetes +name: prometheus +version: 1.0.4 +appVersion: 2.3.1 +tillerVersion: ">=2.7.2" diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/_helpers.tpl new file mode 100644 index 0000000..52a2ad3 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/_helpers.tpl 
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "prometheus.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "prometheus.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/clusterrole.yaml
new file mode 100644
index 0000000..7d966f0
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/clusterrole.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: prometheus-{{ .Release.Namespace }}
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - services
+ - endpoints
+ - pods
+ - nodes/proxy
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - configmaps
+ verbs: ["get"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/clusterrolebindings.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/clusterrolebindings.yaml
new file mode 100644
index 0000000..6114d6b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/clusterrolebindings.yaml
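Review bot: `nodes/proxy` in the first rule of the prometheus ClusterRole lets the `prometheus` service account send requests through the API server to the kubelet API of every node, which is wider than the two paths the scrape config in this commit uses (`/proxy/metrics` and `/proxy/metrics/cadvisor`). The grant has no comment, so a later reader cannot tell it from an accident; I would add `# nodes/proxy: needed by the kubernetes-nodes and kubernetes-cadvisor jobs, which scrape via the API server proxy` above it. If a deployment does not want those two jobs, this resource can be dropped from the list together with them.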
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: prometheus-{{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: prometheus + namespace: {{ .Release.Namespace }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/configmap.yaml new file mode 100644 index 0000000..57d01c8 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/configmap.yaml 
@@ -0,0 +1,322 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + prometheus.yml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + +{{ if ne .Values.global.proxy.stats.prometheusPort 0. }} + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:{{ .Values.global.proxy.stats.prometheusPort }} + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop +{{ end}} + + - job_name: 'istio-policy' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. 
+ + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - {{ .Release.Namespace }} + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + # scrape config for API servers + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. 
+ # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. + - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) 
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] + action: drop + regex: (.+) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. 
+ kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name \ No newline at end of file diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/deployment.yaml new file mode 100644 index 0000000..a1bf4ab --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/deployment.yaml 
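Review bot: In the `kubernetes-pods-istio-secure` job of the prometheus ConfigMap, `insecure_skip_verify: true` turns off server certificate verification, so `ca_file` plays no part in deciding which endpoint the scrape trusts and the client certificate is presented to whatever answers on the pod address. The existing comment gives the cause (no secure naming) but not the consequence; I would extend it to `# prometheus does not support secure naming, so the server certificate is NOT verified and the scrape target's identity is not authenticated`. The `kubernetes-pods` and `kubernetes-service-endpoints` jobs have no `namespaces` restriction and take scheme, path and port from annotations, which is worth a one-line comment above each as well.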
@@ -0,0 +1,68 @@ +# TODO: the original template has service account, roles, etc +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + labels: + app: prometheus + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: prometheus + template: + metadata: + labels: + app: prometheus + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: prometheus +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} + containers: + - name: prometheus + image: "{{ .Values.hub }}/prometheus:{{ .Values.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + args: + - '--storage.tsdb.retention=6h' + - '--config.file=/etc/prometheus/prometheus.yml' + ports: + - containerPort: 9090 + name: http + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | indent 12 }} +{{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs + volumes: + - name: config-volume + configMap: + name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default + affinity: + {{- include "nodeaffinity" . | indent 6 }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/service.yaml new file mode 100644 index 0000000..a9eec0f --- /dev/null 
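Review bot: The `istio-certs` volume of the prometheus Deployment mounts `secretName: istio.default` although the pod runs with `serviceAccountName: prometheus`. The pilot Deployment in this commit mounts `istio.istio-pilot-service-account`, which suggests these secrets are named after the service account; if so, Prometheus scrapes with the key and certificate of the namespace's `default` account, and `secretName: istio.prometheus` would give it its own identity. The mount at `/etc/istio-certs` also lacks `readOnly: true`, which the `istio-certs` mounts in the mixer and pilot templates set, and `optional: true` means a missing secret only shows up as failing scrapes in the mTLS job.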
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/service.yaml @@ -0,0 +1,39 @@ +apiVersion: v1 +kind: Service +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} + annotations: + prometheus.io/scrape: 'true' + {{- range $key, $val := .Values.service.annotations }} + {{ $key }}: {{ $val }} + {{- end }} + labels: + name: prometheus +spec: + selector: + app: prometheus + ports: + - name: http-prometheus + protocol: TCP + port: 9090 + +{{- if .Values.service.nodePort.enabled }} +# Using separate ingress for nodeport, to avoid conflict with pilot e2e test configs. +--- +apiVersion: v1 +kind: Service +metadata: + name: prometheus-nodeport + namespace: {{ .Release.Namespace }} + labels: + name: prometheus +spec: + type: NodePort + ports: + - port: 9090 + nodePort: {{ .Values.service.nodePort.port }} + name: http-prometheus + selector: + app: prometheus +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/serviceaccount.yaml new file mode 100644 index 0000000..cf083b7 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/prometheus/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/Chart.yaml new file mode 100644 index 0000000..40d2add --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/Chart.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +name: security +version: 1.0.4 +appVersion: 1.0.4 +tillerVersion: ">=2.7.2" +description: Helm chart for istio authentication +keywords: + - istio + - security +sources: + - http://github.com/istio/istio +engine: gotpl +icon: https://istio.io/favicons/android-192x192.png diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/_helpers.tpl new file mode 100644 index 0000000..7564a1b --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/_helpers.tpl @@ -0,0 +1,16 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "security.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "security.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/cleanup-secrets.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/cleanup-secrets.yaml new file mode 100644 index 0000000..ae93b9f --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/cleanup-secrets.yaml 
@@ -0,0 +1,100 @@ +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-cleanup-secrets-service-account + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: {{ template "security.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-{{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: {{ template "security.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-{{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app: {{ template "security.name" . 
}} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: {{ template "security.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: {{ template "security.name" . }} + release: {{ .Release.Name }} + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: hyperkube + image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/clusterrole.yaml new file mode 100644 index 0000000..d7879a9 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/clusterrole.yaml 
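Review bot: The cleanup script in the `istio-cleanup-secrets` Job (security/templates/cleanup-secrets.yaml) reports success even when `kubectl get secret` fails, because the pipeline's status is that of the final `while` loop and `pipefail` is not set; the post-delete hook then counts as succeeded while the `istio.io/key-and-cert` secrets stay behind. `$entry`, `$name` and `$ns` are also expanded unquoted, and `grep` matches the pattern anywhere in the row rather than in the TYPE column. Separately, `hook-delete-policy: hook-succeeded` means that if the Job does fail, the ServiceAccount and the ClusterRoleBinding that allows listing and deleting secrets in every namespace are left in the cluster, so consider adding `hook-failed` or documenting the manual cleanup. A stricter version of the command is below; the column positions assume kubectl's default table output with `--all-namespaces`.

```yaml
# … unchanged: Job metadata, serviceAccountName, container name and image …
        command:
        - /bin/bash
        - -c
        - |
          set -euo pipefail
          kubectl get secret --all-namespaces --no-headers \
            | awk '$3 == "istio.io/key-and-cert" { print $1, $2 }' \
            | while read -r ns name; do
                kubectl delete secret "$name" -n "$ns"
              done
# … unchanged: restartPolicy …
```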
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "watch", "list"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..501f8ad
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-citadel-{{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-citadel-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/configmap.yaml
new file mode 100644
index 0000000..5ca996e
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/configmap.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio-security-custom-resources
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: security
+data:
+ custom-resources.yaml: |-
+ {{- if .Values.global.mtls.enabled }}
+ {{- include "security-default.yaml.tpl" . | indent 4}}
+ {{- else }}
+ {{- include "security-permissive.yaml.tpl" . | indent 4}}
+ {{- end }}
+ run.sh: |-
+ {{- include "install-custom-resources.sh.tpl" . | indent 4}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/create-custom-resources-job.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/create-custom-resources-job.yaml
new file mode 100644
index 0000000..d4e581f
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/create-custom-resources-job.yaml
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + namespace: {{ .Release.Namespace }} + labels: + app: istio-security + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-{{ .Release.Namespace }} + labels: + app: istio-security + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-{{ .Release.Namespace }} + labels: + app: istio-security + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: {{ .Release.Namespace }} +--- + +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-security-post-install + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: istio-security + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + 
template: + metadata: + name: istio-security-post-install + labels: + app: istio-security + release: {{ .Release.Name }} + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: hyperkube + image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}" + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/deployment.yaml new file mode 100644 index 0000000..8913143 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/deployment.yaml 
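Review bot: The `istio-security-post-install-…` ClusterRole in create-custom-resources-job.yaml grants `resources: ["*"]` with `verbs: ["*"]` on both `authentication.istio.io` and `networking.istio.io`, and unlike the Job it carries no hook annotations, so the role, its binding and the service account appear to stay in the cluster after the one-shot job has finished. The resources this chart feeds to the job are a `MeshPolicy` and `DestinationRule`s (enable-mesh-mtls.yaml, enable-mesh-permissive.yaml), so the rules could name `resources: ["meshpolicies"]` and `resources: ["destinationrules"]` with only the verbs `run.sh` needs; that script is not part of this hunk, so the verb list has to be checked against it. If the RBAC objects are meant to be temporary, giving them the same `helm.sh/hook` and `helm.sh/hook-delete-policy` annotations as the Job, with lower hook weights as cleanup-secrets.yaml does, would remove them once the job succeeds.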
@@ -0,0 +1,64 @@
+# istio CA watching all namespaces
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: citadel
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: istio-citadel-service-account
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: citadel
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --append-dns-names=true
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --citadel-storage-namespace={{ .Release.Namespace }}
+ - --custom-dns-names=istio-pilot-service-account.{{ .Release.Namespace }}:istio-pilot.{{ .Release.Namespace }},istio-ingressgateway-service-account.{{ .Release.Namespace }}:istio-ingressgateway.{{ .Release.Namespace }}
+ {{- if .Values.selfSigned }}
+ - --self-signed-ca=true
+ {{- else }}
+ - --self-signed-ca=false
+ - --signing-cert=/etc/cacerts/ca-cert.pem
+ - --signing-key=/etc/cacerts/ca-key.pem
+ - --root-cert=/etc/cacerts/root-cert.pem
+ - --cert-chain=/etc/cacerts/cert-chain.pem
+ {{- end }}
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+{{- if not .Values.selfSigned }}
+ volumeMounts:
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ volumes:
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/enable-mesh-mtls.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/enable-mesh-mtls.yaml
new file mode 100644
index 0000000..7eddaa6
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/enable-mesh-mtls.yaml
@@ -0,0 +1,53 @@
+{{ define "security-default.yaml.tpl" }}
+# These policy and destination rules effectively enable mTLS for all services in the mesh. For now,
+# they are added to Istio installation yaml for backward compatible. In future, they should be in
+# a separated yaml file so that customer can enable mTLS independent from installation.
+
+# Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh.
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+ name: "default"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ peers:
+ - mtls: {}
+---
+# Corresponding destination rule to configure client side to use mutual TLS when talking to
+# any service (host) in the mesh.
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "default"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ host: "*.local"
+ trafficPolicy:
+ tls:
+ mode: ISTIO_MUTUAL
+---
+# Destination rule to dislabe (m)TLS when talking to API server, as API server doesn't have sidecar.
+# Customer should add similar destination rules for other services that dont' have sidecar.
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: "api-server"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ host: "kubernetes.default.svc.cluster.local"
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/enable-mesh-permissive.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/enable-mesh-permissive.yaml
new file mode 100644
index 0000000..35908d2
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/enable-mesh-permissive.yaml
@@ -0,0 +1,16 @@
+{{ define "security-permissive.yaml.tpl" }}
+# Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh.
+apiVersion: "authentication.istio.io/v1alpha1"
+kind: "MeshPolicy"
+metadata:
+ name: "default"
+ labels:
+ app: istio-security
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ peers:
+ - mtls:
+ mode: PERMISSIVE
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/meshexpansion.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/meshexpansion.yaml
new file mode 100644
index 0000000..fcf677f
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/meshexpansion.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.global.meshExpansion }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-citadel
+spec:
+ hosts:
+ - "istio-citadel.istio-system"
+ gateways:
+ - meshexpansion-gateway
+ tcp:
+ - match:
+ - port: 8060
+ route:
+ - destination:
+ host: istio-citadel.istio-system.svc.cluster.local
+ port:
+ number: 8060
+
+{{- end }}
+
+---
+
+{{- if .Values.global.meshExpansionILB }}
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: meshexpansion-ilb-citadel
+spec:
+ hosts:
+ - "istio-citadel.istio-system"
+ gateways:
+ - meshexpansion-ilb-gateway
+ tcp:
+ - match:
+ - port: 8060
+ route:
+ - destination:
+ host: istio-citadel.istio-system.svc.cluster.local
+ port:
+ number: 8060
+
+{{- end }}
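Review bot: Both VirtualServices in security/templates/meshexpansion.yaml hard-code `istio-citadel.istio-system` and `istio-citadel.istio-system.svc.cluster.local`, while the Citadel Service and the other namespaced objects in this chart are created in `{{ .Release.Namespace }}`. Installed into any other namespace, the routes would point at a host that this chart does not create. The entries could be written as `- "istio-citadel.{{ .Release.Namespace }}"` and `host: istio-citadel.{{ .Release.Namespace }}.svc.cluster.local`, and `metadata` could carry `namespace: {{ .Release.Namespace }}` as the other templates do.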
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/service.yaml
new file mode 100644
index 0000000..902c138
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/service.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+ # we use the normal name here (e.g. 'prometheus')
+ # as grafana is configured to use this as a data source
+ name: istio-citadel
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-citadel
+spec:
+ ports:
+ - name: grpc-citadel
+ port: 8060
+ targetPort: 8060
+ protocol: TCP
+ - name: http-monitoring
+ port: 9093
+ selector:
+ istio: citadel
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/serviceaccount.yaml
new file mode 100644
index 0000000..58501af
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/security/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "security.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/Chart.yaml
new file mode 100644
index 0000000..e33a857
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: servicegraph
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/_helpers.tpl
new file mode 100644
index 0000000..c63ede3
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "servicegraph.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "servicegraph.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/deployment.yaml
new file mode 100644
index 0000000..7fbe843
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/deployment.yaml
@@ -0,0 +1,47 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: servicegraph
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "servicegraph.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: servicegraph
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: servicegraph
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ args:
+ - --prometheusAddr=http://prometheus:9090
+ livenessProbe:
+ httpGet:
+ path: /graph
+ port: {{ .Values.service.internalPort }}
+ readinessProbe:
+ httpGet:
+ path: /graph
+ port: {{ .Values.service.internalPort }}
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/ingress.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/ingress.yaml
new file mode 100644
index 0000000..145a9cb
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/ingress.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "servicegraph.fullname" . -}}
+{{- $servicePort := .Values.service.externalPort -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ template "servicegraph.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "servicegraph.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/service.yaml
new file mode 100644
index 0000000..f3d2012
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/servicegraph/templates/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: servicegraph
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ labels:
+ app: servicegraph
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: servicegraph
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/Chart.yaml
new file mode 100644
index 0000000..ec10266
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+name: sidecarInjectorWebhook
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart for sidecar injector webhook deployment
+keywords:
+ - istio
+ - sidecarInjectorWebhook
+sources:
+ - http://github.com/istio/istio
+engine: gotpl
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl
new file mode 100644
index 0000000..8ed67e2
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "sidecar-injector.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "sidecar-injector.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
new file mode 100644
index 0000000..b36fdb0
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+rules:
+- apiGroups: ["*"]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations"]
+ verbs: ["get", "list", "watch", "patch"]
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..10b0d71
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: istio-sidecar-injector-admin-role-binding-{{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: istio-sidecar-injector-{{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
new file mode 100644
index 0000000..37751d4
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/deployment.yaml
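Review bot: The `istio-sidecar-injector-…` ClusterRole in sidecarInjectorWebhook/templates/clusterrole.yaml is wider than the visible templates need: `apiGroups: ["*"]` is used for `configmaps`, which live in the core group, and `patch` on `mutatingwebhookconfigurations` is not limited to the injector's own object. I would write the first rule as `apiGroups: [""]` and move `patch` into its own rule with `resourceNames: ["istio-sidecar-injector"]`, the name used in mutatingwebhook.yaml. As written, a compromised injector service account could modify any mutating webhook configuration in the cluster. ConfigMap read access is also cluster-wide although deployment.yaml only mounts `istio` and `istio-sidecar-injector`; whether the binary reads more than that is not visible here.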
@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "sidecar-injector.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ istio: sidecar-injector
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ istio: sidecar-injector
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+ serviceAccountName: istio-sidecar-injector-service-account
+ {{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: sidecar-injector-webhook
+ image: "{{ .Values.global.hub }}/{{ .Values.image }}:{{ .Values.global.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ args:
+ - --caCertFile=/etc/istio/certs/root-cert.pem
+ - --tlsCertFile=/etc/istio/certs/cert-chain.pem
+ - --tlsKeyFile=/etc/istio/certs/key.pem
+ - --injectConfig=/etc/istio/inject/config
+ - --meshConfig=/etc/istio/config/mesh
+ - --healthCheckInterval=2s
+ - --healthCheckFile=/health
+ volumeMounts:
+ - name: config-volume
+ mountPath: /etc/istio/config
+ readOnly: true
+ - name: certs
+ mountPath: /etc/istio/certs
+ readOnly: true
+ - name: inject-config
+ mountPath: /etc/istio/inject
+ readOnly: true
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ readinessProbe:
+ exec:
+ command:
+ - /usr/local/bin/sidecar-injector
+ - probe
+ - --probe-path=/health
+ - --interval=4s
+ initialDelaySeconds: 4
+ periodSeconds: 4
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ volumes:
+ - name: config-volume
+ configMap:
+ name: istio
+ - name: certs
+ secret:
+ secretName: istio.istio-sidecar-injector-service-account
+ - name: inject-config
+ configMap:
+ name: istio-sidecar-injector
+ items:
+ - key: config
+ path: config
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
new file mode 100644
index 0000000..e7f7519
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml
@@ -0,0 +1,36 @@
+apiVersion: admissionregistration.k8s.io/v1beta1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+webhooks:
+ - name: sidecar-injector.istio.io
+ clientConfig:
+ service:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ path: "/inject"
+ caBundle: ""
+ rules:
+ - operations: [ "CREATE" ]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ resources: ["pods"]
+ failurePolicy: Fail
+ namespaceSelector:
+{{- if .Values.enableNamespacesByDefault }}
+ matchExpressions:
+ - key: istio-injection
+ operator: NotIn
+ values:
+ - disabled
+{{- else }}
+ matchLabels:
+ istio-injection: enabled
+{{- end }}
+
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/service.yaml
new file mode 100644
index 0000000..b24900b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/service.yaml
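Review bot: The `enableNamespacesByDefault` branch of `namespaceSelector` in mutatingwebhook.yaml selects every namespace that is not labelled `istio-injection: disabled`, which includes `kube-system` and the release namespace itself, and the webhook uses `failurePolicy: Fail`. If the injector is unavailable, pod creation in those namespaces would be rejected, including the pods that would replace the injector. A comment above the branch should say so, for example `# With enableNamespacesByDefault, label kube-system and the Istio namespace istio-injection=disabled before installing.` Two smaller points: `caBundle: ""` relies on something filling it in later (presumably the injector, given its `patch` permission), and `metadata.namespace` has no effect on a cluster-scoped MutatingWebhookConfiguration.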
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-sidecar-injector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ istio: sidecar-injector
+spec:
+ ports:
+ - port: 443
+ selector:
+ istio: sidecar-injector
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
new file mode 100644
index 0000000..8beb35b
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+{{- if .Values.global.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.global.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+metadata:
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-sidecar-injector
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/telemetry-gateway/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/telemetry-gateway/Chart.yaml
new file mode 100644
index 0000000..334995d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/telemetry-gateway/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+name: telemetry-gateway
+version: 1.0.4
+appVersion: 1.0.4
+tillerVersion: ">=2.7.2"
+description: Helm chart for configuring a gateway for Istio telemetry addons
+icon: https://istio.io/favicons/android-192x192.png
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/telemetry-gateway/templates/gateway.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/telemetry-gateway/templates/gateway.yaml
new file mode 100644
index 0000000..3a8e5e0
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/telemetry-gateway/templates/gateway.yaml
@@ -0,0 +1,84 @@
+{{- if or (.Values.prometheusEnabled) (.Values.grafanaEnabled) }}
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: istio-telemetry-gateway
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ istio: {{ .Values.gatewayName }}
+ servers:
+ {{- if .Values.prometheusEnabled }}
+ - port:
+ number: 15030
+ name: http2-prometheus
+ protocol: HTTP2
+ hosts:
+ - "*"
+ {{- end }}
+ {{- if .Values.grafanaEnabled }}
+ - port:
+ number: 15031
+ name: http2-grafana
+ protocol: HTTP2
+ hosts:
+ - "*"
+ {{- end }}
+{{- if .Values.grafanaEnabled }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+spec:
+ host: grafana.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+{{- end }}
+{{- if .Values.prometheusEnabled }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+spec:
+ host: prometheus.{{ .Release.Namespace }}.svc.cluster.local
+ trafficPolicy:
+ tls:
+ mode: DISABLE
+{{- end }}
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: telemetry-virtual-service
+ namespace: {{ .Release.Namespace }}
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - istio-telemetry-gateway
+ http:
+ {{- if .Values.prometheusEnabled }}
+ - match:
+ - port: 15030
+ route:
+ - destination:
+ host: prometheus.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 9090
+ {{- end }}
+ {{- if .Values.grafanaEnabled }}
+ - match:
+ - port: 15031
+ route:
+ - destination:
+ host: grafana.{{ .Release.Namespace }}.svc.cluster.local
+ port:
+ number: 3000
+ {{- end }}
+---
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/Chart.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/Chart.yaml
new file mode 100644
index 0000000..725df09
--- /dev/null
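Review bot: The `Gateway` in telemetry-gateway/templates/gateway.yaml serves Prometheus on port 15030 and Grafana on port 15031 with `hosts: "*"` and `protocol: HTTP2` and no `tls` block, so any client that can reach the selected gateway gets both UIs in plaintext. The `VirtualService` repeats `hosts: "*"`, and both `DestinationRule`s set `mode: DISABLE`, so the hop from the gateway to the backends is not mutually authenticated either. I would add a comment at the top of the template such as `# Exposes Prometheus/Grafana without TLS or authentication; enable only on a gateway reachable from trusted networks`, and drive the two `hosts` lists from a chart value instead of the hard-coded wildcard.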
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+description: A Helm chart for Kubernetes
+name: tracing
+version: 1.0.4
+appVersion: 1.5.1
+tillerVersion: ">=2.7.2"
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/_helpers.tpl
new file mode 100644
index 0000000..9fba8d5
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "zipkin.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "zipkin.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/deployment.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/deployment.yaml
new file mode 100644
index 0000000..166377c
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/deployment.yaml
@@ -0,0 +1,62 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: istio-tracing
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: istio-tracing
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata:
+ labels:
+ app: jaeger
+ annotations:
+ sidecar.istio.io/inject: "false"
+ scheduler.alpha.kubernetes.io/critical-pod: ""
+ spec:
+{{- if .Values.global.priorityClassName }}
+ priorityClassName: "{{ .Values.global.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: jaeger
+ image: "{{ .Values.jaeger.hub }}/all-in-one:{{ .Values.jaeger.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ ports:
+ - containerPort: {{ .Values.service.internalPort }}
+ - containerPort: {{ .Values.jaeger.ui.port }}
+ - containerPort: 5775
+ protocol: UDP
+ - containerPort: 6831
+ protocol: UDP
+ - containerPort: 6832
+ protocol: UDP
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: COLLECTOR_ZIPKIN_HTTP_PORT
+ value: "{{ .Values.service.internalPort }}"
+ - name: MEMORY_MAX_TRACES
+ value: "{{ .Values.jaeger.memory.max_traces }}"
+ livenessProbe:
+ httpGet:
+ path: /
+ port: {{ .Values.jaeger.ui.port }}
+ readinessProbe:
+ httpGet:
+ path: /
+ port: {{ .Values.jaeger.ui.port }}
+ resources:
+{{- if .Values.resources }}
+{{ toYaml .Values.resources | indent 12 }}
+{{- else }}
+{{ toYaml .Values.global.defaultResources | indent 12 }}
+{{- end }}
+ affinity:
+ {{- include "nodeaffinity" . | indent 6 }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/ingress-jaeger.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/ingress-jaeger.yaml
new file mode 100644
index 0000000..1647e8a
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/ingress-jaeger.yaml
@@ -0,0 +1,32 @@
+{{ if (.Values.jaeger.ingress.enabled) and eq .Values.provider "jaeger" }}
+{{- $servicePort := .Values.jaeger.ui.port -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: jaeger-query
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ {{- range $key, $value := .Values.jaeger.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.jaeger.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: jaeger-query
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- if .Values.jaeger.ingress.tls }}
+ tls:
+{{ toYaml .Values.jaeger.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/ingress.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/ingress.yaml
new file mode 100644
index 0000000..77d53ca
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/ingress.yaml
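Review bot: The opening condition of ingress-jaeger.yaml, `{{ if (.Values.jaeger.ingress.enabled) and eq .Values.provider "jaeger" }}`, writes `and` infix, but Go templates only accept `and` as a prefix function; as written the parenthesised value is the command and the remaining words become its arguments, which is likely to fail at render time with a "can't give argument to non-function" error once the tracing chart is enabled. The intended form is `{{ if and .Values.jaeger.ingress.enabled (eq .Values.provider "jaeger") }}`. Separately, `- host: {{ $host }}` is emitted unquoted while the annotation values above it go through `| quote`; `- host: {{ $host | quote }}` keeps user-supplied values from altering the rendered YAML.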
@@ -0,0 +1,33 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := "zipkin" -}}
+{{- $servicePort := .Values.service.externalPort -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ template "zipkin.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "zipkin.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ annotations:
+ {{- range $key, $value := .Values.ingress.annotations }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+spec:
+ rules:
+ {{- range $host := .Values.ingress.hosts }}
+ - host: {{ $host }}
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: {{ $serviceName }}
+ servicePort: {{ $servicePort }}
+ {{- end -}}
+ {{- if .Values.ingress.tls }}
+ tls:
+{{ toYaml .Values.ingress.tls | indent 4 }}
+ {{- end -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/service-jaeger.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/service-jaeger.yaml
new file mode 100644
index 0000000..43b4c3a
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/service-jaeger.yaml
@@ -0,0 +1,82 @@
+{{ if eq .Values.provider "jaeger" }}
+
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-query
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ labels:
+ app: jaeger
+ jaeger-infra: jaeger-service
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ spec:
+ ports:
+ - name: query-http
+ port: {{ .Values.jaeger.ui.port }}
+ protocol: TCP
+ targetPort: {{ .Values.jaeger.ui.port }}
+ selector:
+ app: jaeger
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-collector
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ jaeger-infra: collector-service
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ spec:
+ ports:
+ - name: jaeger-collector-tchannel
+ port: 14267
+ protocol: TCP
+ targetPort: 14267
+ - name: jaeger-collector-http
+ port: 14268
+ targetPort: 14268
+ protocol: TCP
+ selector:
+ app: jaeger
+ type: ClusterIP
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: jaeger-agent
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ jaeger-infra: agent-service
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ spec:
+ ports:
+ - name: agent-zipkin-thrift
+ port: 5775
+ protocol: UDP
+ targetPort: 5775
+ - name: agent-compact
+ port: 6831
+ protocol: UDP
+ targetPort: 6831
+ - name: agent-binary
+ port: 6832
+ protocol: UDP
+ targetPort: 6832
+ clusterIP: None
+ selector:
+ app: jaeger
+{{ end }}
+
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/service.yaml b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/service.yaml
new file mode 100644
index 0000000..6a3cadc
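Review bot: The annotation loop on the `jaeger-query` Service in service-jaeger.yaml renders `{{ $key }}: {{ $val }}` without quoting, whereas both Ingress templates in this commit use `{{ $value | quote }}`. Annotation values have to be strings, so a value such as `true` or `8080` in `.Values.service.annotations` comes out as a YAML boolean or number and is rejected by the API server, and a value containing `: ` or ` #` changes the structure of the rendered manifest. The line should read `{{ $key }}: {{ $val | quote }}`. The `tracing` Service in templates/service.yaml, the next file in this diff, has the same loop and needs the same change.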
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/charts/tracing/templates/service.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: zipkin
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: jaeger
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.externalPort }}
+ targetPort: {{ .Values.service.internalPort }}
+ protocol: TCP
+ name: {{ .Values.service.name }}
+ selector:
+ app: jaeger
+- apiVersion: v1
+ kind: Service
+ metadata:
+ name: tracing
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ {{- range $key, $val := .Values.service.annotations }}
+ {{ $key }}: {{ $val }}
+ {{- end }}
+ labels:
+ app: jaeger
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+ spec:
+ ports:
+ - name: http-query
+ port: 80
+ protocol: TCP
+ targetPort: {{ .Values.jaeger.ui.port }}
+ selector:
+ app: jaeger
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/requirements.yaml b/istio-1.0.4/install/kubernetes/helm/istio/requirements.yaml
new file mode 100644
index 0000000..98eabca
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/requirements.yaml
@@ -0,0 +1,40 @@
+dependencies:
+ - name: sidecarInjectorWebhook
+ version: 1.0.4
+ condition: sidecarInjectorWebhook.enabled
+ - name: security
+ version: 1.0.4
+ condition: security.enabled
+ - name: ingress
+ version: 1.0.4
+ condition: ingress.enabled
+ - name: gateways
+ version: 1.0.4
+ condition: gateways.enabled
+ - name: mixer
+ version: 1.0.4
+ condition: mixer.enabled
+ - name: pilot
+ version: 1.0.4
+ condition: pilot.enabled
+ - name: grafana
+ version: 1.0.4
+ condition: grafana.enabled
+ - name: prometheus
+ version: 1.0.4
+ condition: prometheus.enabled
+ - name: servicegraph
+ version: 1.0.4
+ condition: servicegraph.enabled
+ - name: tracing
+ version: 1.0.4
+ condition: tracing.enabled
+ - name: galley
+ version: 1.0.4
+ condition: galley.enabled
+ - name: kiali
+ version: 1.0.4
+ condition: kiali.enabled
+ - name: certmanager
+ version: 1.0.4
+ condition: certmanager.enabled
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/templates/_affinity.tpl b/istio-1.0.4/install/kubernetes/helm/istio/templates/_affinity.tpl
new file mode 100644
index 0000000..0a702d4
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/templates/_affinity.tpl
@@ -0,0 +1,36 @@
+{{/* affinity - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ */}}
+
+{{- define "nodeaffinity" }}
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityRequiredDuringScheduling" . }}
+ preferredDuringSchedulingIgnoredDuringExecution:
+ {{- include "nodeAffinityPreferredDuringScheduling" . }}
+{{- end }}
+
+{{- define "nodeAffinityRequiredDuringScheduling" }}
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+
+{{- define "nodeAffinityPreferredDuringScheduling" }}
+ {{- range $key, $val := .Values.global.arch }}
+ {{- if gt ($val | int) 0 }}
+ - weight: {{ $val | int }}
+ preference:
+ matchExpressions:
+ - key: beta.kubernetes.io/arch
+ operator: In
+ values:
+ - {{ $key }}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/templates/_helpers.tpl b/istio-1.0.4/install/kubernetes/helm/istio/templates/_helpers.tpl
new file mode 100644
index 0000000..b85468d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/templates/_helpers.tpl
@@ -0,0 +1,30 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "istio.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "istio.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a fully qualified configmap name.
+*/}}
+{{- define "istio.configmap.fullname" -}}
+{{- printf "%s-%s" .Release.Name "istio-mesh-config" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Configmap checksum.
+*/}}
+{{- define "istio.configmap.checksum" -}}
+{{- print $.Template.BasePath "/configmap.yaml" | sha256sum -}}
+{{- end -}}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/templates/configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/templates/configmap.yaml
new file mode 100644
index 0000000..584f895
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/templates/configmap.yaml
@@ -0,0 +1,117 @@
+{{- if .Values.pilot.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: istio
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ template "istio.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ mesh: |-
+ # Set the following variable to true to disable policy checks by the Mixer.
+ # Note that metrics will still be reported to the Mixer.
+ disablePolicyChecks: {{ .Values.global.disablePolicyChecks }}
+
+ # Set enableTracing to false to disable request tracing.
+ enableTracing: {{ .Values.global.enableTracing }}
+
+ # Set accessLogFile to empty string to disable access log.
+ accessLogFile: "{{ .Values.global.proxy.accessLogFile }}"
+ #
+ # Deprecated: mixer is using EDS
+ {{- if .Values.mixer.enabled }}
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:15004
+ mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:15004
+ {{- else }}
+ mixerCheckServer: istio-policy.{{ .Release.Namespace }}.svc.cluster.local:9091
+ mixerReportServer: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local:9091
+ {{- end }}
+
+ # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached.
+ # Default is false which means the traffic is denied when the client is unable to connect to Mixer.
+ policyCheckFailOpen: {{ .Values.global.policyCheckFailOpen }}
+ {{- end }}
+
+ {{- if .Values.ingress.enabled }}
+ # This is the k8s ingress service name, update if you used a different name
+ ingressService: istio-{{ .Values.global.k8sIngressSelector }}
+ {{- end }}
+
+ # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get
+ # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty.
+ sdsUdsPath: ""
+
+ # How frequently should Envoy fetch key/cert from NodeAgent.
+ sdsRefreshDelay: 15s
+
+ #
+ defaultConfig:
+ #
+ # TCP connection timeout between Envoy & the application, and between Envoys.
+ connectTimeout: 10s
+ #
+ ### ADVANCED SETTINGS #############
+ # Where should envoy's configuration be stored in the istio-proxy container
+ configPath: "/etc/istio/proxy"
+ binaryPath: "/usr/local/bin/envoy"
+ # The pseudo service name used for Envoy.
+ serviceCluster: istio-proxy
+ # These settings that determine how long an old Envoy
+ # process should be kept alive after an occasional reload.
+ drainDuration: 45s
+ parentShutdownDuration: 1m0s
+ #
+ # The mode used to redirect inbound connections to Envoy. This setting
+ # has no effect on outbound traffic: iptables REDIRECT is always used for
+ # outbound connections.
+ # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+ # The "REDIRECT" mode loses source addresses during redirection.
+ # If "TPROXY", use iptables TPROXY to redirect to Envoy.
+ # The "TPROXY" mode preserves both the source and destination IP
+ # addresses and ports, so that they can be used for advanced filtering
+ # and manipulation.
+ # The "TPROXY" mode also configures the sidecar to run with the
+ # CAP_NET_ADMIN capability, which is required to use TPROXY.
+ #interceptionMode: REDIRECT
+ #
+ # Port where Envoy listens (on local host) for admin commands
+ # You can exec into the istio-proxy container in a pod and
+ # curl the admin port (curl http://localhost:15000/) to obtain
+ # diagnostic information from Envoy. See
+ # https://lyft.github.io/envoy/docs/operations/admin.html
+ # for more details
+ proxyAdminPort: 15000
+ #
+ # Set concurrency to a specific number to control the number of Proxy worker threads.
+ # If set to 0 (default), then start worker thread for each CPU thread/core.
+ concurrency: {{ .Values.global.proxy.concurrency }}
+ #
+ # Zipkin trace collector
+ zipkinAddress: zipkin.{{ .Release.Namespace }}:9411
+
+ {{- if .Values.global.proxy.envoyStatsd.enabled }}
+ #
+ # Statsd metrics collector converts statsd metrics into Prometheus metrics.
+ statsdUdpAddress: {{ .Values.global.proxy.envoyStatsd.host }}.{{ .Release.Namespace }}:{{ .Values.global.proxy.envoyStatsd.port }}
+ {{- end }}
+
+ {{- if .Values.global.controlPlaneSecurityEnabled }}
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: MUTUAL_TLS
+ #
+ # Address where istio Pilot service is running
+ discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15005
+ {{- else }}
+ #
+ # Mutual TLS authentication between sidecars and istio control plane.
+ controlPlaneAuthPolicy: NONE
+ #
+ # Address where istio Pilot service is running
+ discoveryAddress: istio-pilot.{{ .Release.Namespace }}:15007
+ {{- end }}
+{{- end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/templates/crds.yaml b/istio-1.0.4/install/kubernetes/helm/istio/templates/crds.yaml
new file mode 100644
index 0000000..18b64e7
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/templates/crds.yaml
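Review bot: The `{{- else }}` branch at the end of configmap.yaml carries the same comment as the secure branch ("Mutual TLS authentication between sidecars and istio control plane.") directly above `controlPlaneAuthPolicy: NONE`, which hides that this branch turns control-plane authentication off. With `global.controlPlaneSecurityEnabled` false the sidecars are pointed at `istio-pilot.<namespace>:15007` and, earlier in the same file, at the Mixer services on port 9091 instead of 15004. I would reword the comment in the else branch to something like `# Control-plane mutual TLS is disabled: sidecars reach Pilot without authentication`. The `policyCheckFailOpen` comment could also say outright that setting it to true lets requests through whenever the policy service is unreachable.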
@@ -0,0 +1,1116 @@ +# {{ if or .Values.global.crds (semverCompare ">=2.10.0-0" .Capabilities.TillerVersion.SemVer) }} +# these CRDs only make sense when pilot is enabled +# {{- if .Values.pilot.enabled }} +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + annotations: + "helm.sh/hook": crd-install + "helm.sh/hook-weight": "-5" + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: 
apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +# {{- end }} + +# these CRDs only make sense when security is enabled +# {{- if .Values.security.enabled }} +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: policies.authentication.istio.io +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: meshpolicies.authentication.istio.io +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +# {{- end }} + +# {{- if .Values.mixer.enabled }} +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: 
httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- + +# Mixer CRDs +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: bypass + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: 
bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: circonus + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: denier + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: fluentd + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listcheckers.config.istio.io + annotations: + "helm.sh/hook": 
crd-install + labels: + app: mixer + package: listchecker + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: memquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: noop + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: opa + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: prometheus + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: 
apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: rbac + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + package: redisquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicecontrols.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: servicecontrol + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: servicecontrol + plural: servicecontrols + singular: servicecontrol + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: signalfx + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: solarwinds + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: solarwinds + categories: + - istio-io + - policy-istio-io + 
scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: stackdriver + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: statsd + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: stdio + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: apikey + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: authorization + istio: mixer-instance +spec: + group: config.istio.io + names: 
+ kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: checknothing + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: listentry + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: logentry + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 
+metadata: + name: edges.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: edge + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: metric + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: quota + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: reportnothing + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicecontrolreports.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: servicecontrolreport + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: servicecontrolreport + plural: servicecontrolreports + singular: servicecontrolreport + 
categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: tracespan + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + 
app: mixer + package: adapter + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: instance + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: template + istio: mixer-template +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: handler + istio: mixer-handler +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +# {{- end }} +# {{ end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/templates/install-custom-resources.sh.tpl b/istio-1.0.4/install/kubernetes/helm/istio/templates/install-custom-resources.sh.tpl new file mode 100644 index 0000000..6123902 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/templates/install-custom-resources.sh.tpl 
@@ -0,0 +1,32 @@
+{{ define "install-custom-resources.sh.tpl" }}
+#!/bin/sh
+
+set -x
+
+if [ "$#" -ne "1" ]; then
+ echo "first argument should be path to custom resource yaml"
+ exit 1
+fi
+
+pathToResourceYAML=${1}
+
+/kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null
+if [ "$?" -eq 0 ]; then
+ echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready"
+ while true; do
+ /kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null
+ if [ "$?" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ done
+ /kubectl -n {{ .Release.Namespace }} rollout status deployment istio-galley
+ if [ "$?" -ne 0 ]; then
+ echo "istio-galley deployment rollout status check failed"
+ exit 1
+ fi
+ echo "istio-galley deployment ready for configuration validation"
+fi
+sleep 5
+/kubectl apply -f ${pathToResourceYAML}
+{{ end }}
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml b/istio-1.0.4/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
new file mode 100644
index 0000000..97b82b2
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/helm/istio/templates/sidecar-injector-configmap.yaml
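Review bot: The wait loop in install-custom-resources.sh.tpl (`while true; do … get deployment istio-galley … sleep 1; done`) has no upper bound, so when the validating webhook configuration exists but the istio-galley deployment is never created, the install job spins forever instead of failing visibly. Bound the loop with a retry counter and exit non-zero on timeout, as sketched below; the count shown is a constructed value to tune for the cluster. Separately, `${pathToResourceYAML}` on the final `kubectl apply` line is unquoted and would be word-split or glob-expanded if the path ever contained spaces or wildcard characters, so quote it. `set -x` also copies every command line into the job log, which is worth keeping only while nothing sensitive is passed as an argument.

```shell
# … unchanged: argument check and validatingwebhookconfiguration lookup …
  tries=0
  until /kubectl -n {{ .Release.Namespace }} get deployment istio-galley 2>/dev/null; do
    tries=$((tries + 1))
    if [ "$tries" -ge 300 ]; then  # constructed bound, tune as needed
      echo "timed out waiting for istio-galley deployment to appear"
      exit 1
    fi
    sleep 1
  done
# … unchanged: rollout status check and final sleep …
/kubectl apply -f "${pathToResourceYAML}"
```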
@@ -0,0 +1,198 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "istio.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + istio: sidecar-injector +data: + config: |- + policy: {{ .Values.global.proxy.autoInject }} + template: |- + initContainers: + - name: istio-init +{{- if contains "/" .Values.global.proxy_init.image }} + image: "{{ .Values.global.proxy_init.image }}" +{{- else }} + image: "{{ .Values.global.hub }}/{{ .Values.global.proxy_init.image }}:{{ .Values.global.tag }}" +{{- end }} + args: + - "-p" + - {{ "[[ .MeshConfig.ProxyListenPort ]]" }} + - "-u" + - 1337 + - "-m" + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]]" }} + - "-i" + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` " }} "{{ .Values.global.proxy.includeIPRanges }}" {{ " ]]\"" }} + - "-x" + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` " }} "{{ .Values.global.proxy.excludeIPRanges }}" {{ " ]]\"" }} + - "-b" + - {{ "\"[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]\"" }} + - "-d" + - {{ "\"[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` " }} "{{ .Values.global.proxy.excludeInboundPorts }}" {{ ") ]]\"" }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: true + restartPolicy: Always + {{- if .Values.global.proxy.enableCoreDump }} + - args: + - -c + - sysctl -w kernel.core_pattern=/var/lib/istio/core.proxy && ulimit -c unlimited + 
command: + - /bin/sh + image: {{ .Values.global.hub }}/proxy_init:{{ .Values.global.tag }} + imagePullPolicy: IfNotPresent + name: enable-core-dump + resources: {} + securityContext: + privileged: true + {{ end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.global.proxy.image }} + image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.proxy.image }}" {{ " ]]" }} +{{- else }} + image: {{ "[[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` " }} "{{ .Values.global.hub }}/{{ .Values.global.proxy.image }}:{{ .Values.global.tag }}" {{ " ]]" }} +{{- end }} +{{ if ne .Values.global.proxy.stats.prometheusPort 0. }} + ports: + - containerPort: {{ .Values.global.proxy.stats.prometheusPort }} + protocol: TCP + name: http-envoy-prom +{{ end }} + args: + - proxy + - sidecar + - --configPath + - {{ "[[ .ProxyConfig.ConfigPath ]]" }} + - --binaryPath + - {{ "[[ .ProxyConfig.BinaryPath ]]" }} + - --serviceCluster + {{ "[[ if ne \"\" (index .ObjectMeta.Labels \"app\") -]]" }} + - {{ "[[ index .ObjectMeta.Labels \"app\" ]]" }} + {{ "[[ else -]]" }} + - "istio-proxy" + {{ "[[ end -]]" }} + - --drainDuration + - {{ "[[ formatDuration .ProxyConfig.DrainDuration ]]" }} + - --parentShutdownDuration + - {{ "[[ formatDuration .ProxyConfig.ParentShutdownDuration ]]" }} + - --discoveryAddress + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]]" }} + - --discoveryRefreshDelay + - {{ "[[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]]" }} + - --zipkinAddress + - {{ "[[ .ProxyConfig.ZipkinAddress ]]" }} + - --connectTimeout + - {{ "[[ formatDuration .ProxyConfig.ConnectTimeout ]]" }} + {{- if .Values.global.proxy.envoyStatsd.enabled }} + - --statsdUdpAddress + - {{ "[[ .ProxyConfig.StatsdUdpAddress ]]" }} + {{- end }} + - --proxyAdminPort + - {{ "[[ .ProxyConfig.ProxyAdminPort ]]" }} + {{ "[[ if gt .ProxyConfig.Concurrency 0 -]]" }} + - --concurrency + - {{ "[[ 
.ProxyConfig.Concurrency ]]" }} + {{ "[[ end -]]" }} + - --controlPlaneAuthPolicy + - {{ "[[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]]" }} + {{ "[[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} + - --statusPort + - {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} + - --applicationPorts + - {{ "\"[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]\"" }} + {{ "[[- end ]]" }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_INTERCEPTION_MODE + value: {{ "[[ or (index .ObjectMeta.Annotations \"sidecar.istio.io/interceptionMode\") .ProxyConfig.InterceptionMode.String ]]" }} + {{ "[[ if .ObjectMeta.Annotations ]]" }} + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + {{ "[[ toJson .ObjectMeta.Annotations ]]" }} + {{ "[[ end ]]" }} + {{ "[[ if .ObjectMeta.Labels ]]" }} + - name: ISTIO_METAJSON_LABELS + value: | + {{ "[[ toJson .ObjectMeta.Labels ]]" }} + {{ "[[ end ]]" }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + {{ "[[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ ") \"0\") ]]" }} + readinessProbe: + httpGet: + path: /healthz/ready + port: {{ "[[ annotation .ObjectMeta `status.sidecar.istio.io/port` " }} {{ .Values.global.proxy.statusPort }} {{ " ]]" }} + initialDelaySeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` " }} {{ .Values.global.proxy.readinessInitialDelaySeconds }} {{ " ]]" }} + 
periodSeconds: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` " }} {{ .Values.global.proxy.readinessPeriodSeconds }} {{ " ]]" }} + failureThreshold: {{ "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` " }} {{ .Values.global.proxy.readinessFailureThreshold }} {{ " ]]" }} + {{ "[[ end -]]" -}} + securityContext: + {{ if .Values.global.proxy.privileged }} + privileged: true + {{ end -}} + {{- if ne .Values.global.proxy.enableCoreDump true }} + readOnlyRootFilesystem: true + {{- end }} + {{ "[[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) \"TPROXY\" -]]" }} + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + {{ "[[ else -]]" }} + runAsUser: 1337 + {{ "[[ end -]]" }} + restartPolicy: Always + resources: + {{ "[[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]]" }} + requests: + cpu: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]\"" }} + memory: {{ "\"[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]\"" }} + {{ "[[ else -]]" }} +{{- if .Values.global.proxy.resources }} +{{ toYaml .Values.global.proxy.resources | indent 10 }} +{{- end }} + {{ "[[ end -]]" }} + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + {{ "[[ if eq .Spec.ServiceAccountName \"\" -]]" }} + secretName: istio.default + {{ "[[ else -]]" }} + secretName: {{ "[[ printf \"istio.%s\" .Spec.ServiceAccountName ]]" }} + {{ "[[ end -]]" }} +{{- end }} diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth-galley.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth-galley.yaml new file mode 100644 index 0000000..c95b299 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth-galley.yaml 
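Review bot: In sidecar-injector-configmap.yaml the injected `istio-init` container sets an unconditional `privileged: true` next to `capabilities: add: - NET_ADMIN`, which makes the capability list moot and gives every pod that receives a sidecar an init container with full privilege. If NET_ADMIN is sufficient for the iptables setup this image performs (values.yaml describes it as configuring iptables; confirm on the target runtime), drop the `privileged: true` line, or gate it the way the `istio-proxy` container already does with `{{ if .Values.global.proxy.privileged }}`. The optional `enable-core-dump` container is privileged as well because it writes `kernel.core_pattern`, so a comment on that block such as `# privileged: changes a kernel sysctl; enable only for debugging` would make the cost of `enableCoreDump` explicit.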
@@ -0,0 +1,26 @@ +# This is used to generate istio.yaml +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + +istiotesting: + oneNameSpace: false + +prometheus: + enabled: true + +galley: + enabled: true diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth-multicluster.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth-multicluster.yaml new file mode 100644 index 0000000..4c79999 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth-multicluster.yaml @@ -0,0 +1,21 @@ +# This is used to generate istio-auth-multicluster.yaml, used for CI/CD. +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + +# In a multiple cluster environment, citadel uses the same root certificate in all the clusters +security: + selfSigned: false diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth.yaml new file mode 100644 index 0000000..49ad827 --- /dev/null 
+++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-auth.yaml @@ -0,0 +1,20 @@ +# This is used to generate istio-auth.yaml for automated CI/CD test, using v1/alpha1 +# or v2/alpha3 with 'gradual migration' (using env variable at inject time). +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-demo-auth.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-demo-auth.yaml new file mode 100644 index 0000000..6e9cd98 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-demo-auth.yaml @@ -0,0 +1,36 @@ +# This is used to generate istio-auth.yaml for minimal, demo mode with MTLS enabled. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. +global: + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + +ingress: + # Ingress is used for migration, for alpha3 we expect ingressgateway + enabled: false + +prometheus: + enabled: true + +pilot: + traceSampling: 100.0 + +sidecarInjectorWebhook: + enabled: true + enableNamespacesByDefault: false + +grafana: + enabled: true + +tracing: + enabled: true + +servicegraph: + enabled: true + +galley: + enabled: true 
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-demo.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-demo.yaml new file mode 100644 index 0000000..78d3887 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-demo.yaml @@ -0,0 +1,35 @@ +# This is used to generate istio.yaml for minimal, demo mode. +# It is shipped with the release, used for bookinfo or quick installation of istio. +# Includes components used in the demo, defaults to alpha3 rules. + +# If running in minikube you may add: +# --set global.nodePort=true +# --set ingressgateway.service.type=NodePort +global: + nodePort: false + +ingress: + # Ingress is used for migration, for alpha3 we expect ingressgateway + enabled: false + +prometheus: + enabled: true + +pilot: + traceSampling: 100.0 + +sidecarInjectorWebhook: + enabled: true + enableNamespacesByDefault: false + +grafana: + enabled: true + +tracing: + enabled: true + +servicegraph: + enabled: true + +galley: + enabled: true diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-galley.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-galley.yaml new file mode 100644 index 0000000..858fbb0 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-galley.yaml @@ -0,0 +1,26 @@ +# This is used to generate istio.yaml +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + +istiotesting: + oneNameSpace: false + +prometheus: + enabled: true + +galley: + enabled: true 
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-gateways.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-gateways.yaml new file mode 100644 index 0000000..cadbb7f --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-gateways.yaml 
@@ -0,0 +1,135 @@
+# Common settings.
+global:
+ # Include the crd definition when generating the template.
+ # For 'helm template' and helm install > 2.10 it should be true.
+ # For helm < 2.9, crds must be installed ahead of time with
+ # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
+ # and this options must be set off.
+ crds: false
+
+ # Omit the istio-sidecar-injector configmap when generate a
+ # standalone gateway. Gateways may be created in namespaces other
+ # than `istio-system` and we don't want to re-create the injector
+ # configmap in those.
+ omitSidecarInjectorConfigMap: true
+
+ # Istio control plane namespace: This specifies where the Istio control
+ # plane was installed earlier. Modify this if you installed the control
+ # plane in a different namespace than istio-system.
+ istioNamespace: istio-system
+
+ proxy:
+ # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument
+ # would be :).
+ # Disabled by default.
+ # The istio-statsd-prom-bridge is deprecated and should not be used moving forward.
+ envoyStatsd:
+ # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector.
+ enabled: false
+ host: # example: statsd-svc
+ port: # example: 9125
+
+
+#
+# Gateways Configuration
+# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh.
+# You can add more gateways in addition to the defaults but make sure those are uniquely named
+# and that NodePorts are not conflicting.
+# Disable specifc gateway by setting the `enabled` to false.
+#
+gateways:
+ enabled: true
+
+ custom-gateway:
+ enabled: true
+ labels:
+ app: custom-gateway
+ replicaCount: 1
+ autoscaleMin: 1
+ autoscaleMax: 5
+ resources: {}
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ #requests:
+ # cpu: 1800m
+ # memory: 256Mi
+
+ loadBalancerIP: ""
+ serviceAnnotations: {}
+ type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be
+ # Uncomment the following line to preserve client source ip.
+ # externalTrafficPolicy: Local
+
+ ports:
+ ## You can add custom gateway ports
+ - port: 80
+ targetPort: 80
+ name: http2
+ # nodePort: 31380
+ - port: 443
+ name: https
+ # nodePort: 31390
+ - port: 31400
+ name: tcp
+ # nodePort: 31400
+ # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect
+ # to pilot/citadel if global.meshExpansion settings are enabled.
+ - port: 15011
+ targetPort: 15011
+ name: tcp-pilot-grpc-tls
+ - port: 8060
+ targetPort: 8060
+ name: tcp-citadel-grpc-tls
+ # Telemetry-related ports are enabled in gateway - but will only redirect if
+ # the gateway configration for the various components are enabled.
+ - port: 15030
+ targetPort: 15030
+ name: http2-prometheus
+ - port: 15031
+ targetPort: 15031
+ name: http2-grafana
+ secretVolumes:
+ - name: customgateway-certs
+ secretName: istio-customgateway-certs
+ mountPath: /etc/istio/customgateway-certs
+ - name: customgateway-ca-certs
+ secretName: istio-customgateway-ca-certs
+ mountPath: /etc/istio/customgateway-ca-certs
+
+# all other components are disabled except the gateways
+ingress:
+ enabled: false
+
+security:
+ enabled: false
+
+sidecarInjectorWebhook:
+ enabled: false
+
+galley:
+ enabled: false
+
+mixer:
+ enabled: false
+
+pilot:
+ enabled: false
+
+grafana:
+ enabled: false
+
+prometheus:
+ enabled: false
+
+servicegraph:
+ enabled: false
+
+tracing:
+ enabled: false
+
+kiali:
+ enabled: false
+
+certmanager:
+ enabled: false
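Review bot: The `custom-gateway` entry in values-istio-gateways.yaml is `type: LoadBalancer` and its `ports` list publishes 15011 (`tcp-pilot-grpc-tls`), 8060 (`tcp-citadel-grpc-tls`), 15030 (`http2-prometheus`) and 15031 (`http2-grafana`) alongside 80 and 443. The comments say these only redirect once mesh expansion or the telemetry gateways are configured, but the entries would still be part of the externally reachable Service by default, which widens the exposed surface of a standalone gateway for no stated benefit. Consider shipping those four entries commented out, as the `nodePort` lines already are, under a comment such as `# Uncomment only when global.meshExpansion or the telemetry gateways are enabled`, so control-plane and telemetry ports are exposed only by explicit choice.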
diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-multicluster.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-multicluster.yaml new file mode 100644 index 0000000..6974a55 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-multicluster.yaml @@ -0,0 +1,24 @@ +# This is used to generate istio-multicluster.yaml, used for CI/CD. +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + +prometheus: + enabled: true + +# In a multiple cluster environment, citadel uses the same root certificate in all the clusters +security: + selfSigned: false diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-one-namespace-auth.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-one-namespace-auth.yaml new file mode 100644 index 0000000..d0a11d7 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-one-namespace-auth.yaml 
@@ -0,0 +1,20 @@ +# This is used to generate istio.yaml used for deprecated CI/CD testing. +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: true + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: true + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + +istiotesting: + oneNameSpace: true diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio-one-namespace.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-one-namespace.yaml new file mode 100644 index 0000000..c097b97 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio-one-namespace.yaml @@ -0,0 +1,20 @@ +# This is used to generate istio.yaml used for deprecated CI/CD testing. +global: + # controlPlaneMtls enabled. Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: false + + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s + +istiotesting: + oneNameSpace: true diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values-istio.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values-istio.yaml new file mode 100644 index 0000000..37eba9c --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values-istio.yaml 
@@ -0,0 +1,9 @@ +# This is used to generate istio.yaml for automated CI/CD test, using v1/alpha1 +# or v2/alpha3 with 'gradual migration' (using env variable at inject time). +global: + ## imagePullSecrets for all ServiceAccount. Must be set for any clustser configured with privte docker registry. + # imagePullSecrets: + # - name: "private-registry-key" + + # Default is 10s second + refreshInterval: 1s diff --git a/istio-1.0.4/install/kubernetes/helm/istio/values.yaml b/istio-1.0.4/install/kubernetes/helm/istio/values.yaml new file mode 100644 index 0000000..453bd06 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/helm/istio/values.yaml 
@@ -0,0 +1,580 @@ +# Common settings. +global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Daily builds from prow are on gcr.io, and nightly builds from circle on docker.io/istionightly + hub: docker.io/istio + + # Default tag for Istio images. + tag: 1.0.4 + + # Gateway used for legacy k8s Ingress resources. By default it is + # using 'istio:ingress', to match 0.8 config. It requires that + # ingress.enabled is set to true. You can also set it + # to ingressgateway, or any other gateway you define in the 'gateway' + # section. + k8sIngressSelector: ingress + + # k8sIngressHttps will add port 443 on the ingress and ingressgateway. + # It REQUIRES that the certificates are installed in the + # expected secrets - enabling this option without certificates + # will result in LDS rejection and the ingress will not work. + k8sIngressHttps: false + + proxy: + image: proxyv2 + + # Resources for the sidecar. + resources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Controls number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 0 + + # Configures the access log for each sidecar. Setting it to an empty string will + # disable access log for sidecar. + accessLogFile: "/dev/stdout" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # If set, newly injected sidecars will have core dumps enabled. Core dumps will always be written to the same + # file to prevent storage filling up indefinitely. Add a timestamp option to core_pattern to keep all cores: + # e.g. sysctl -w kernel.core_pattern=/var/lib/istio/core.%e.%p.%t + enableCoreDump: false + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + # statusPort: 15020 + statusPort: 0 + + # The initial delay for readiness probes in seconds. 
+ readinessInitialDelaySeconds: 1 + + # The period between readiness probes. + readinessPeriodSeconds: 2 + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 30 + + # istio egress capture whitelist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + + # istio ingress capture whitelist + # examples: + # Redirect no inbound traffic to Envoy: --includeInboundPorts="" + # Redirect all inbound traffic to Envoy: --includeInboundPorts="*" + # Redirect only selected ports: --includeInboundPorts="80,8080" + includeInboundPorts: "*" + excludeInboundPorts: "" + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # Sets the destination Statsd in envoy (the value of the "--statsdUdpAddress" proxy argument + # would be :). + # Disabled by default. + # The istio-statsd-prom-bridge is deprecated and should not be used moving forward. + envoyStatsd: + # If enabled is set to true, host and port must also be provided. Istio no longer provides a statsd collector. + enabled: false + host: # example: statsd-svc + port: # example: 9125 + + # This controls the stats collection for proxies. To disable stats + # collection, set the prometheusPort to 0. + stats: + prometheusPort: 15090 + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxy_init + + # imagePullPolicy is applied to istio control plane components. + # local tests require IfNotPresent, to avoid uploading to dockerhub. + # TODO: Switch to Always as default, and override in the local tests. + imagePullPolicy: IfNotPresent + + # controlPlaneMtls enabled. 
Will result in delays starting the pods while secrets are + # propagated, not recommended for tests. + controlPlaneSecurityEnabled: false + + # disablePolicyChecks disables mixer policy checks. + # Will set the value with same name in istio config map - pilot needs to be restarted to take effect. + disablePolicyChecks: false + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + + # EnableTracing sets the value with same name in istio config map, requires pilot restart to take effect. + enableTracing: true + + # Default mtls policy. If true, mtls between services will be enabled by default. + mtls: + # Default setting for service-to-service mtls. Can be set explicitly using + # destination rules or service annotations. + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any clustser configured with privte docker registry. + imagePullSecrets: + # - private-registry-key + + # Specify pod scheduling arch(amd64, ppc64le, s390x) and weight as follows: + # 0 - Never scheduled + # 1 - Least preferred + # 2 - No preference + # 3 - Most preferred + arch: + amd64: 2 + s390x: 2 + ppc64le: 2 + + # Whether to restrict the applications namespace the controller manages; + # If not set, controller watches all namespaces + oneNamespace: false + + # Whether to perform server-side validation of configuration. 
+ configValidation: true + + # If set to true, the pilot and citadel mtls will be exposed on the + # ingress gateway + meshExpansion: false + + # If set to true, the pilot and citadel mtls and the plain text pilot ports + # will be exposed on an internal gateway + meshExpansionILB: false + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Not recommended for user to configure this. Hyperkube image to use when creating custom resources + hyperkube: + hub: quay.io/coreos + tag: v1.7.6_coreos.0 + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low prioroty class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Include the crd definition when generating the template. + # For 'helm template' and helm install > 2.10 it should be true. + # For helm < 2.9, crds must be installed ahead of time with + # 'kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml + # and this options must be set off. + crds: true + +# +# ingress configuration +# +ingress: + enabled: false + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + service: + annotations: {} + loadBalancerIP: "" + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + # Uncomment the following line to preserve client source ip. 
+ # externalTrafficPolicy: Local + ports: + - port: 80 + name: http + nodePort: 32000 + - port: 443 + name: https + selector: + istio: ingress + +# +# Gateways Configuration +# By default (if enabled) a pair of Ingress and Egress Gateways will be created for the mesh. +# You can add more gateways in addition to the defaults but make sure those are uniquely named +# and that NodePorts are not conflicting. +# Disable specifc gateway by setting the `enabled` to false. +# +gateways: + enabled: true + + istio-ingressgateway: + enabled: true + labels: + app: istio-ingressgateway + istio: ingressgateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + #requests: + # cpu: 1800m + # memory: 256Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + serviceAnnotations: {} + type: LoadBalancer #change to NodePort, ClusterIP or LoadBalancer if need be + # Uncomment the following line to preserve client source ip. + # externalTrafficPolicy: Local + + ports: + ## You can add custom gateway ports + - port: 80 + targetPort: 80 + name: http2 + nodePort: 31380 + - port: 443 + name: https + nodePort: 31390 + - port: 31400 + name: tcp + nodePort: 31400 + # Pilot and Citadel MTLS ports are enabled in gateway - but will only redirect + # to pilot/citadel if global.meshExpansion settings are enabled. 
+ - port: 15011 + targetPort: 15011 + name: tcp-pilot-grpc-tls + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + - port: 853 + targetPort: 853 + name: tcp-dns-tls + - port: 15030 + targetPort: 15030 + name: http2-prometheus + - port: 15031 + targetPort: 15031 + name: http2-grafana + secretVolumes: + - name: ingressgateway-certs + secretName: istio-ingressgateway-certs + mountPath: /etc/istio/ingressgateway-certs + - name: ingressgateway-ca-certs + secretName: istio-ingressgateway-ca-certs + mountPath: /etc/istio/ingressgateway-ca-certs + + istio-egressgateway: + enabled: true + labels: + app: istio-egressgateway + istio: egressgateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + serviceAnnotations: {} + type: ClusterIP #change to NodePort or LoadBalancer if need be + ports: + - port: 80 + name: http2 + - port: 443 + name: https + secretVolumes: + - name: egressgateway-certs + secretName: istio-egressgateway-certs + mountPath: /etc/istio/egressgateway-certs + - name: egressgateway-ca-certs + secretName: istio-egressgateway-ca-certs + mountPath: /etc/istio/egressgateway-ca-certs + + # Mesh ILB gateway creates a gateway of type InternalLoadBalancer, + # for mesh expansion. It exposes the mtls ports for Pilot,CA as well + # as non-mtls ports to support upgrades and gradual transition. + istio-ilbgateway: + enabled: false + labels: + app: istio-ilbgateway + istio: ilbgateway + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + resources: + requests: + cpu: 800m + memory: 512Mi + #limits: + # cpu: 1800m + # memory: 256Mi + cpu: + targetAverageUtilization: 80 + loadBalancerIP: "" + serviceAnnotations: + cloud.google.com/load-balancer-type: "internal" + type: LoadBalancer + ports: + ## You can add custom gateway ports - google ILB default quota is 5 ports, + - port: 15011 + name: grpc-pilot-mtls + # Insecure port - only for migration from 0.8. 
Will be removed in 1.1 + - port: 15010 + name: grpc-pilot + - port: 8060 + targetPort: 8060 + name: tcp-citadel-grpc-tls + # Port 853 is reserved for the kube-dns gateway + - port: 853 + name: tcp-dns + secretVolumes: + - name: ilbgateway-certs + secretName: istio-ilbgateway-certs + mountPath: /etc/istio/ilbgateway-certs + - name: ilbgateway-ca-certs + secretName: istio-ilbgateway-ca-certs + mountPath: /etc/istio/ilbgateway-ca-certs + +# +# sidecar-injector webhook configuration +# +sidecarInjectorWebhook: + enabled: true + replicaCount: 1 + image: sidecar_injector + enableNamespacesByDefault: false + +# +# galley configuration +# +galley: + enabled: true + replicaCount: 1 + image: galley + +# +# mixer configuration +# +mixer: + enabled: true + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + image: mixer + + env: + GODEBUG: gctrace=2 + + istio-policy: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + + istio-telemetry: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + cpu: + targetAverageUtilization: 80 + + prometheusStatsdExporter: + hub: docker.io/prom + tag: v0.6.0 + +# +# pilot configuration +# +pilot: + enabled: true + replicaCount: 1 + autoscaleMin: 1 + autoscaleMax: 5 + image: pilot + sidecar: true + traceSampling: 1.0 + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + env: + PILOT_PUSH_THROTTLE_COUNT: 100 + GODEBUG: gctrace=2 + cpu: + targetAverageUtilization: 80 + +# +# security configuration +# +security: + replicaCount: 1 + image: citadel + selfSigned: true # indicate if self-signed CA is used. 
+ +# +# addons configuration +# +telemetry-gateway: + gatewayName: ingressgateway + grafanaEnabled: false + prometheusEnabled: false + +grafana: + enabled: false + replicaCount: 1 + image: + repository: grafana/grafana + tag: 5.2.3 + persist: false + storageClassName: "" + security: + enabled: false + adminUser: admin + adminPassword: admin + service: + annotations: {} + name: http + type: ClusterIP + externalPort: 3000 + internalPort: 3000 + +prometheus: + enabled: true + replicaCount: 1 + hub: docker.io/prom + tag: v2.3.1 + + service: + annotations: {} + nodePort: + enabled: false + port: 32090 + +servicegraph: + enabled: false + replicaCount: 1 + image: servicegraph + service: + annotations: {} + name: http + type: ClusterIP + externalPort: 8088 + internalPort: 8088 + ingress: + enabled: false + # Used to create an Ingress record. + hosts: + - servicegraph.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: servicegraph-tls + # hosts: + # - servicegraph.local + # prometheus addres + prometheusAddr: http://prometheus:9090 + +tracing: + enabled: false + provider: jaeger + jaeger: + hub: docker.io/jaegertracing + tag: 1.5 + memory: + max_traces: 50000 + ui: + port: 16686 + ingress: + enabled: false + # Used to create an Ingress record. + hosts: + - jaeger.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: jaeger-tls + # hosts: + # - jaeger.local + replicaCount: 1 + service: + annotations: {} + name: http + type: ClusterIP + externalPort: 9411 + internalPort: 9411 + ingress: + enabled: false + # Used to create an Ingress record. + hosts: + - tracing.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. 
+ # - secretName: tracing-tls + # hosts: + # - tracing.local + +kiali: + enabled: false + replicaCount: 1 + hub: docker.io/kiali + tag: v0.9 + ingress: + enabled: false + ## Used to create an Ingress record. + # hosts: + # - kiali.local + annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + tls: + # Secrets must be manually created in the namespace. + # - secretName: kiali-tls + # hosts: + # - kiali.local + dashboard: + username: admin + # Default admin passphrase for kiali. Must be set during setup, and + # changed by overriding the secret + passphrase: admin + + # Override the automatically detected Grafana URL, usefull when Grafana service has no ExternalIPs + # grafanaURL: + + # Override the automatically detected Jaeger URL, usefull when Jaeger service has no ExternalIPs + # jaegerURL: + +# Certmanager uses ACME to sign certificates. Since Istio gateways are +# mounting the TLS secrets the Certificate CRDs must be created in the +# istio-system namespace. Once the certificate has been created, the +# gateway must be updated by adding 'secretVolumes'. After the gateway +# restart, DestinationRules can be created using the ACME-signed certificates. +certmanager: + enabled: false + hub: quay.io/jetstack + tag: v0.3.1 + resources: {} diff --git a/istio-1.0.4/install/kubernetes/istio-citadel-plugin-certs.yaml b/istio-1.0.4/install/kubernetes/istio-citadel-plugin-certs.yaml new file mode 100644 index 0000000..c6c536f --- /dev/null +++ b/istio-1.0.4/install/kubernetes/istio-citadel-plugin-certs.yaml 
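Review bot: In `values.yaml`, the `grafana.security` block sets `adminUser: admin` / `adminPassword: admin` and the `kiali.dashboard` block sets `username: admin` / `passphrase: admin`, so switching either add-on on without an override deploys it with a well-known credential. Both add-ons are `enabled: false` in this file, so nothing is exposed as committed, and the Kiali comment already says the passphrase must be set during setup. I would say so next to both values, e.g. `# placeholder only: supply a real value from an override file or a Secret at install time`, and keep the real values out of the repository. The same override is where `global.mtls.enabled` and `global.controlPlaneSecurityEnabled`, both `false` here, would be turned on for anything other than a test cluster.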
@@ -0,0 +1,50 @@
+################################
+# Citadel with plug-in key/certs. Run this after istio-auth.yaml
+################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-citadel-service-account
+ namespace: istio-system
+---
+apiVersion: v1
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: istio-citadel
+ namespace: istio-system
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-citadel-service-account
+ containers:
+ - name: citadel
+ image: docker.io/istio/citadel:1.0.4
+ imagePullPolicy: IfNotPresent
+ command: ["/usr/local/bin/istio_ca"]
+ args:
+ - --append-dns-names=true
+ - --citadel-storage-namespace=istio-system
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --self-signed-ca=false
+ - --signing-cert=/etc/cacerts/ca-cert.pem
+ - --signing-key=/etc/cacerts/ca-key.pem
+ - --root-cert=/etc/cacerts/root-cert.pem
+ - --cert-chain=/etc/cacerts/cert-chain.pem
+ volumeMounts:
+ - name: cacerts
+ mountPath: /etc/cacerts
+ readOnly: true
+ volumes:
+ - name: cacerts
+ secret:
+ secretName: cacerts
+ optional: true
+---
diff --git a/istio-1.0.4/install/kubernetes/istio-citadel-standalone.yaml b/istio-1.0.4/install/kubernetes/istio-citadel-standalone.yaml
new file mode 100644
index 0000000..f982262
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/istio-citadel-standalone.yaml
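Review bot: The Deployment document in `istio-citadel-plugin-certs.yaml` declares `apiVersion` twice, `apiVersion: v1` before `kind: Deployment` and `apiVersion: extensions/v1beta1` after it; duplicate mapping keys are not valid YAML and which one wins depends on the parser. Dropping the first line leaves the intended `apiVersion: extensions/v1beta1`, though that API group is no longer served for Deployments on Kubernetes 1.16 and later, where `apps/v1` with an explicit `spec.selector` is required. The same pair of lines appears in the Deployment of `istio-citadel-standalone.yaml` and `istio-citadel-with-health-check.yaml` further down. Separately, the `cacerts` Secret mounted here holds the CA signing key (`ca-key.pem`), so read access to Secrets in `istio-system` is equivalent to being able to issue mesh identities and should be granted accordingly.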
@@ -0,0 +1,90 @@
+################################
+# Deploy Citadel as a stand alone service in a cluster
+################################
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: istio-citadel-istio-system
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "get", "watch", "list", "update", "delete"]
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "watch", "list"]
+---
+# Grant permissions to Citadel.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: istio-citadel-role-binding-istio-system
+subjects:
+- kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: istio-system
+roleRef:
+ kind: ClusterRole
+ name: istio-citadel-istio-system
+ apiGroup: rbac.authorization.k8s.io
+---
+# Service account for Citadel
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-citadel-service-account
+ namespace: istio-system
+---
+apiVersion: v1
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: istio-standalone-citadel
+ namespace: istio-system
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: standalone-citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-citadel-service-account
+ containers:
+ - name: citadel
+ image: docker.io/istio/citadel:1.0.4
+ imagePullPolicy: IfNotPresent
+ args:
+ - --citadel-storage-namespace=istio-system
+ - --grpc-port=8060
+ - --grpc-host-identities=istio-standalone-citadel
+ - --self-signed-ca=true
+ - --self-signed-ca-org=test-org
+ - --self-signed-ca-cert-ttl=24000h
+ - --sign-ca-certs=true # Whether Citadel issues certs for other Citadels.
+ - --workload-cert-ttl=21h
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: standalone-citadel-ilb
+ namespace: istio-system
+ annotations:
+ cloud.google.com/load-balancer-type: "internal"
+ labels:
+ istio: standalone-citadel
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 8060
+ protocol: TCP
+ selector:
+ istio: standalone-citadel
diff --git a/istio-1.0.4/install/kubernetes/istio-citadel-with-health-check.yaml b/istio-1.0.4/install/kubernetes/istio-citadel-with-health-check.yaml
new file mode 100644
index 0000000..360eace
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/istio-citadel-with-health-check.yaml
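Review bot: The `istio-citadel-istio-system` ClusterRole in `istio-citadel-standalone.yaml` grants `create`, `get`, `watch`, `list`, `update` and `delete` on `secrets` with no namespace restriction, and the ClusterRoleBinding hands that to `istio-citadel-service-account`, so a compromise of the Citadel pod reaches every Secret in the cluster. If that breadth is required for Citadel to write workload certificates into each namespace (presumably it is), it deserves a comment above the rule, e.g. `# cluster-wide on purpose: Citadel manages per-namespace key/cert secrets; treat this pod as holding cluster secret access`. The Deployment arguments also look test-shaped (`--self-signed-ca-org=test-org`, `--self-signed-ca-cert-ttl=24000h` and `--sign-ca-certs=true`, served through an internal-annotated `LoadBalancer` Service on port 8060), so I would state in the header comment that this manifest is not meant to be applied unchanged outside a test cluster.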
@@ -0,0 +1,64 @@
+################################
+# Citadel cluster-wide
+################################
+# Service account for Citadel
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: istio-citadel-service-account
+ namespace: istio-system
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-citadel
+ namespace: istio-system
+ labels:
+ istio: citadel
+spec:
+ ports:
+ - port: 8060
+ selector:
+ istio: citadel
+---
+# Citadel watching all namespaces
+apiVersion: v1
+kind: Deployment
+apiVersion: extensions/v1beta1
+metadata:
+ name: istio-citadel
+ namespace: istio-system
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ istio: citadel
+ annotations:
+ sidecar.istio.io/inject: "false"
+ spec:
+ serviceAccountName: istio-citadel-service-account
+ containers:
+ - name: citadel
+ image: docker.io/istio/citadel:1.0.4
+ imagePullPolicy: IfNotPresent
+ command: ["/usr/local/bin/istio_ca"]
+ args:
+ - --append-dns-names=true
+ - --citadel-storage-namespace=istio-system
+ - --grpc-port=8060
+ - --grpc-hostname=citadel
+ - --self-signed-ca=true
+ - --liveness-probe-path=/tmp/ca.liveness # path to the liveness health check status file
+ - --liveness-probe-interval=60s # interval for health check file update
+ - --probe-check-interval=15s # interval for health status check
+ livenessProbe:
+ exec:
+ command:
+ - /usr/local/bin/istio_ca
+ - probe
+ - --probe-path=/tmp/ca.liveness # path to the liveness health check status file
+ - --interval=125s # the maximum time gap allowed between the file mtime and the current sys clock.
+ initialDelaySeconds: 60
+ periodSeconds: 60
+---
diff --git a/istio-1.0.4/install/kubernetes/istio-demo-auth.yaml b/istio-1.0.4/install/kubernetes/istio-demo-auth.yaml
new file mode 100644
index 0000000..4ba55ad
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/istio-demo-auth.yaml
@@ -0,0 +1,15174 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-injection: disabled +--- +# Source: istio/charts/galley/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + release: istio + heritage: Tiller + istio: mixer +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + release: istio + heritage: Tiller + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - servicecontrols + - solarwindses + - stackdrivers + - statsds + 
- stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - servicecontrolreports + - tracespans + failurePolicy: Fail + + +--- +# Source: istio/charts/grafana/templates/configmap-custom-resources.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-custom-resources + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller + istio: grafana +data: + custom-resources.yaml: |- + apiVersion: authentication.istio.io/v1alpha1 + kind: Policy + metadata: + name: grafana-ports-mtls-disabled + namespace: istio-system + spec: + targets: + - name: grafana + ports: + - number: 3000 + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" 
-ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/charts/grafana/templates/configmap-dashboards.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller + istio: grafana + +data: + + galley-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 0 + }, + "id": 3, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 0 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-6h", + "to": "now" + }, 
+ "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "DMXUJ6dmz", + "version": 1 + } +' + + istio-mesh-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "content": "
    \n
    \n Istio\n
    \n
    \n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
    \n Need help? Join the Istio community.\n
    \n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": 
false + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", 
+ "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "uid": "1", + "version": 2 +} +' + + istio-performance-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": 
{}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + 
"yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + 
}, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + 
"title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + 
sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "uid": "t8BUIg1mz", + "version": 5 +} +' + + istio-service-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, 
+ { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1530559387240, + "links": [], + "panels": [ + { + "content": "
    \nSERVICE: $service\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(rate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + 
"postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "Client TCP Bandwidth", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": 
"round(sum(rate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + 
"text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "Server TCP Bandwidth", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
    \nCLIENT WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, 
source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + 
"mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + 
"refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 
0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
    \nSERVICE WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by 
(destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ 
destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + 
"format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ 
destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + 
"lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + 
}, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": 
"dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( 
sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 10 +} +' + + istio-workload-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + 
"name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
    \nWORKLOAD: $workload.$namespace\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(rate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + 
"minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + 
"renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, 
+ "x": 0, + "y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", 
+ "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
    \nINBOUND WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by 
Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
    \nOUTBOUND SERVICES\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + 
"show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 
(🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + 
"legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", 
source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} 
P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, 
le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + 
"expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} +' + + mixer-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.2" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": 
"5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1535646398209, + "links": [], + "panels": [ + { + "content": "

    Resource Usage

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", 
+ "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 4, + "legend": { 
+ "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Mixer Overview

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 10 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 13 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_server_handled_total[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 13 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, 
+ "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 13 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + 
"total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 13 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Adapters and Config

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 22 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatch_count{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 22 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 29 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 29 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 29 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 29 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Individual Adapters

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 36 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 39 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 40 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatch_count{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, 
+ "w": 12, + "x": 12, + "y": 40 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Mixer Dashboard", + "uid": "2", + "version": 2 +} +' + + pilot-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "links": [], + "panels": [ + { + "content": "

    Resource Usage

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    xDS

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 10 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 13 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 13 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": 
false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 13 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 19 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + }, + { + "expr": "pilot_conf_filter_chains{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Filter 
Chains", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 19 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + 
"expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 19 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + 
"steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + 
"show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 53, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 34 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, 
+ "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Pilot Dashboard", + "uid": "3", + "version": 1 +} +' + + +--- +# Source: istio/charts/grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller + istio: grafana +data: + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + +--- +# Source: 
istio/charts/mixer/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-statsd-prom-bridge + namespace: istio-system + labels: + app: istio-statsd-prom-bridge + chart: mixer-1.0.4 + release: istio + heritage: Tiller + istio: mixer +data: + mapping.conf: |- + +--- +# Source: istio/charts/prometheus/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus-1.0.4 + release: istio + heritage: Tiller +data: + prometheus.yml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + + + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + + + - job_name: 'istio-policy' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. 
+ + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + # scrape config for API servers + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. + # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. 
This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. + - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) 
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] + action: drop + regex: (.+) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. 
+ kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name +--- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: istio-system + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller + istio: security +data: + custom-resources.yaml: |- + # These policy and destination rules effectively enable mTLS for all services in the mesh. For now, + # they are added to Istio installation yaml for backward compatible. In future, they should be in + # a separated yaml file so that customer can enable mTLS independent from installation. + + # Authentication policy to enable mutual TLS for all services (that have sidecar) in the mesh. 
+ apiVersion: "authentication.istio.io/v1alpha1" + kind: "MeshPolicy" + metadata: + name: "default" + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller + spec: + peers: + - mtls: {} + --- + # Corresponding destination rule to configure client side to use mutual TLS when talking to + # any service (host) in the mesh. + apiVersion: networking.istio.io/v1alpha3 + kind: DestinationRule + metadata: + name: "default" + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller + spec: + host: "*.local" + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + --- + # Destination rule to dislabe (m)TLS when talking to API server, as API server doesn't have sidecar. + # Customer should add similar destination rules for other services that dont' have sidecar. + apiVersion: networking.istio.io/v1alpha3 + kind: DestinationRule + metadata: + name: "api-server" + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller + spec: + host: "kubernetes.default.svc.cluster.local" + trafficPolicy: + tls: + mode: DISABLE + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" 
-ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/templates/configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + app: istio + chart: istio-1.0.4 + release: istio + heritage: Tiller +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: false + + # Set enableTracing to false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" + # + # Deprecated: mixer is using EDS + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:15004 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:15004 + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "" + + # How frequently should Envoy fetch key/cert from NodeAgent. + sdsRefreshDelay: 15s + + # + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. 
+ drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. + # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 0 + # + # Zipkin trace collector + zipkinAddress: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. 
+ controlPlaneAuthPolicy: MUTUAL_TLS + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15005 + +--- +# Source: istio/templates/sidecar-injector-configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: istio + chart: istio-1.0.4 + release: istio + heritage: Tiller + istio: sidecar-injector +data: + config: |- + policy: enabled + template: |- + initContainers: + - name: istio-init + image: "docker.io/istio/proxy_init:1.0.4" + args: + - "-p" + - [[ .MeshConfig.ProxyListenPort ]] + - "-u" + - 1337 + - "-m" + - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]] + - "-i" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]" + - "-x" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]" + - "-b" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]" + - "-d" + - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]" + imagePullPolicy: IfNotPresent + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: true + restartPolicy: Always + containers: + - name: istio-proxy + image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "docker.io/istio/proxyv2:1.0.4" ]] + + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - sidecar + - --configPath + - [[ .ProxyConfig.ConfigPath ]] + - --binaryPath + - [[ .ProxyConfig.BinaryPath ]] + - --serviceCluster + [[ if ne "" (index .ObjectMeta.Labels "app") -]] + - [[ index .ObjectMeta.Labels "app" ]] + [[ else -]] + - "istio-proxy" + [[ end -]] + - --drainDuration + - [[ formatDuration .ProxyConfig.DrainDuration ]] + - --parentShutdownDuration + - [[ formatDuration 
.ProxyConfig.ParentShutdownDuration ]] + - --discoveryAddress + - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]] + - --discoveryRefreshDelay + - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]] + - --zipkinAddress + - [[ .ProxyConfig.ZipkinAddress ]] + - --connectTimeout + - [[ formatDuration .ProxyConfig.ConnectTimeout ]] + - --proxyAdminPort + - [[ .ProxyConfig.ProxyAdminPort ]] + [[ if gt .ProxyConfig.Concurrency 0 -]] + - --concurrency + - [[ .ProxyConfig.Concurrency ]] + [[ end -]] + - --controlPlaneAuthPolicy + - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]] + [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) "0") ]] + - --statusPort + - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ]] + - --applicationPorts + - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]" + [[- end ]] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_INTERCEPTION_MODE + value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] + [[ if .ObjectMeta.Annotations ]] + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + [[ toJson .ObjectMeta.Annotations ]] + [[ end ]] + [[ if .ObjectMeta.Labels ]] + - name: ISTIO_METAJSON_LABELS + value: | + [[ toJson .ObjectMeta.Labels ]] + [[ end ]] + imagePullPolicy: IfNotPresent + [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) "0") ]] + readinessProbe: + httpGet: + path: /healthz/ready + port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ]] + initialDelaySeconds: [[ 
annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]] + periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]] + failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]] + [[ end -]]securityContext: + + readOnlyRootFilesystem: true + [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + runAsUser: 1337 + [[ end -]] + restartPolicy: Always + resources: + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]] + requests: + cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]" + memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]" + [[ else -]] + requests: + cpu: 10m + + [[ end -]] + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + [[ if eq .Spec.ServiceAccountName "" -]] + secretName: istio.default + [[ else -]] + secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] + [[ end -]] + +--- +# Source: istio/charts/galley/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/gateways/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-egressgateway-service-account + namespace: istio-system + labels: + app: egressgateway + chart: gateways-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + namespace: istio-system + labels: + app: 
ingressgateway + chart: gateways-1.0.4 + heritage: Tiller + release: istio +--- + +--- +# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-grafana-post-install-account + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-grafana-post-install-istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-grafana-post-install-role-binding-istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-grafana-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-grafana-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-grafana-post-install + namespace: istio-system + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller +spec: + template: + metadata: + name: istio-grafana-post-install + labels: + app: istio-grafana + release: istio + spec: + serviceAccountName: istio-grafana-post-install-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/grafana" + name: tmp-configmap-grafana + volumes: + - name: tmp-configmap-grafana + configMap: + name: istio-grafana-custom-resources + 
restartPolicy: OnFailure + +--- +# Source: istio/charts/mixer/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-mixer-service-account + namespace: istio-system + labels: + app: mixer + chart: mixer-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/pilot/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + namespace: istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + namespace: istio-system + +--- +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. 
+ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-cleanup-secrets-service-account + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security-1.0.4 + release: istio + heritage: Tiller +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + release: istio + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; 
do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + namespace: istio-system + labels: + app: istio-security + chart: security-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-istio-system + labels: + app: istio-security + chart: security-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-istio-system + labels: + app: istio-security + chart: security-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: istio-system +--- + +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-security-post-install + namespace: istio-system + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: istio-security 
+ release: istio + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + +--- +# Source: istio/charts/security/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-citadel-service-account + namespace: istio-system + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + namespace: istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/templates/crds.yaml +# +# these CRDs only make sense when pilot is enabled +# +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + categories: + - istio-io + - 
networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + annotations: + "helm.sh/hook": crd-install + "helm.sh/hook-weight": "-5" + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +# + +# these CRDs only make sense when security is enabled +# + +# +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + 
names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- + +# Mixer CRDs +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: bypass + istio: 
mixer-adapter +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: circonus + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: denier + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: fluentd + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
listcheckers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: listchecker + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: memquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: noop + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: opa + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: prometheus + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 
+--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: rbac + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + package: redisquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicecontrols.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: servicecontrol + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: servicecontrol + plural: servicecontrols + singular: servicecontrol + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: signalfx + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: solarwinds + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: 
solarwinds + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: stackdriver + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: statsd + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: stdio + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: apikey + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: authorization + 
istio: mixer-instance +spec: + group: config.istio.io + names: + kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: checknothing + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: listentry + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: logentry + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: edge + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: metric + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: quota + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: reportnothing + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicecontrolreports.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: servicecontrolreport + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: servicecontrolreport + 
plural: servicecontrolreports + singular: servicecontrolreport + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: tracespan + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
adapters.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: adapter + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: instance + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: template + istio: mixer-template +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: handler + istio: mixer-handler +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +# +# + +--- +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: 
["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["*"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: ["*"] + resources: ["endpoints"] + resourceNames: ["istio-galley"] + verbs: ["get"] + +--- +# Source: istio/charts/gateways/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: gateways + chart: gateways-1.0.4 + heritage: Tiller + release: istio + name: istio-egressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: gateways + chart: gateways-1.0.4 + heritage: Tiller + release: istio + name: istio-ingressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- + +--- +# Source: istio/charts/mixer/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-mixer-istio-system + labels: + app: mixer + chart: mixer-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] # istio CRD watcher + resources: ["*"] + verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["rbac.istio.io"] # istio RBAC watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +- 
apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/pilot/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: prometheus-istio-system +rules: +- apiGroups: [""] + resources: + - nodes + - services + - endpoints + - pods + - nodes/proxy + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: + - configmaps + verbs: ["get"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] + +--- +# Source: istio/charts/security/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", 
"delete"] +- apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "watch", "list"] +- apiGroups: [""] + resources: ["services"] + verbs: ["get", "watch", "list"] + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["*"] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + +--- +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-egressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-egressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-ingressgateway-service-account + namespace: istio-system +--- + +--- +# 
Source: istio/charts/mixer/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-mixer-admin-role-binding-istio-system + labels: + app: mixer + chart: mixer-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-mixer-istio-system +subjects: + - kind: ServiceAccount + name: istio-mixer-service-account + namespace: istio-system + +--- +# Source: istio/charts/pilot/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: istio-system + +--- +# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: prometheus-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-istio-system +subjects: +- kind: ServiceAccount + name: prometheus + namespace: istio-system + +--- +# Source: istio/charts/security/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-citadel-istio-system +subjects: + - kind: ServiceAccount + name: istio-citadel-service-account + namespace: istio-system + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: 
istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system + +--- +# Source: istio/charts/galley/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: istio-system + labels: + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 9093 + name: http-monitoring + selector: + istio: galley + +--- +# Source: istio/charts/gateways/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-egressgateway + namespace: istio-system + annotations: + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-egressgateway + istio: egressgateway +spec: + type: ClusterIP + selector: + app: istio-egressgateway + istio: egressgateway + ports: + - + name: http2 + port: 80 + - + name: https + port: 443 +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-system + annotations: + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-ingressgateway + istio: ingressgateway +spec: + type: LoadBalancer + selector: + app: istio-ingressgateway + istio: ingressgateway + ports: + - + name: http2 + nodePort: 31380 + port: 80 + targetPort: 80 + - + name: https + nodePort: 31390 + port: 443 + - + name: tcp + nodePort: 31400 + port: 31400 + - + name: tcp-pilot-grpc-tls + port: 15011 + targetPort: 15011 + - + name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - + name: tcp-dns-tls + port: 853 + targetPort: 853 + - + name: http2-prometheus + port: 15030 + targetPort: 15030 + - + name: http2-grafana + port: 15031 + targetPort: 15031 +--- + +--- +# Source: 
istio/charts/grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + annotations: + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app: grafana + +--- +# Source: istio/charts/mixer/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 9093 + selector: + istio: mixer + istio-mixer-type: policy +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 9093 + - name: prometheus + port: 42422 + selector: + istio: mixer + istio-mixer-type: telemetry +--- + +--- +# Source: istio/charts/pilot/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + release: istio + heritage: Tiller +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 9093 + name: http-monitoring + selector: + istio: pilot + +--- +# Source: istio/charts/prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: prometheus + namespace: istio-system + annotations: + prometheus.io/scrape: 'true' + labels: + name: prometheus +spec: + selector: + app: prometheus + ports: + - name: http-prometheus + protocol: TCP + port: 9090 + +--- +# Source: istio/charts/security/templates/service.yaml +apiVersion: v1 
+kind: Service +metadata: + # we use the normal name here (e.g. 'prometheus') + # as grafana is configured to use this as a data source + name: istio-citadel + namespace: istio-system + labels: + app: istio-citadel +spec: + ports: + - name: grpc-citadel + port: 8060 + targetPort: 8060 + protocol: TCP + - name: http-monitoring + port: 9093 + selector: + istio: citadel + +--- +# Source: istio/charts/servicegraph/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: servicegraph + namespace: istio-system + annotations: + labels: + app: servicegraph + chart: servicegraph-1.0.4 + release: istio + heritage: Tiller +spec: + type: ClusterIP + ports: + - port: 8088 + targetPort: 8088 + protocol: TCP + name: http + selector: + app: servicegraph + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio: sidecar-injector +spec: + ports: + - port: 443 + selector: + istio: sidecar-injector + +--- +# Source: istio/charts/galley/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley-1.0.4 + release: istio + heritage: Tiller + istio: galley +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + istio: galley + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-galley-service-account + containers: + - name: validator + image: "docker.io/istio/galley:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + - containerPort: 9093 + command: + - /usr/local/bin/galley + - validator + - --deployment-namespace=istio-system + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem 
+ - --healthCheckInterval=1s + - --healthCheckFile=/health + - --webhook-config-file + - /etc/istio/config/validatingwebhookconfiguration.yaml + volumeMounts: + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: config + mountPath: /etc/istio/config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/gateways/templates/deployment.yaml + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-egressgateway + namespace: istio-system + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-egressgateway + istio: egressgateway +spec: + replicas: 1 + template: + metadata: + labels: + app: istio-egressgateway + istio: egressgateway + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-egressgateway-service-account + containers: + - 
name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - router + - -v + - "2" + - --discoveryRefreshDelay + - '1s' #discoveryRefreshDelay + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-egressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + - istio-pilot:15005 + resources: + requests: + cpu: 10m + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: "/etc/istio/egressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" + optional: true + - name: egressgateway-ca-certs + secret: + secretName: "istio-egressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: 
beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-ingressgateway + namespace: istio-system + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-ingressgateway + istio: ingressgateway +spec: + replicas: 1 + template: + metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-ingressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 853 + - containerPort: 15030 + - containerPort: 15031 + + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - router + - -v + - "2" + - --discoveryRefreshDelay + - '1s' #discoveryRefreshDelay + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - MUTUAL_TLS + - --discoveryAddress + - istio-pilot:15005 + resources: + requests: + cpu: 10m + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: 
ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: ingressgateway-certs + mountPath: "/etc/istio/ingressgateway-certs" + readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + - name: ingressgateway-certs + secret: + secretName: "istio-ingressgateway-certs" + optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + +--- +# Source: istio/charts/grafana/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: grafana + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: grafana + image: "grafana/grafana:5.2.3" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" + - name: GF_AUTH_BASIC_ENABLED + value: 
"false" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin + - name: GF_PATHS_DATA + value: /data/grafana + resources: + requests: + cpu: 10m + + volumeMounts: + - name: data + mountPath: /data/grafana + - name: dashboards-istio + mountPath: "/var/lib/grafana/dashboards/istio" + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + volumes: + - name: config + configMap: + name: istio-grafana + - name: data + emptyDir: {} + - name: dashboards-istio + configMap: + name: istio-grafana-configuration-dashboards + +--- +# Source: istio/charts/mixer/templates/deployment.yaml + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-policy + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + replicas: 1 + template: + metadata: + labels: + app: policy + istio: mixer + istio-mixer-type: policy + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket 
+ emptyDir: {} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9093 + - containerPort: 42422 + args: + - --address + - unix:///sock/mixer.socket + - --configStoreURL=k8s:// + - --configDefaultNamespace=istio-system + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=2" + resources: + requests: + cpu: 10m + + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - --serviceCluster + - istio-policy + - --templateFile + - /etc/istio/proxy/envoy_policy.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + requests: + cpu: 10m + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true 
+ - name: uds-socket + mountPath: /sock + +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-telemetry + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + replicas: 1 + template: + metadata: + labels: + app: telemetry + istio: mixer + istio-mixer-type: telemetry + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + containers: + - name: mixer + image: "docker.io/istio/mixer:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9093 + - containerPort: 42422 + args: + - --address + - unix:///sock/mixer.socket + - --configStoreURL=k8s:// + - --configDefaultNamespace=istio-system + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=2" + resources: + requests: + cpu: 10m + + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + requests: + cpu: 10m + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs 
+ readOnly: true + - name: uds-socket + mountPath: /sock + +--- + +--- +# Source: istio/charts/pilot/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-pilot + namespace: istio-system + # TODO: default template doesn't have this, which one is right ? + labels: + app: istio-pilot + chart: pilot-1.0.4 + release: istio + heritage: Tiller + istio: pilot + annotations: + checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 +spec: + replicas: 1 + template: + metadata: + labels: + istio: pilot + app: pilot + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-pilot-service-account + containers: + - name: discovery + image: "docker.io/istio/pilot:1.0.4" + imagePullPolicy: IfNotPresent + args: + - "discovery" + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: PILOT_CACHE_SQUASH + value: "5" + - name: GODEBUG + value: "gctrace=2" + - name: PILOT_PUSH_THROTTLE_COUNT + value: "100" + - name: PILOT_TRACE_SAMPLING + value: "100" + resources: + requests: + cpu: 500m + memory: 2048Mi + + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + - --controlPlaneAuthPolicy + - MUTUAL_TLS + env: + - name: 
POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + requests: + cpu: 10m + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/prometheus/templates/deployment.yaml +# TODO: the original template has service account, roles, etc +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + template: + metadata: + labels: + app: prometheus + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus + image: "docker.io/prom/prometheus:v2.3.1" + imagePullPolicy: IfNotPresent + args: + - '--storage.tsdb.retention=6h' + - '--config.file=/etc/prometheus/prometheus.yml' + ports: + - containerPort: 9090 + name: http + 
livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: + requests: + cpu: 10m + + volumeMounts: + - name: config-volume + mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs + volumes: + - name: config-volume + configMap: + name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/deployment.yaml +# istio CA watching all namespaces +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-citadel + namespace: istio-system + labels: + app: security + chart: security-1.0.4 + release: istio + heritage: Tiller + istio: citadel +spec: + replicas: 1 + template: + metadata: + labels: + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-citadel-service-account + containers: + - name: citadel + image: "docker.io/istio/citadel:1.0.4" + imagePullPolicy: IfNotPresent + args: + - --append-dns-names=true + - --grpc-port=8060 + - --grpc-hostname=citadel + - --citadel-storage-namespace=istio-system + - 
--custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system,istio-ingressgateway-service-account.istio-system:istio-ingressgateway.istio-system + - --self-signed-ca=true + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/servicegraph/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: servicegraph + namespace: istio-system + labels: + app: servicegraph + chart: servicegraph-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: servicegraph + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: servicegraph + image: "docker.io/istio/servicegraph:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8088 + args: + - --prometheusAddr=http://prometheus:9090 + livenessProbe: + httpGet: + path: /graph + port: 8088 + readinessProbe: + httpGet: + path: /graph + port: 8088 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + 
operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook-1.0.4 + release: istio + heritage: Tiller + istio: sidecar-injector +spec: + replicas: 1 + template: + metadata: + labels: + istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-sidecar-injector-service-account + containers: + - name: sidecar-injector-webhook + image: "docker.io/istio/sidecar_injector:1.0.4" + imagePullPolicy: IfNotPresent + args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - --healthCheckFile=/health + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + secret: + secretName: 
istio.istio-sidecar-injector-service-account + - name: inject-config + configMap: + name: istio-sidecar-injector + items: + - key: config + path: config + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/tracing/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-tracing + namespace: istio-system + labels: + app: istio-tracing + chart: tracing-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: jaeger + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: jaeger + image: "docker.io/jaegertracing/all-in-one:1.5" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "50000" + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + 
operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/pilot/templates/gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-autogenerated-k8s-ingress + namespace: istio-system +spec: + selector: + istio: ingress + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" + +--- + +--- +# Source: istio/charts/gateways/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-egressgateway + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-egressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/mixer/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-policy + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: 
HorizontalPodAutoscaler +metadata: + name: istio-telemetry + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/tracing/templates/service-jaeger.yaml + + +apiVersion: v1 +kind: List +items: +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-query + namespace: istio-system + annotations: + labels: + app: jaeger + jaeger-infra: jaeger-service + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: query-http + port: 16686 + protocol: TCP + targetPort: 16686 + selector: + app: jaeger +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-collector + namespace: istio-system + labels: + app: jaeger + jaeger-infra: collector-service + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: jaeger-collector-tchannel + port: 14267 + protocol: TCP + targetPort: 14267 + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + selector: + app: jaeger + type: ClusterIP +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-agent + namespace: istio-system + labels: + app: jaeger + jaeger-infra: agent-service + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: agent-zipkin-thrift + port: 5775 + protocol: UDP + targetPort: 5775 + - name: agent-compact + port: 6831 + protocol: UDP + targetPort: 6831 + - name: agent-binary + port: 
6832 + protocol: UDP + targetPort: 6832 + clusterIP: None + selector: + app: jaeger + + + +--- +# Source: istio/charts/tracing/templates/service.yaml +apiVersion: v1 +kind: List +items: +- apiVersion: v1 + kind: Service + metadata: + name: zipkin + namespace: istio-system + labels: + app: jaeger + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + type: ClusterIP + ports: + - port: 9411 + targetPort: 9411 + protocol: TCP + name: http + selector: + app: jaeger +- apiVersion: v1 + kind: Service + metadata: + name: tracing + namespace: istio-system + annotations: + labels: + app: jaeger + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: http-query + port: 80 + protocol: TCP + targetPort: 16686 + selector: + app: jaeger + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + release: istio + heritage: Tiller +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istio-sidecar-injector + namespace: istio-system + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled + + +--- +# Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl + + +--- +# Source: istio/charts/grafana/templates/grafana-ports-mtls.yaml + + +--- +# Source: istio/charts/grafana/templates/pvc.yaml + + +--- +# Source: istio/charts/grafana/templates/secret.yaml + +--- +# Source: istio/charts/pilot/templates/meshexpansion.yaml + + +--- +# Source: istio/charts/security/templates/enable-mesh-mtls.yaml + + +--- +# Source: istio/charts/security/templates/enable-mesh-permissive.yaml + + +--- +# 
Source: istio/charts/security/templates/meshexpansion.yaml + + +--- + +--- +# Source: istio/charts/servicegraph/templates/ingress.yaml + +--- +# Source: istio/charts/telemetry-gateway/templates/gateway.yaml + + +--- +# Source: istio/charts/tracing/templates/ingress-jaeger.yaml + +--- +# Source: istio/charts/tracing/templates/ingress.yaml + +--- +# Source: istio/templates/install-custom-resources.sh.tpl + + +--- +# Source: istio/charts/mixer/templates/config.yaml +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: istio-system +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + 
valueType: BOOL + connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: istio-system +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.service: # DEPRECATED + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service: # DEPRECATED + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + 
destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: stdio +metadata: + name: handler + namespace: istio-system +spec: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseSize: response.size | 0 + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: 
response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: istio-system 
+spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + namespace: istio-system +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + namespace: istio-system +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", 
"destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + namespace: istio-system +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: 
destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + namespace: istio-system +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + namespace: istio-system +spec: + value: 
connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + namespace: istio-system +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | 
"unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: handler + namespace: istio-system +spec: + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - 
destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + namespace: istio-system +spec: + match: 
context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.prometheus + instances: + - requestcount.metric + - requestduration.metric + - requestsize.metric + - responsesize.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- + +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetesenv +metadata: + name: handler + namespace: istio-system +spec: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + namespace: istio-system +spec: + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + namespace: istio-system +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attribute_bindings: + # Fill the new attributes from the adapter produced output. 
+ # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" + +--- +# Configuration needed by Mixer. 
+# Mixer cluster is delivered via CDS
+# Specify mixer cluster settings
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-policy
+ namespace: istio-system
+spec:
+ host: istio-policy.istio-system.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 15004
+ tls:
+ mode: ISTIO_MUTUAL
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: istio-telemetry
+ namespace: istio-system
+spec:
+ host: istio-telemetry.istio-system.svc.cluster.local
+ trafficPolicy:
+ portLevelSettings:
+ - port:
+ number: 15004
+ tls:
+ mode: ISTIO_MUTUAL
+ connectionPool:
+ http:
+ http2MaxRequests: 10000
+ maxRequestsPerConnection: 10000
+---
+
diff --git a/istio-1.0.4/install/kubernetes/istio-demo.yaml b/istio-1.0.4/install/kubernetes/istio-demo.yaml
new file mode 100644
index 0000000..788d73d
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/istio-demo.yaml
@@ -0,0 +1,15127 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-injection: disabled +--- +# Source: istio/charts/galley/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + release: istio + heritage: Tiller + istio: mixer +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + release: istio + heritage: Tiller + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - servicecontrols + - solarwindses + - stackdrivers + - statsds + 
- stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - servicecontrolreports + - tracespans + failurePolicy: Fail + + +--- +# Source: istio/charts/grafana/templates/configmap-custom-resources.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-custom-resources + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller + istio: grafana +data: + custom-resources.yaml: |- + apiVersion: authentication.istio.io/v1alpha1 + kind: Policy + metadata: + name: grafana-ports-mtls-disabled + namespace: istio-system + spec: + targets: + - name: grafana + ports: + - number: 3000 + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" 
-ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/charts/grafana/templates/configmap-dashboards.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller + istio: grafana + +data: + + galley-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 0 + }, + "id": 3, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 0 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-6h", + "to": "now" + }, 
+ "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "DMXUJ6dmz", + "version": 1 + } +' + + istio-mesh-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "content": "
    \n
    \n Istio\n
    \n
    \n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
    \n Need help? Join the Istio community.\n
    \n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": 
false + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", 
+ "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + 
"value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": 
"YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": 
"label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", 
response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + 
"dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + 
"intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "uid": "1", + "version": 2 +} +' + + istio-performance-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": 
{}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + 
"yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + 
}, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + 
"title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + 
sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "uid": "t8BUIg1mz", + "version": 5 +} +' + + istio-service-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, 
+ { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1530559387240, + "links": [], + "panels": [ + { + "content": "
    \nSERVICE: $service\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(rate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + 
"thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + 
"postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "Client TCP Bandwidth", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": 
"round(sum(rate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + 
"text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": 
true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "Server TCP Bandwidth", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
    \nCLIENT WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": 
"graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, 
source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", 
source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + 
"mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + 
"refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + 
"legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 
0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
    \nSERVICE WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + 
"shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", 
destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[30s])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by 
(destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + 
"expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ 
destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + 
"format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ 
destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + 
"lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + 
}, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": 
"dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( 
sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 10 +} +' + + istio-workload-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + 
"name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
    \nWORKLOAD: $workload.$namespace\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(rate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[30s])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + 
"minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[30s])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[30s]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + 
"renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, 
+ "x": 0, + "y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", 
+ "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
    \nINBOUND WORKLOADS\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by 
Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": 
"sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[30s])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": 
"flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", 
destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + 
}, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", 
source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, 
sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + 
"legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", 
connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": 
"{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] 
+ }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP 
Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ 
source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
    \nOUTBOUND SERVICES\n
    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + 
"show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service) / sum(rate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", 
source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[30s])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 
(🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", 
connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + 
"legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", 
source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} 
P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, 
le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, 
sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + 
"expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": 
"round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { 
+ "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", 
destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} +' + + mixer-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.2" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": 
"5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1535646398209, + "links": [], + "panels": [ + { + "content": "

    Resource Usage

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", 
+ "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + 
"show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, 
+ "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 4, + "legend": { 
+ "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Mixer Overview

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 10 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 13 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_server_handled_total[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 13 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, 
+ "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_server_handling_seconds_bucket{}[1m])) by (grpc_method, le)) * 1000", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 13 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + 
"total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 13 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + 
"thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Adapters and Config

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 19 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 22 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatch_count{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 22 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + 
"percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 29 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": 
false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 29 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + 
"seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 29 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + 
{ + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 29 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    Individual Adapters

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 36 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 39 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 40 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatch_count{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, 
+ "w": 12, + "x": 12, + "y": 40 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Mixer Dashboard", + "uid": "2", + "version": 2 +} +' + + pilot-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "links": [], + "panels": [ + { + "content": "

    Resource Usage

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + 
"legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total 
(k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": 
"container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true 
+ }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

    xDS

    ", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 10 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 13 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 13 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": 
false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 13 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": 
"individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 19 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + }, + { + "expr": "pilot_conf_filter_chains{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Filter 
Chains", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 19 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + 
"expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 19 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + 
"steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + 
"show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 53, + "legend": { + "avg": false, + 
"current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 34 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, 
+ "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Pilot Dashboard", + "uid": "3", + "version": 1 +} +' + + +--- +# Source: istio/charts/grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller + istio: grafana +data: + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + +--- +# Source: 
istio/charts/mixer/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-statsd-prom-bridge + namespace: istio-system + labels: + app: istio-statsd-prom-bridge + chart: mixer-1.0.4 + release: istio + heritage: Tiller + istio: mixer +data: + mapping.conf: |- + +--- +# Source: istio/charts/prometheus/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus-1.0.4 + release: istio + heritage: Tiller +data: + prometheus.yml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + + + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. 
+ - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + + + - job_name: 'istio-policy' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. 
+ + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + # metrics_path defaults to '/metrics' + # scheme defaults to 'http'. + + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + # scrape config for API servers + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. + # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. 
This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. + - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) 
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status] + action: drop + regex: (.+) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. 
+ kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name +--- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + namespace: istio-system + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller + istio: security +data: + custom-resources.yaml: |- + # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. 
+ apiVersion: "authentication.istio.io/v1alpha1" + kind: "MeshPolicy" + metadata: + name: "default" + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller + spec: + peers: + - mtls: + mode: PERMISSIVE + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + /kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + /kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + /kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + /kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/templates/configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + namespace: istio-system + labels: + app: istio + chart: istio-1.0.4 + release: istio + heritage: Tiller +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: false + + # Set enableTracing to false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" + # + # Deprecated: mixer is using EDS + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 + + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. 
+ # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: "" + + # How frequently should Envoy fetch key/cert from NodeAgent. + sdsRefreshDelay: 15s + + # + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. + # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. 
See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 0 + # + # Zipkin trace collector + zipkinAddress: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: NONE + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15007 + +--- +# Source: istio/templates/sidecar-injector-configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: istio + chart: istio-1.0.4 + release: istio + heritage: Tiller + istio: sidecar-injector +data: + config: |- + policy: enabled + template: |- + initContainers: + - name: istio-init + image: "docker.io/istio/proxy_init:1.0.4" + args: + - "-p" + - [[ .MeshConfig.ProxyListenPort ]] + - "-u" + - 1337 + - "-m" + - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]] + - "-i" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]" + - "-x" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]" + - "-b" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]" + - "-d" + - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]" + imagePullPolicy: IfNotPresent + securityContext: + capabilities: + add: + - NET_ADMIN + privileged: true + restartPolicy: Always + containers: + - name: istio-proxy + image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "docker.io/istio/proxyv2:1.0.4" ]] + + ports: + - containerPort: 15090 + protocol: TCP + 
name: http-envoy-prom + + args: + - proxy + - sidecar + - --configPath + - [[ .ProxyConfig.ConfigPath ]] + - --binaryPath + - [[ .ProxyConfig.BinaryPath ]] + - --serviceCluster + [[ if ne "" (index .ObjectMeta.Labels "app") -]] + - [[ index .ObjectMeta.Labels "app" ]] + [[ else -]] + - "istio-proxy" + [[ end -]] + - --drainDuration + - [[ formatDuration .ProxyConfig.DrainDuration ]] + - --parentShutdownDuration + - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]] + - --discoveryAddress + - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]] + - --discoveryRefreshDelay + - [[ formatDuration .ProxyConfig.DiscoveryRefreshDelay ]] + - --zipkinAddress + - [[ .ProxyConfig.ZipkinAddress ]] + - --connectTimeout + - [[ formatDuration .ProxyConfig.ConnectTimeout ]] + - --proxyAdminPort + - [[ .ProxyConfig.ProxyAdminPort ]] + [[ if gt .ProxyConfig.Concurrency 0 -]] + - --concurrency + - [[ .ProxyConfig.Concurrency ]] + [[ end -]] + - --controlPlaneAuthPolicy + - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]] + [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) "0") ]] + - --statusPort + - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ]] + - --applicationPorts + - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]" + [[- end ]] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_INTERCEPTION_MODE + value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] + [[ if .ObjectMeta.Annotations ]] + - name: ISTIO_METAJSON_ANNOTATIONS + 
value: | + [[ toJson .ObjectMeta.Annotations ]] + [[ end ]] + [[ if .ObjectMeta.Labels ]] + - name: ISTIO_METAJSON_LABELS + value: | + [[ toJson .ObjectMeta.Labels ]] + [[ end ]] + imagePullPolicy: IfNotPresent + [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ) "0") ]] + readinessProbe: + httpGet: + path: /healthz/ready + port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 0 ]] + initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]] + periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]] + failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]] + [[ end -]]securityContext: + + readOnlyRootFilesystem: true + [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + runAsUser: 1337 + [[ end -]] + restartPolicy: Always + resources: + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]] + requests: + cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]" + memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]" + [[ else -]] + requests: + cpu: 10m + + [[ end -]] + volumeMounts: + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + volumes: + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + [[ if eq .Spec.ServiceAccountName "" -]] + secretName: istio.default + [[ else -]] + secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] + [[ end -]] + +--- +# Source: istio/charts/galley/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + namespace: istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + heritage: Tiller + release: istio 
+ +--- +# Source: istio/charts/gateways/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-egressgateway-service-account + namespace: istio-system + labels: + app: egressgateway + chart: gateways-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + namespace: istio-system + labels: + app: ingressgateway + chart: gateways-1.0.4 + heritage: Tiller + release: istio +--- + +--- +# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-grafana-post-install-account + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-grafana-post-install-istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-grafana-post-install-role-binding-istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-grafana-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-grafana-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-grafana-post-install + namespace: istio-system + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller +spec: + template: + metadata: + name: istio-grafana-post-install + labels: + app: istio-grafana + release: 
istio + spec: + serviceAccountName: istio-grafana-post-install-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/grafana" + name: tmp-configmap-grafana + volumes: + - name: tmp-configmap-grafana + configMap: + name: istio-grafana-custom-resources + restartPolicy: OnFailure + +--- +# Source: istio/charts/mixer/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-mixer-service-account + namespace: istio-system + labels: + app: mixer + chart: mixer-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/pilot/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + namespace: istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + namespace: istio-system + +--- +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. 
+ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-cleanup-secrets-service-account + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets + namespace: istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security-1.0.4 + release: istio + heritage: Tiller +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + release: istio + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; 
do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + namespace: istio-system + labels: + app: istio-security + chart: security-1.0.4 + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-istio-system + labels: + app: istio-security + chart: security-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-istio-system + labels: + app: istio-security + chart: security-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: istio-system +--- + +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-security-post-install + namespace: istio-system + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: istio-security + chart: security-1.0.4 + release: istio + heritage: Tiller +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: istio-security 
+ release: istio + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: hyperkube + image: "quay.io/coreos/hyperkube:v1.7.6_coreos.0" + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + +--- +# Source: istio/charts/security/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-citadel-service-account + namespace: istio-system + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + namespace: istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + heritage: Tiller + release: istio + +--- +# Source: istio/templates/crds.yaml +# +# these CRDs only make sense when pilot is enabled +# +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + categories: + - istio-io + - 
networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + annotations: + "helm.sh/hook": crd-install + "helm.sh/hook-weight": "-5" + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: istio-pilot +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +# + +# these CRDs only make sense when security is enabled +# + +# +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: httpapispecs.config.istio.io +spec: + group: config.istio.io + 
names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecbindings.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + annotations: + "helm.sh/hook": crd-install + name: quotaspecs.config.istio.io +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- + +# Mixer CRDs +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: core +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: bypass + istio: 
mixer-adapter +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: circonus + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: denier + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: fluentd + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
listcheckers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: listchecker + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: memquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: noop + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: opa + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: prometheus + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 
+--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: rbac + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + package: redisquota + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicecontrols.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: servicecontrol + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: servicecontrol + plural: servicecontrols + singular: servicecontrol + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: signalfx + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: solarwinds + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: 
solarwinds + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: stackdriver + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: statsd + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: stdio + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: apikey + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: authorization + 
istio: mixer-instance +spec: + group: config.istio.io + names: + kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: checknothing + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: listentry + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: logentry + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: 
CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: edge + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: metric + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: quota + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: reportnothing + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicecontrolreports.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: servicecontrolreport + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: servicecontrolreport + 
plural: servicecontrolreports + singular: servicecontrolreport + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: tracespan + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- + +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: istio.io.mixer + istio: rbac +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: 
adapters.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: adapter + istio: mixer-adapter +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: instance + istio: mixer-instance +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: template + istio: mixer-template +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + annotations: + "helm.sh/hook": crd-install + labels: + app: mixer + package: handler + istio: mixer-handler +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +# +# + +--- +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: 
["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["*"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: ["*"] + resources: ["endpoints"] + resourceNames: ["istio-galley"] + verbs: ["get"] + +--- +# Source: istio/charts/gateways/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: gateways + chart: gateways-1.0.4 + heritage: Tiller + release: istio + name: istio-egressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: gateways + chart: gateways-1.0.4 + heritage: Tiller + release: istio + name: istio-ingressgateway-istio-system +rules: +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- + +--- +# Source: istio/charts/mixer/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-mixer-istio-system + labels: + app: mixer + chart: mixer-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] # istio CRD watcher + resources: ["*"] + verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["rbac.istio.io"] # istio RBAC watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] +- 
apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/pilot/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions"] + resources: ["thirdpartyresources", "thirdpartyresources.extensions", "ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: prometheus-istio-system +rules: +- apiGroups: [""] + resources: + - nodes + - services + - endpoints + - pods + - nodes/proxy + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: + - configmaps + verbs: ["get"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] + +--- +# Source: istio/charts/security/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", 
"delete"] +- apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "watch", "list"] +- apiGroups: [""] + resources: ["services"] + verbs: ["get", "watch", "list"] + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + heritage: Tiller + release: istio +rules: +- apiGroups: ["*"] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + +--- +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: istio-galley + chart: galley-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-egressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-egressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-egressgateway-service-account + namespace: istio-system +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system +subjects: + - kind: ServiceAccount + name: istio-ingressgateway-service-account + namespace: istio-system +--- + +--- +# 
Source: istio/charts/mixer/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-mixer-admin-role-binding-istio-system + labels: + app: mixer + chart: mixer-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-mixer-istio-system +subjects: + - kind: ServiceAccount + name: istio-mixer-service-account + namespace: istio-system + +--- +# Source: istio/charts/pilot/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: istio-system + +--- +# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: prometheus-istio-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-istio-system +subjects: +- kind: ServiceAccount + name: prometheus + namespace: istio-system + +--- +# Source: istio/charts/security/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-citadel-istio-system +subjects: + - kind: ServiceAccount + name: istio-citadel-service-account + namespace: istio-system + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: 
istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system + +--- +# Source: istio/charts/galley/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + namespace: istio-system + labels: + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 9093 + name: http-monitoring + selector: + istio: galley + +--- +# Source: istio/charts/gateways/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-egressgateway + namespace: istio-system + annotations: + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-egressgateway + istio: egressgateway +spec: + type: ClusterIP + selector: + app: istio-egressgateway + istio: egressgateway + ports: + - + name: http2 + port: 80 + - + name: https + port: 443 +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + namespace: istio-system + annotations: + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-ingressgateway + istio: ingressgateway +spec: + type: LoadBalancer + selector: + app: istio-ingressgateway + istio: ingressgateway + ports: + - + name: http2 + nodePort: 31380 + port: 80 + targetPort: 80 + - + name: https + nodePort: 31390 + port: 443 + - + name: tcp + nodePort: 31400 + port: 31400 + - + name: tcp-pilot-grpc-tls + port: 15011 + targetPort: 15011 + - + name: tcp-citadel-grpc-tls + port: 8060 + targetPort: 8060 + - + name: tcp-dns-tls + port: 853 + targetPort: 853 + - + name: http2-prometheus + port: 15030 + targetPort: 15030 + - + name: http2-grafana + port: 15031 + targetPort: 15031 +--- + +--- +# Source: 
istio/charts/grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + namespace: istio-system + annotations: + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app: grafana + +--- +# Source: istio/charts/mixer/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 9093 + selector: + istio: mixer + istio-mixer-type: policy +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 9093 + - name: prometheus + port: 42422 + selector: + istio: mixer + istio-mixer-type: telemetry +--- + +--- +# Source: istio/charts/pilot/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + namespace: istio-system + labels: + app: istio-pilot + chart: pilot-1.0.4 + release: istio + heritage: Tiller +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 9093 + name: http-monitoring + selector: + istio: pilot + +--- +# Source: istio/charts/prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: prometheus + namespace: istio-system + annotations: + prometheus.io/scrape: 'true' + labels: + name: prometheus +spec: + selector: + app: prometheus + ports: + - name: http-prometheus + protocol: TCP + port: 9090 + +--- +# Source: istio/charts/security/templates/service.yaml +apiVersion: v1 
+kind: Service +metadata: + # we use the normal name here (e.g. 'prometheus') + # as grafana is configured to use this as a data source + name: istio-citadel + namespace: istio-system + labels: + app: istio-citadel +spec: + ports: + - name: grpc-citadel + port: 8060 + targetPort: 8060 + protocol: TCP + - name: http-monitoring + port: 9093 + selector: + istio: citadel + +--- +# Source: istio/charts/servicegraph/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: servicegraph + namespace: istio-system + annotations: + labels: + app: servicegraph + chart: servicegraph-1.0.4 + release: istio + heritage: Tiller +spec: + type: ClusterIP + ports: + - port: 8088 + targetPort: 8088 + protocol: TCP + name: http + selector: + app: servicegraph + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + istio: sidecar-injector +spec: + ports: + - port: 443 + selector: + istio: sidecar-injector + +--- +# Source: istio/charts/galley/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley-1.0.4 + release: istio + heritage: Tiller + istio: galley +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + istio: galley + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-galley-service-account + containers: + - name: validator + image: "docker.io/istio/galley:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + - containerPort: 9093 + command: + - /usr/local/bin/galley + - validator + - --deployment-namespace=istio-system + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem 
+ - --healthCheckInterval=1s + - --healthCheckFile=/health + - --webhook-config-file + - /etc/istio/config/validatingwebhookconfiguration.yaml + volumeMounts: + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: config + mountPath: /etc/istio/config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/health + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/gateways/templates/deployment.yaml + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-egressgateway + namespace: istio-system + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-egressgateway + istio: egressgateway +spec: + replicas: 1 + template: + metadata: + labels: + app: istio-egressgateway + istio: egressgateway + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-egressgateway-service-account + containers: + - 
name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - router + - -v + - "2" + - --discoveryRefreshDelay + - '1s' #discoveryRefreshDelay + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-egressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:8080 + resources: + requests: + cpu: 10m + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: "/etc/istio/egressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" + optional: true + - name: egressgateway-ca-certs + secret: + secretName: "istio-egressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: 
beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-ingressgateway + namespace: istio-system + labels: + chart: gateways-1.0.4 + release: istio + heritage: Tiller + app: istio-ingressgateway + istio: ingressgateway +spec: + replicas: 1 + template: + metadata: + labels: + app: istio-ingressgateway + istio: ingressgateway + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-ingressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15011 + - containerPort: 8060 + - containerPort: 853 + - containerPort: 15030 + - containerPort: 15031 + + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - router + - -v + - "2" + - --discoveryRefreshDelay + - '1s' #discoveryRefreshDelay + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:8080 + resources: + requests: + cpu: 10m + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: ISTIO_META_POD_NAME + 
valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: ingressgateway-certs + mountPath: "/etc/istio/ingressgateway-certs" + readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + - name: ingressgateway-certs + secret: + secretName: "istio-ingressgateway-certs" + optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + +--- +# Source: istio/charts/grafana/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: grafana + namespace: istio-system + labels: + app: istio-grafana + chart: grafana-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: grafana + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: grafana + image: "grafana/grafana:5.2.3" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" + - name: GF_AUTH_BASIC_ENABLED + value: "false" + - name: 
GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin + - name: GF_PATHS_DATA + value: /data/grafana + resources: + requests: + cpu: 10m + + volumeMounts: + - name: data + mountPath: /data/grafana + - name: dashboards-istio + mountPath: "/var/lib/grafana/dashboards/istio" + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + volumes: + - name: config + configMap: + name: istio-grafana + - name: data + emptyDir: {} + - name: dashboards-istio + configMap: + name: istio-grafana-configuration-dashboards + +--- +# Source: istio/charts/mixer/templates/deployment.yaml + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-policy + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + replicas: 1 + template: + metadata: + labels: + app: policy + istio: mixer + istio-mixer-type: policy + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + 
affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9093 + - containerPort: 42422 + args: + - --address + - unix:///sock/mixer.socket + - --configStoreURL=k8s:// + - --configDefaultNamespace=istio-system + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=2" + resources: + requests: + cpu: 10m + + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - --serviceCluster + - istio-policy + - --templateFile + - /etc/istio/proxy/envoy_policy.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + requests: + cpu: 10m + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + 
mountPath: /sock + +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-telemetry + namespace: istio-system + labels: + chart: mixer-1.0.4 + release: istio + istio: mixer +spec: + replicas: 1 + template: + metadata: + labels: + app: telemetry + istio: mixer + istio-mixer-type: telemetry + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + containers: + - name: mixer + image: "docker.io/istio/mixer:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9093 + - containerPort: 42422 + args: + - --address + - unix:///sock/mixer.socket + - --configStoreURL=k8s:// + - --configDefaultNamespace=istio-system + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=2" + resources: + requests: + cpu: 10m + + volumeMounts: + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 9093 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + + args: + - proxy + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + requests: + cpu: 10m + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: 
uds-socket + mountPath: /sock + +--- + +--- +# Source: istio/charts/pilot/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-pilot + namespace: istio-system + # TODO: default template doesn't have this, which one is right ? + labels: + app: istio-pilot + chart: pilot-1.0.4 + release: istio + heritage: Tiller + istio: pilot + annotations: + checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 +spec: + replicas: 1 + template: + metadata: + labels: + istio: pilot + app: pilot + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-pilot-service-account + containers: + - name: discovery + image: "docker.io/istio/pilot:1.0.4" + imagePullPolicy: IfNotPresent + args: + - "discovery" + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: PILOT_CACHE_SQUASH + value: "5" + - name: GODEBUG + value: "gctrace=2" + - name: PILOT_PUSH_THROTTLE_COUNT + value: "100" + - name: PILOT_TRACE_SAMPLING + value: "100" + resources: + requests: + cpu: 500m + memory: 2048Mi + + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + 
fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + requests: + cpu: 10m + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/prometheus/templates/deployment.yaml +# TODO: the original template has service account, roles, etc +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: prometheus + namespace: istio-system + labels: + app: prometheus + chart: prometheus-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + template: + metadata: + labels: + app: prometheus + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus + image: "docker.io/prom/prometheus:v2.3.1" + imagePullPolicy: IfNotPresent + args: + - '--storage.tsdb.retention=6h' + - '--config.file=/etc/prometheus/prometheus.yml' + ports: + - containerPort: 9090 + name: http + livenessProbe: + httpGet: + 
path: /-/healthy + port: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: + requests: + cpu: 10m + + volumeMounts: + - name: config-volume + mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs + volumes: + - name: config-volume + configMap: + name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + optional: true + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/deployment.yaml +# istio CA watching all namespaces +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-citadel + namespace: istio-system + labels: + app: security + chart: security-1.0.4 + release: istio + heritage: Tiller + istio: citadel +spec: + replicas: 1 + template: + metadata: + labels: + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-citadel-service-account + containers: + - name: citadel + image: "docker.io/istio/citadel:1.0.4" + imagePullPolicy: IfNotPresent + args: + - --append-dns-names=true + - --grpc-port=8060 + - --grpc-hostname=citadel + - --citadel-storage-namespace=istio-system + - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system,istio-ingressgateway-service-account.istio-system:istio-ingressgateway.istio-system + - 
--self-signed-ca=true + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/servicegraph/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: servicegraph + namespace: istio-system + labels: + app: servicegraph + chart: servicegraph-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: servicegraph + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: servicegraph + image: "docker.io/istio/servicegraph:1.0.4" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8088 + args: + - --prometheusAddr=http://prometheus:9090 + livenessProbe: + httpGet: + path: /graph + port: 8088 + readinessProbe: + httpGet: + path: /graph + port: 8088 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + 
preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook-1.0.4 + release: istio + heritage: Tiller + istio: sidecar-injector +spec: + replicas: 1 + template: + metadata: + labels: + istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + serviceAccountName: istio-sidecar-injector-service-account + containers: + - name: sidecar-injector-webhook + image: "docker.io/istio/sidecar_injector:1.0.4" + imagePullPolicy: IfNotPresent + args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - --healthCheckFile=/health + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + secret: + secretName: istio.istio-sidecar-injector-service-account + - name: inject-config + configMap: + name: istio-sidecar-injector + items: + - key: config + path: config + affinity: + nodeAffinity: + 
requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/tracing/templates/deployment.yaml +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: istio-tracing + namespace: istio-system + labels: + app: istio-tracing + chart: tracing-1.0.4 + release: istio + heritage: Tiller +spec: + replicas: 1 + template: + metadata: + labels: + app: jaeger + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + spec: + containers: + - name: jaeger + image: "docker.io/jaegertracing/all-in-one:1.5" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "50000" + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: 
beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/pilot/templates/gateway.yaml +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: istio-autogenerated-k8s-ingress + namespace: istio-system +spec: + selector: + istio: ingress + servers: + - port: + number: 80 + protocol: HTTP2 + name: http + hosts: + - "*" + +--- + +--- +# Source: istio/charts/gateways/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-egressgateway + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-egressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-ingressgateway + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/mixer/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-policy + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-telemetry + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + 
kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot + namespace: istio-system +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1beta1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/tracing/templates/service-jaeger.yaml + + +apiVersion: v1 +kind: List +items: +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-query + namespace: istio-system + annotations: + labels: + app: jaeger + jaeger-infra: jaeger-service + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: query-http + port: 16686 + protocol: TCP + targetPort: 16686 + selector: + app: jaeger +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-collector + namespace: istio-system + labels: + app: jaeger + jaeger-infra: collector-service + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: jaeger-collector-tchannel + port: 14267 + protocol: TCP + targetPort: 14267 + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + selector: + app: jaeger + type: ClusterIP +- apiVersion: v1 + kind: Service + metadata: + name: jaeger-agent + namespace: istio-system + labels: + app: jaeger + jaeger-infra: agent-service + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: agent-zipkin-thrift + port: 5775 + protocol: UDP + targetPort: 5775 + - name: agent-compact + port: 6831 + protocol: UDP + targetPort: 6831 + - name: agent-binary + port: 6832 + protocol: UDP + targetPort: 6832 + clusterIP: None + selector: + app: jaeger + + + +--- +# Source: istio/charts/tracing/templates/service.yaml +apiVersion: v1 +kind: 
List +items: +- apiVersion: v1 + kind: Service + metadata: + name: zipkin + namespace: istio-system + labels: + app: jaeger + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + type: ClusterIP + ports: + - port: 9411 + targetPort: 9411 + protocol: TCP + name: http + selector: + app: jaeger +- apiVersion: v1 + kind: Service + metadata: + name: tracing + namespace: istio-system + annotations: + labels: + app: jaeger + chart: tracing-1.0.4 + release: istio + heritage: Tiller + spec: + ports: + - name: http-query + port: 80 + protocol: TCP + targetPort: 16686 + selector: + app: jaeger + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + namespace: istio-system + labels: + app: istio-sidecar-injector + chart: sidecarInjectorWebhook-1.0.4 + release: istio + heritage: Tiller +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istio-sidecar-injector + namespace: istio-system + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled + + +--- +# Source: istio/charts/galley/templates/validatingwehookconfiguration.yaml.tpl + + +--- +# Source: istio/charts/grafana/templates/grafana-ports-mtls.yaml + + +--- +# Source: istio/charts/grafana/templates/pvc.yaml + + +--- +# Source: istio/charts/grafana/templates/secret.yaml + +--- +# Source: istio/charts/pilot/templates/meshexpansion.yaml + + +--- +# Source: istio/charts/security/templates/enable-mesh-mtls.yaml + + +--- +# Source: istio/charts/security/templates/enable-mesh-permissive.yaml + + +--- +# Source: istio/charts/security/templates/meshexpansion.yaml + + +--- + +--- +# Source: istio/charts/servicegraph/templates/ingress.yaml + +--- +# Source: 
istio/charts/telemetry-gateway/templates/gateway.yaml + + +--- +# Source: istio/charts/tracing/templates/ingress-jaeger.yaml + +--- +# Source: istio/charts/tracing/templates/ingress.yaml + +--- +# Source: istio/templates/install-custom-resources.sh.tpl + + +--- +# Source: istio/charts/mixer/templates/config.yaml +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + namespace: istio-system +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.timestamp: + valueType: 
TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + namespace: istio-system +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.service: # DEPRECATED + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service: # DEPRECATED + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + 
destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: stdio +metadata: + name: handler + namespace: istio-system +spec: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseSize: response.size | 0 + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: 
request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + namespace: istio-system +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + namespace: istio-system +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.stdio + instances: + - 
accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + namespace: istio-system +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + namespace: istio-system +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + 
source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + namespace: istio-system +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: 
destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + namespace: istio-system +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + namespace: istio-system +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + 
source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + namespace: istio-system +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + 
destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: handler + namespace: istio-system +spec: + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + 
- request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + namespace: istio-system +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: handler.prometheus + instances: + - requestcount.metric + - 
requestduration.metric + - requestsize.metric + - responsesize.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- + +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetesenv +metadata: + name: handler + namespace: istio-system +spec: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + namespace: istio-system +spec: + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + namespace: istio-system +spec: + match: context.protocol == "tcp" + actions: + - handler: handler.kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + namespace: istio-system +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attribute_bindings: + # Fill the new attributes from the adapter produced output. 
+ # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" + +--- +# Configuration needed by Mixer. 
+# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + namespace: istio-system +spec: + host: istio-policy.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + namespace: istio-system +spec: + host: istio-telemetry.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- + diff --git a/istio-1.0.4/install/kubernetes/mesh-expansion.yaml b/istio-1.0.4/install/kubernetes/mesh-expansion.yaml new file mode 100644 index 0000000..16b95b4 --- /dev/null +++ b/istio-1.0.4/install/kubernetes/mesh-expansion.yaml 
@@ -0,0 +1,86 @@
+# Currently specific to GKE. Annotations specific to other providers should be added
+# after they get tested.
+apiVersion: v1
+kind: Service
+metadata:
+ name: istio-pilot-ilb
+ namespace: istio-system
+ annotations:
+ cloud.google.com/load-balancer-type: "internal"
+ labels:
+ istio: pilot
+spec:
+ type: LoadBalancer
+ ports:
+ - name: https-pilot
+ port: 15005
+ protocol: TCP
+ - port: 8080
+ name: http-pilot
+ protocol: TCP
+ - port: 15010
+ name: grpc-pilot
+ protocol: TCP
+ - port: 15011
+ name: tls-grpc-pilot
+ protocol: TCP
+ selector:
+ istio: pilot
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: dns-ilb
+ namespace: kube-system
+ annotations:
+ cloud.google.com/load-balancer-type: "internal"
+ labels:
+ k8s-app: kube-dns
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 53
+ protocol: UDP
+ selector:
+ k8s-app: kube-dns
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: mixer-ilb
+ namespace: istio-system
+ annotations:
+ cloud.google.com/load-balancer-type: "internal"
+ labels:
+ istio: mixer
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 15004
+ protocol: TCP
+ selector:
+ istio: mixer
+ istio-mixer-type: telemetry
+
+# This points to istio-telemetry until we are able to support both
+# istio-policy and istio-telemetry as separate services for mesh expansion.
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: citadel-ilb
+ namespace: istio-system
+ annotations:
+ cloud.google.com/load-balancer-type: "internal"
+ labels:
+ istio: citadel
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 8060
+ protocol: TCP
+ selector:
+ istio: citadel
diff --git a/istio-1.0.4/install/kubernetes/namespace.yaml b/istio-1.0.4/install/kubernetes/namespace.yaml
new file mode 100644
index 0000000..58bebec
--- /dev/null
+++ b/istio-1.0.4/install/kubernetes/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ istio-injection: disabled
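Review bot: The istio-pilot-ilb Service in mesh-expansion.yaml publishes `http-pilot` 8080 and `grpc-pilot` 15010 on the load balancer next to `https-pilot` 15005 and `tls-grpc-pilot` 15011, and none of the four Services in the file sets `loadBalancerSourceRanges`. Judging by the port names the first two are plaintext listeners, so any host that can reach the internal load balancer can presumably talk to Pilot without mutual TLS, although setupMeshEx.sh in this same commit documents "MUTUAL_TLS" as the default control-plane policy. I would drop the two plaintext port entries when that default is kept and add a `loadBalancerSourceRanges:` list holding only the VM subnet to each Service; dns-ilb likewise offers kube-dns on port 53 to the whole internal network. At minimum a comment above each `type: LoadBalancer`, for example `# reachable from the whole internal network unless loadBalancerSourceRanges is set`, would make the exposure visible to whoever applies the file.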
diff --git a/istio-1.0.4/install/tools/setupIstioVM.sh b/istio-1.0.4/install/tools/setupIstioVM.sh
new file mode 100755
index 0000000..d6d5589
--- /dev/null
+++ b/istio-1.0.4/install/tools/setupIstioVM.sh
@@ -0,0 +1,113 @@
+#!/bin/bash
+#
+# Copyright 2017 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Script to install istio components for the raw VM.
+
+# Environment variable pointing to the generated Istio configs and binaries.
+# TODO: use curl or tar to fetch the artifacts.
+ISTIO_STAGING=${ISTIO_STAGING:-.}
+
+function istioVersionSource() {
+ echo "Sourced ${ISTIO_STAGING}/istio.VERSION"
+ cat ${ISTIO_STAGING}/istio.VERSION
+ source ${ISTIO_STAGING}/istio.VERSION
+}
+
+# Configure network for istio use, using DNSMasq.
+# Will use the generated "kubedns" file.
+function istioNetworkInit() {
+ if [[ ! -r /etc/dnsmasq.d ]] ; then
+ echo "*** Running apt-get update..."
+ apt-get update > /dev/null
+ echo "*** Running apt-get install dnsmasq..."
+ apt-get --no-install-recommends -y install dnsmasq
+ fi
+
+ # Copy config files for DNS
+ chmod go+r ${ISTIO_STAGING}/kubedns
+ cp ${ISTIO_STAGING}/kubedns /etc/dnsmasq.d
+ systemctl restart dnsmasq
+
+ # Update DHCP - if needed
+ grep "^prepend domain-name-servers 127.0.0.1;" /etc/dhcp/dhclient.conf > /dev/null
+ if [[ $? != 0 ]]; then
+ echo 'prepend domain-name-servers 127.0.0.1;' >> /etc/dhcp/dhclient.conf
+ # TODO: find a better way to re-trigger dhclient
+ dhclient -v -1
+ fi
+}
+
+# Install istio components and certificates. The admin (directly or using tools like ansible)
+# will generate and copy the files and install the packages on each machine.
+function istioInstall() {
+ echo "*** Fetching istio packages..."
+ # Current URL for the debian files artifacts. Will be replaced by a proper apt repo.
+ rm -f istio-sidecar.deb
+ echo "curl -f -L ${PILOT_DEBIAN_URL}/istio-sidecar.deb > ${ISTIO_STAGING}/istio-sidecar.deb"
+ curl -f -L ${PILOT_DEBIAN_URL}/istio-sidecar.deb > ${ISTIO_STAGING}/istio-sidecar.deb
+
+ # Install istio binaries
+ dpkg -i ${ISTIO_STAGING}/istio-sidecar.deb
+
+ mkdir -p /etc/certs
+
+ cp ${ISTIO_STAGING}/*.pem /etc/certs
+
+ # Cluster settings - the CIDR in particular.
+ cp ${ISTIO_STAGING}/cluster.env /var/lib/istio/envoy
+
+ chown -R istio-proxy /etc/certs
+ chown -R istio-proxy /var/lib/istio/envoy
+
+ # Useful to test VM extension to istio
+ apt-get --no-install-recommends -y install host
+}
+
+function istioRestart() {
+ echo "*** Restarting istio proxy..."
+ # Node agent
+ systemctl status istio-auth-node-agent > /dev/null
+ if [[ $? = 0 ]]; then
+ systemctl restart istio-auth-node-agent
+ else
+ systemctl start istio-auth-node-agent
+ fi
+ # Start or restart istio envoy
+ systemctl status istio > /dev/null
+ if [[ $? = 0 ]]; then
+ systemctl restart istio
+ else
+ systemctl start istio
+ fi
+}
+
+if [[ ${1:-} == "initNetwork" ]] ; then
+ istioNetworkInit
+elif [[ ${1:-} == "istioInstall" ]] ; then
+ istioVersionSource
+ istioInstall
+ istioRestart
+elif [[ ${1:-} == "help" ]] ; then
+ echo "$0 initNetwork: Configure DNS"
+ echo "$0 istioInstall: Install istio components"
+else
+ istioVersionSource
+ istioNetworkInit
+ istioInstall
+ istioRestart
+fi
diff --git a/istio-1.0.4/install/tools/setupMeshEx.sh b/istio-1.0.4/install/tools/setupMeshEx.sh
new file mode 100755
index 0000000..441dcfc
--- /dev/null
+++ b/istio-1.0.4/install/tools/setupMeshEx.sh
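Review bot: istioInstall hands the file fetched from `${PILOT_DEBIAN_URL}/istio-sidecar.deb` straight to `dpkg -i` with no digest or signature check, and PILOT_DEBIAN_URL itself is set by `source ${ISTIO_STAGING}/istio.VERSION`, where ISTIO_STAGING defaults to the current directory. The script calls apt-get, dpkg and systemctl, so it presumably runs as root, which means whatever can alter that file or the download decides what gets installed at that privilege. I would ship an expected SHA-256 next to the URL, compare it before installing, and quote every expansion; the fence shows the download step with a placeholder variable for the digest. The unquoted `${ISTIO_STAGING}` in istioVersionSource and istioNetworkInit has the same word-splitting problem, and `rm -f istio-sidecar.deb` removes a file in the working directory rather than the one under `${ISTIO_STAGING}` that is written next.

```shell
function istioInstall() {
  # … unchanged: progress message …
  local deb="${ISTIO_STAGING}/istio-sidecar.deb"
  rm -f -- "${deb}"
  curl -f -L -o "${deb}" "${PILOT_DEBIAN_URL}/istio-sidecar.deb" || return 1
  # PILOT_DEBIAN_SHA256 is a placeholder name: the expected digest, delivered with istio.VERSION.
  printf '%s  %s\n' "${PILOT_DEBIAN_SHA256:?expected digest not set}" "${deb}" \
    | sha256sum -c - || return 1
  dpkg -i "${deb}"
  # … unchanged: certificate and cluster.env copy, chown, host package …
```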
@@ -0,0 +1,272 @@ +#!/usr/bin/env bash +# +# Copyright 2017 Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ + + +# Helper functions for extending the mesh with external VMs. + +# Script can be sourced in other files or used from tools like ansible. +# Currently the script include helpers for GKE, other providers will be added as +# they are contributed and we test them. + +# Environment variables used: +# +# ISTIO_NAMESPACE - control plane namespace, defaults to istio-system, only +# needs to be set for custom deployments +# K8S_CLUSTER - name of the K8S cluster. +# SERVICE_ACCOUNT - what account to provision on the VM. Defaults to default. +# SERVICE_NAMESPACE- namespace where the service account and service are +# running. Defaults to the current workspace in kube config. +# ISTIO_SECRET_PREFIX - prefix where the istio CA generates secrets for each +# service account. defaults to "istio." +# TODO: read MeshConfig to get the value of control plane auth policy, for now assume mTLS +# CONTROL_PLANE_AUTH_POLICY - control plane auth policy, defaults to "MUTUAL_TLS", only +# needs to be set when "NONE" is desired + +# GCP_OPTS - optional parameters for gcloud command, for example +# "--project P --zone Z". +# If not set, defaults are used. +# ISTIO_CP - command to use to copy files to the VM. +# ISTIO_RUN - command to use to run a command on the VM. 
+ +# Generate a 'kubedns' Dnsmasq config file using the internal load balancer. +# It will need to be installed on each machine expanding the mesh. +function istioDnsmasq() { + local NS=${ISTIO_NAMESPACE:-istio-system} + # Multiple tries, it may take some time until the controllers generate the IPs + for i in {1..20} + do + PILOT_IP=$(kubectl get -n $NS service istio-pilot-ilb -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + ISTIO_DNS=$(kubectl get -n kube-system service dns-ilb -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + MIXER_IP=$(kubectl get -n $NS service mixer-ilb -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + CITADEL_IP=$(kubectl get -n $NS service citadel-ilb -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + + if [ "${PILOT_IP}" == "" -o "${ISTIO_DNS}" == "" -o "${MIXER_IP}" == "" -o "${CITADEL_IP}" == "" ] ; then + echo "Waiting for ILBs, pilot=$PILOT_IP, MIXER_IP=$MIXER_IP, CITADEL_IP=$CITADEL_IP, DNS=$ISTIO_DNS - kubectl get -n $NS service: $(kubectl get -n $NS service)" + sleep 30 + else + break + fi + done + + if [ "${PILOT_IP}" == "" -o "${ISTIO_DNS}" == "" -o "${MIXER_IP}" == "" -o "${CITADEL_IP}" == "" ] ; then + echo "Failed to create ILBs" + exit 1 + fi + + #/etc/dnsmasq.d/kubedns + echo "server=/svc.cluster.local/$ISTIO_DNS" > kubedns + echo "address=/istio-policy/$MIXER_IP" >> kubedns + echo "address=/istio-telemetry/$MIXER_IP" >> kubedns + echo "address=/istio-pilot/$PILOT_IP" >> kubedns + echo "address=/istio-citadel/$CITADEL_IP" >> kubedns + echo "address=/istio-ca/$CITADEL_IP" >> kubedns # Deprecated. For backward compatibility + # Also generate host entries for the istio-system. The generated config will work with both + # 'cluster-wide' and 'per-namespace'. 
+ echo "address=/istio-policy.$NS/$MIXER_IP" >> kubedns + echo "address=/istio-telemetry.$NS/$MIXER_IP" >> kubedns + echo "address=/istio-pilot.$NS/$PILOT_IP" >> kubedns + echo "address=/istio-citadel.$NS/$CITADEL_IP" >> kubedns + echo "address=/istio-ca.$NS/$CITADEL_IP" >> kubedns # Deprecated. For backward compatibility + + echo "Generated Dnsmaq config file 'kubedns'. Install it in /etc/dnsmasq.d and restart dnsmasq." + echo "$0 machineSetup does this for you." +} + +# Generate a cluster.env config file. +# Parameters: +# - name of the k8s cluster. +function istioClusterEnv() { + local K8S_CLUSTER=${1:-${K8S_CLUSTER}} + local ISTIO_NS=${ISTIO_NAMESPACE:-istio-system} + local CP_AUTH_POLICY=${CONTROL_PLANE_AUTH_POLICY:-MUTUAL_TLS} + + # TODO: parse it all from $(kubectl config current-context) + CIDR=$(gcloud container clusters describe ${K8S_CLUSTER} ${GCP_OPTS:-} --format "value(servicesIpv4Cidr)") + echo "ISTIO_SERVICE_CIDR=$CIDR" > cluster.env + echo "ISTIO_SYSTEM_NAMESPACE=$ISTIO_NS" >> cluster.env + echo "ISTIO_CP_AUTH=$CP_AUTH_POLICY" >> cluster.env + + echo "Generated cluster.env, needs to be installed in each VM as /var/lib/istio/envoy/cluster.env" + echo "the /var/lib/istio/envoy/ directory and files must be readable by 'istio-proxy' user" + echo "$0 machineSetup does this for you." +} + + +# Get an istio service account secret, extract it to files to be provisioned on a raw VM +# Params: +# - service account - defaults to istio.default or SERVICE_ACCOUNT env +# - service namespace - defaults to current namespace. +function istio_provision_certs() { + local SA=${1:-${SERVICE_ACCOUNT:-default}} + local NS=${2:-${SERVICE_NAMESPACE:-}} + local ALL=${3} + local CERT_NAME=${ISTIO_SECRET_PREFIX:-istio.}${SA} + + if [[ -n "$NS" ]] ; then + NS="-n $NS" + fi + local B64_DECODE=${BASE64_DECODE:-base64 --decode} + kubectl get $NS secret $CERT_NAME -o jsonpath='{.data.root-cert\.pem}' | $B64_DECODE > root-cert.pem + echo "Generated root-cert.pem. 
It should be installed on /etc/certs" + if [ "$ALL" == "all" ] ; then + kubectl get $NS secret $CERT_NAME -o jsonpath='{.data.cert-chain\.pem}' | $B64_DECODE > cert-chain.pem + kubectl get $NS secret $CERT_NAME -o jsonpath='{.data.key\.pem}' | $B64_DECODE > key.pem + echo "Generated cert-chain.pem and key.pem. It should be installed on /etc/certs" + fi + + echo "the directory and files must be owned by 'istio-proxy' user" + echo "$0 machineSetup does this for you." +} + +# Install required files on a VM and run the setup script. +# This is an example to help integrating the steps into the admin automation tools. +# +# Must be run for each VM added to the cluster +# Params: +# - name of the VM - used to copy files over. +# - optional service account to be provisioned (defaults to istio.default) +# - optional namespace of the service account and VM services, defaults to SERVICE_NAMESPACE env +# or kube config. +# +# Expected to be run from the release directory (ie istio-0.2.8/ or istio/) +function istioBootstrapGCE() { + local DESTINATION=${1} + local SA=${2:-${SERVICE_ACCOUNT:-default}} + local NS=${3:-${SERVICE_NAMESPACE:-}} + + DEFAULT_SCRIPT="install/tools/setupIstioVM.sh" + SETUP_ISTIO_VM_SCRIPT=${SETUP_ISTIO_VM_SCRIPT:-${DEFAULT_SCRIPT}} + echo "Making certs for service account $SA (namespace $NS)" + istio_provision_certs $SA $NS "root-cert-only" + + for i in {1..10}; do + # Copy deb, helper and config files + istioCopy $DESTINATION \ + kubedns \ + *.pem \ + cluster.env \ + istio.VERSION \ + ${SETUP_ISTIO_VM_SCRIPT} + + if [[ $? -ne 0 ]]; then + echo "scp failed, retry in 10 sec" + sleep 10 + else + echo "scp succeeded" + break + fi + done + + istioRun $DESTINATION "ls -a" + + # Run the setup script. + istioRun $DESTINATION "sudo bash -c -x ./setupIstioVM.sh" +} + +# Install required files on a VM and run the setup script. +# This is an example to help integrating the steps into the admin automation tools. 
+# +# Must be run for each VM added to the cluster +# Params: +# - name of the VM - used to copy files over. +# - optional service account to be provisioned (defaults to istio.default) +# - optional namespace of the service account and VM services, defaults to SERVICE_NAMESPACE env +# or kube config. +# +# Expected to be run from the release directory (ie istio-0.2.8/ or istio/) +function istioBootstrapVM() { + local DESTINATION=${1} + local SA=${2:-${SERVICE_ACCOUNT:-default}} + local NS=${3:-${SERVICE_NAMESPACE:-}} + + DEFAULT_SCRIPT="install/tools/setupIstioVM.sh" + SETUP_ISTIO_VM_SCRIPT=${SETUP_ISTIO_VM_SCRIPT:-${DEFAULT_SCRIPT}} + echo "Making certs for service account $SA (namespace $NS)" + istio_provision_certs $SA $NS "all" + + for i in {1..10}; do + # Copy deb, helper and config files + istioCopy $DESTINATION \ + kubedns \ + *.pem \ + cluster.env \ + istio.VERSION \ + ${SETUP_ISTIO_VM_SCRIPT} + + if [[ $? -ne 0 ]]; then + echo "scp failed, retry in 10 sec" + sleep 10 + else + echo "scp succeeded" + break + fi + done + + istioRun $DESTINATION "ls -a" + + # Run the setup script. + istioRun $DESTINATION "sudo bash -c -x ./setupIstioVM.sh" +} + + +# Helper functions for the main script + +# Copy files to the VM. +# - VM name - required, destination where files will be copied +# - list of files and directories to be copied +function istioCopy() { + # TODO: based on some env variable, use different commands for other clusters or for testing with + # bare-metal machines. + local NAME=$1 + shift + local FILES=$* + + ${ISTIO_CP:-gcloud compute scp --recurse ${GCP_OPTS:-}} $FILES ${NAME}: +} + +# Run a command in a VM. +# - VM name +# - command to run, as one parameter. 
+function istioRun() {
+ local NAME=$1
+ local CMD=$2
+
+ ${ISTIO_RUN:-gcloud compute ssh ${GCP_OPTS:-}} $NAME --command "$CMD"
+}
+
+if [[ ${1:-} == "generateDnsmasq" ]] ; then
+ istioDnsmasq
+elif [[ ${1:-} == "generateClusterEnv" ]] ; then
+ shift
+ istioClusterEnv $1
+elif [[ ${1:-} == "machineCerts" ]] ; then
+ shift
+ istio_provision_certs $1 $2 $3
+elif [[ ${1:-} == "machineSetup" ]] ; then
+ shift
+ istioBootstrapVM $1
+elif [[ ${1:-} == "gceMachineSetup" ]] ; then
+ shift
+ istioBootstrapGCE $1
+else
+ echo "$0 generateDnsmasq: Generate dnsmasq config files (one time)"
+ echo "GCP_OPTS=\"--project P --zone Z\" $0 generateClusterEnv K8S_CLUSTER_NAME: Generate cluster range config files (one time)"
+ echo "$0 machineCerts SERVICE_ACCOUNT: Generate bootstrap machine certs. Uses 'default' account if no parameters (one time per host)"
+ echo "$0 machineSetup HOST: Copy files to HOST, and run the setup script (one time per host)"
+ echo "$0 gceMachineSetup HOST: Copy files to a GCE HOST, and run the setup script (one time per host)"
+fi
diff --git a/istio-1.0.4/istio.VERSION b/istio-1.0.4/istio.VERSION
new file mode 100644
index 0000000..b30f14a
--- /dev/null
+++ b/istio-1.0.4/istio.VERSION
@@ -0,0 +1,17 @@
+# DO NOT EDIT THIS FILE MANUALLY instead use
+# install/updateVersion.sh (see install/README.md)
+export CITADEL_HUB="docker.io/istio"
+export CITADEL_TAG="1.0.4"
+export MIXER_HUB="docker.io/istio"
+export MIXER_TAG="1.0.4"
+export PILOT_HUB="docker.io/istio"
+export PILOT_TAG="1.0.4"
+export PROXY_HUB="docker.io/istio"
+export PROXY_TAG="1.0.4"
+export PROXY_DEBUG=""
+export ISTIO_NAMESPACE="istio-system"
+export PILOT_DEBIAN_URL="https://storage.googleapis.com/istio-release/releases/1.0.4/deb"
+export FORTIO_HUB="docker.io/istio"
+export FORTIO_TAG="latest_release"
+export HYPERKUBE_HUB="quay.io/coreos/hyperkube"
+export HYPERKUBE_TAG="v1.7.6_coreos.0"
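Review bot: `istio_provision_certs` writes the service account's private key with `| $B64_DECODE > key.pem` into the current directory under the caller's umask, so with a common umask of 022 the key is readable by other local users. The pipeline's status is never checked either, so an empty file is still announced as generated when `kubectl` fails. Running the extractions as `( umask 077; kubectl get $NS secret $CERT_NAME -o jsonpath='{.data.key\.pem}' | $B64_DECODE > key.pem ) || exit 1`, with `set -o pipefail` in effect, would close both gaps. The copy loop in `istioBootstrapGCE` passes `*.pem` although it asks only for `root-cert-only`, so a `key.pem` or `cert-chain.pem` left behind by an earlier `all` run, possibly for another service account, would be shipped to the VM; naming `root-cert.pem` explicitly there avoids that. The expansions are unquoted throughout, and `NS="-n $NS"` depends on word splitting that an array would express safely.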
diff --git a/istio-1.0.4/samples/CONFIG-MIGRATION.md b/istio-1.0.4/samples/CONFIG-MIGRATION.md
new file mode 100644
index 0000000..ca66fe5
--- /dev/null
+++ b/istio-1.0.4/samples/CONFIG-MIGRATION.md
@@ -0,0 +1,259 @@ +## Config Model Rule Changes + +The following rule resource changes are needed to migrate +from Istio 0.1 (alpha) to Istio 0.2 config format. + +Note that all of the 0.2 Pilot config property names are now aligned with the +[attibute vocabulary](https://istio.io/docs/reference/config/mixer/attribute-vocabulary.html) +used for Mixer config. + +### Create Route Rule + +0.1.x: +``` +istioctl create route-rule -f myrule.yaml +``` +0.2.x: +``` +istioctl create -f myrule.yaml + + or (for Kubernetes users): + +kubectl create -f myrule.yaml +``` + +### Route Rule YAML + +0.1.x: +``` +``` +0.2.x: +``` +apiVersion: config.istio.io/v1alpha2 +``` + +0.1.x: +``` +type: route-rule +``` +0.2.x: +``` +kind: RouteRule +``` + +0.1.x: +``` +name: myRule +``` +0.2.x: +``` +metadata: + name: myRule +``` + +0.1.x: +``` +spec: + destination: foo.bar.svc.cluster.local +``` +0.2.x: +``` +metadata: + namespace: bar # optional (alternatively could use istioctl -n bar ...) +spec: + destination: + name: foo + namespace: bar # optional +``` + +0.1.x: +``` +spec: + match: + httpHeaders: +``` +0.2.x: +``` +spec: + match: + request: + headers: +``` + +0.1.x: +``` +spec: + match: + source: foo.bar.svc.cluster.local +``` +0.2.x: +``` +spec: + match: + source: + name: foo + namespace: bar (optional - default is rule namespace) +``` + +0.1.x: +``` +spec: + match: + sourceTags: +``` +0.2.x: +``` +spec: + match: + source: + labels: +``` + +0.1.x: +``` +spec: + route: + - tags: +``` +0.2.x: +``` +spec: + route: + - labels: +``` + +0.1.x: +``` + exact: abc +``` +0.2.x: +``` + abc +``` + +### Create Destination Policy + +0.1.x: +``` +istioctl create destination-policy -f mypolicy.yaml +``` +0.2.x: +``` +istioctl create -f mypolicy.yaml + + or (for Kubernetes users): + +kubectl create -f mypolicy.yaml +``` + +### Destination Policy YAML + +0.1.x: +``` +``` +0.2.x: +``` +apiVersion: config.istio.io/v1alpha2 +``` + +0.1.x: +``` +spec: + destination: foo.bar.svc.cluster.local +``` +0.2.x: 
+``` +metadata: + namespace: bar # optional (alternatively could use istioctl -n bar ...) +spec: + destination: + name: foo +``` + +0.1.x: +``` +spec: + policy: + - tags: +``` +0.2.x: +``` +spec: + destination: + labels: +``` + +### Examples + +0.1.x +``` +type: route-rule +name: ratings-test-delay +spec: + destination: ratings.default.svc.cluster.local + precedence: 2 + match: + httpHeaders: + end-user: + exact: jason + route: + - tags: + version: v1 + httpFault: + delay: + percent: 100 + fixedDelay: 7s +``` + +0.2.x: +``` +apiVersion: config.istio.io/v1alpha2 +kind: RouteRule +metadata: + name: ratings-test-delay +spec: + destination: + name: ratings + precedence: 2 + match: + request: + headers: + end-user: + exact: jason + route: + - labels: + version: v1 + httpFault: + delay: + percent: 100 + fixedDelay: 7s +``` + +0.1.x: +``` +type: destination-policy +name: reviews-cb +spec: + destination: reviews.default.svc.cluster.local + policy: + - tags: + version: v1 + circuitBreaker: + simpleCb: + maxConnections: 100 +``` +0.2.x: +``` +apiVersion: config.istio.io/v1alpha2 +kind: DestinationPolicy +metadata: + name: reviews-cb +spec: + destination: + name: reviews + labels: + version: v1 + circuitBreaker: + simpleCb: + maxConnections: 100 +``` diff --git a/istio-1.0.4/samples/README.md b/istio-1.0.4/samples/README.md new file mode 100644 index 0000000..94a4497 --- /dev/null +++ b/istio-1.0.4/samples/README.md @@ -0,0 +1,4 @@ +# Istio Samples + +This directory contains sample applications highlighting Istio's various +features. To run these samples, check out the tutorials [here](https://istio.io/docs/guides/). diff --git a/istio-1.0.4/samples/bookinfo/README.md b/istio-1.0.4/samples/bookinfo/README.md new file mode 100644 index 0000000..0feccbe --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/README.md 
@@ -0,0 +1,25 @@ +# Bookinfo Sample +See https://istio.io/docs/guides/bookinfo.html. + +## Build docker images without pushing +``` +src/build-services.sh +``` + +The bookinfo versions are different from Istio versions since the sample should work with any version of Istio. + +## Update docker images in the yaml files +``` +sed -i "s/\(istio\/examples-bookinfo-.*\):[[:digit:]]\.[[:digit:]]\.[[:digit:]]//g" */bookinfo*.yaml +``` + +## Push docker images to docker hub +One script to build the docker images, push them to docker hub and to update the yaml files +``` +build_push_update_images.sh +``` + +## Tests +Bookinfo is tested by e2e smoke test on every PR. The Bookinfo e2e test is in [tests/e2e/tests/bookinfo](https://github.com/istio/istio/tree/master/tests/e2e/tests/bookinfo), make target `e2e_bookinfo`. + +The reference productpage HTML files are in [tests/apps/bookinfo/output](https://github.com/istio/istio/tree/master/tests/apps/bookinfo/output). If the productpage HTML produced by the app is changed, remember to regenerate the reference HTML files and commit them with the same PR. diff --git a/istio-1.0.4/samples/bookinfo/networking/ROUTING_RULE_MIGRATION.md b/istio-1.0.4/samples/bookinfo/networking/ROUTING_RULE_MIGRATION.md new file mode 100644 index 0000000..1680ed2 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/ROUTING_RULE_MIGRATION.md 
@@ -0,0 +1,36 @@ +## Routing Config Model Changes + +The routing configuration resources in `v1alpha3` have changed as follows: + +1. `RouteRule` -> `VirtualService` +2. `DestinationPolicy` -> `DestinationRule` +3. `EgressRule` -> `ServiceEntry` +4. `Ingress` -> `Gateway` (recommended to use) + +A `VirtualService` configures the set of routes to a particular traffic destination host. +A `DestinationRule` configures the set of policies to be applied at a destination after routing has occurred. + +Note that the `apiVersion` of these resources is also changed: + +`apiVersion: config.istio.io/v1alpha2` -> `apiVersion: networking.istio.io/v1alpha3` + +### Creating and deleting Route Rules + +In the previous config model there could be many `RouteRule` resources for the same destination, where a `precedence` field was used +to control the order of evaluation. In `v1alpha3`, all rules for a given destination are stored together as an ordered +list in a single `VirtualService` resource. Therefore, adding a second and subsequent rules for a particular destination +is no longer done by creating a new `RouteRule` resource, but instead by updating the one-and-only `VirtualService` resource +for the destination. + +old routing rules: +``` +istioctl create -f my-second-rule-for-destination-abc.yaml +``` +v1alpha3 routing rules: +``` +istioctl replace -f my-updated-rules-for-destination-abc.yaml +``` + +>>> Proposal: we should add an `istioctl patch` command, to allow users to only provide the second rule + +Deleting route rules other than the last one for a particular destination is also done using `istioctl replace`. diff --git a/istio-1.0.4/samples/bookinfo/networking/bookinfo-gateway.yaml b/istio-1.0.4/samples/bookinfo/networking/bookinfo-gateway.yaml new file mode 100644 index 0000000..31bbeae --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/bookinfo-gateway.yaml 
@@ -0,0 +1,39 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: bookinfo-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: bookinfo +spec: + hosts: + - "*" + gateways: + - bookinfo-gateway + http: + - match: + - uri: + exact: /productpage + - uri: + exact: /login + - uri: + exact: /logout + - uri: + prefix: /api/v1/products + route: + - destination: + host: productpage + port: + number: 9080 diff --git a/istio-1.0.4/samples/bookinfo/networking/certmanager-gateway.yaml b/istio-1.0.4/samples/bookinfo/networking/certmanager-gateway.yaml new file mode 100644 index 0000000..3fa6537 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/certmanager-gateway.yaml @@ -0,0 +1,35 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: cert-manager-gateway + namespace: istio-system +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: cert-manager + namespace: istio-system +spec: + hosts: + - "*" + gateways: + - cert-manager-gateway + http: + - match: + - uri: + prefix: /.well-known/acme-challenge/ + route: + - destination: + host: cert-manager-resolver + port: + number: 8089 diff --git a/istio-1.0.4/samples/bookinfo/networking/destination-rule-all-mtls.yaml b/istio-1.0.4/samples/bookinfo/networking/destination-rule-all-mtls.yaml new file mode 100644 index 0000000..2a19c3f --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/destination-rule-all-mtls.yaml 
@@ -0,0 +1,74 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: productpage +spec: + host: productpage + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: reviews +spec: + host: reviews + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v3 + labels: + version: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ratings +spec: + host: ratings + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v2-mysql + labels: + version: v2-mysql + - name: v2-mysql-vm + labels: + version: v2-mysql-vm +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: details +spec: + host: details + trafficPolicy: + tls: + mode: ISTIO_MUTUAL + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 +--- diff --git a/istio-1.0.4/samples/bookinfo/networking/destination-rule-all.yaml b/istio-1.0.4/samples/bookinfo/networking/destination-rule-all.yaml new file mode 100644 index 0000000..96be699 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/destination-rule-all.yaml 
@@ -0,0 +1,62 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: productpage +spec: + host: productpage + subsets: + - name: v1 + labels: + version: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: reviews +spec: + host: reviews + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v3 + labels: + version: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: ratings +spec: + host: ratings + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v2-mysql + labels: + version: v2-mysql + - name: v2-mysql-vm + labels: + version: v2-mysql-vm +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: details +spec: + host: details + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 +--- diff --git a/istio-1.0.4/samples/bookinfo/networking/destination-rule-reviews.yaml b/istio-1.0.4/samples/bookinfo/networking/destination-rule-reviews.yaml new file mode 100644 index 0000000..69f30f1 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/destination-rule-reviews.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: reviews +spec: + host: reviews + trafficPolicy: + loadBalancer: + simple: RANDOM + subsets: + - name: v1 + labels: + version: v1 + - name: v2 + labels: + version: v2 + - name: v3 + labels: + version: v3 diff --git a/istio-1.0.4/samples/bookinfo/networking/egress-rule-google-apis.yaml b/istio-1.0.4/samples/bookinfo/networking/egress-rule-google-apis.yaml new file mode 100644 index 0000000..41bc63d --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/egress-rule-google-apis.yaml 
@@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: googleapis +spec: + hosts: + - "*.googleapis.com" + ports: + - number: 443 + name: https + protocol: http +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: googleapis +spec: + host: "*.googleapis.com" + trafficPolicy: + tls: + mode: SIMPLE # initiates HTTPS when talking to www.google.com diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-all-v1.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-all-v1.yaml new file mode 100644 index 0000000..6811e31 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-all-v1.yaml @@ -0,0 +1,52 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: productpage +spec: + hosts: + - productpage + http: + - route: + - destination: + host: productpage + subset: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v1 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: details +spec: + hosts: + - details + http: + - route: + - destination: + host: details + subset: v1 +--- diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-details-v2.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-details-v2.yaml new file mode 100644 index 0000000..5f21fa5 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-details-v2.yaml @@ -0,0 +1,12 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: details +spec: + hosts: + - details + http: + - route: + - destination: + host: details + subset: v2 
diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-db.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-db.yaml new file mode 100644 index 0000000..1698ec2 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-db.yaml @@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v2 +--- diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml new file mode 100644 index 0000000..fdf8827 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-mysql-vm.yaml @@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v2-mysql-vm +--- diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml new file mode 100644 index 0000000..03a700e --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml 
@@ -0,0 +1,26 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v3 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - route: + - destination: + host: ratings + subset: v2-mysql +--- diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml new file mode 100644 index 0000000..c5b5ccd --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-test-abort.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - match: + - headers: + end-user: + exact: jason + fault: + abort: + percent: 100 + httpStatus: 500 + route: + - destination: + host: ratings + subset: v1 + - route: + - destination: + host: ratings + subset: v1 diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml new file mode 100644 index 0000000..0b94209 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-ratings-test-delay.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ratings +spec: + hosts: + - ratings + http: + - match: + - headers: + end-user: + exact: jason + fault: + delay: + percent: 100 + fixedDelay: 7s + route: + - destination: + host: ratings + subset: v1 + - route: + - destination: + host: ratings + subset: v1 diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml new file mode 100644 index 0000000..aad8c31 --- /dev/null 
+++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-50-v3.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 + weight: 50 + - destination: + host: reviews + subset: v3 + weight: 50 diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml new file mode 100644 index 0000000..7304d86 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-80-20.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 + weight: 80 + - destination: + host: reviews + subset: v2 + weight: 20 diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml new file mode 100644 index 0000000..d211dd1 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-90-10.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: reviews +spec: + hosts: + - reviews + http: + - route: + - destination: + host: reviews + subset: v1 + weight: 90 + - destination: + host: reviews + subset: v2 + weight: 10 diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml new file mode 100644 index 0000000..fb35713 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml 
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews
+ subset: v2
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
new file mode 100644
index 0000000..ea07efb
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-test-v2.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews
+ subset: v2
+ - route:
+ - destination:
+ host: reviews
+ subset: v1
diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
new file mode 100644
index 0000000..7ae7b80
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-v2-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v2
+ weight: 50
+ - destination:
+ host: reviews
+ subset: v3
+ weight: 50
diff --git a/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-v3.yaml b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
new file mode 100644
index 0000000..5da999d
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/networking/virtual-service-reviews-v3.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews
+ http:
+ - route:
+ - destination:
+ host: reviews
+ subset: v3
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/README.md b/istio-1.0.4/samples/bookinfo/platform/consul/README.md
new file mode 100644
index 0000000..d0c68a7
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/README.md
@@ -0,0 +1,67 @@
+# Consul Adapter for Istio on Docker
+
+Make Istio run in docker environment by integrating Consul as a service registry.
+
+## Design Principle
+
+The key issue is how to implement the ServiceDiscovery interface functions in Istio.
+This platform adapter uses Consul Server to help Istio monitor service instances running in the underlying platform.
+When a service instance is brought up in docker, the [Registrator](http://gliderlabs.github.io/registrator/latest/)
+automatically registers the service in Consul.
+
+Note that Istio pilot is running inside each app container so as to coordinate Envoy and the service mesh.
+
+## Prerequisites
+
+ * Clone Istio Pilot [repo](https://github.com/istio/pilot) (required only if building images locally)
+
+ * Download istioctl from Istio's [releases page](https://github.com/istio/istio/releases) or build from
+ source in Istio Pilot repository
+
+## Bookinfo Demo
+
+The ingress controller is still under construction, routing functionalities can be tested by curling a service container directly.
+
+To build all images for the bookinfo sample for the consul adapter, run:
+
+ ```
+ samples/bookinfo/src/build-docker-services.sh
+ ```
+
+For Linux users, configure the `DOCKER_GATEWAY` environment variable
+
+ ```bash
+ export DOCKER_GATEWAY=172.28.0.1:
+ ```
+
+To bring up the control plane containers directly, from the root repository directory run
+
+ ```
+ docker-compose -f install/consul/istio.yaml up -d
+ ```
+
+This will pull images from docker hub to your local computing space.
+
+Now you can see all the containers in the mesh by running `docker ps -a`.
+
+If the webpage is not displaying properly, you may need to run the previous command once more to resolve a timing issue during start up.
+
+
+To bring up the app containers, from the `samples/bookinfo/consul` directory run
+
+ ```
+ docker-compose -f bookinfo.yaml up -d
+ ```
+
+
+To view the productpage webpage, open a web browser and enter `localhost:9081/productpage`.
+
+If you refresh the page several times, you should see different versions of reviews shown in productpage presented in a round robin style (red stars, black stars, no stars).
+
+Configure `istioctl` to use the locally mapped port for the Istio api server
+
+```
+istioctl context-create --api-server http://localhost:8080
+```
+
+If you are an advanced consul and docker network user, you may choose to configure your own envoymesh network dns and consul port mapping and istio-apiserver ipv4_address in the `istio.yaml` file.
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/bookinfo.sidecars.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/bookinfo.sidecars.yaml
new file mode 100644
index 0000000..1d5e836
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/bookinfo.sidecars.yaml
@@ -0,0 +1,127 @@ +# GENERATED FILE. Use with Docker-Compose and consul +# TO UPDATE, modify files in samples/bookinfo/platform/consul/templates and run install/updateVersion.sh +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +############################################################################ +version: '2' +services: + details-v1-init: + image: docker.io/istio/proxy_init:0.7.1 + cap_add: + - NET_ADMIN + network_mode: "container:consul_details-v1_1" + command: + - -p + - "15001" + - -u + - "1337" + details-v1-sidecar: + image: docker.io/istio/proxy_debug:1.0.4 + network_mode: "container:consul_details-v1_1" + entrypoint: + - su + - istio-proxy + - -c + - "/usr/local/bin/pilot-agent proxy --serviceregistry Consul --serviceCluster details-v1 --zipkinAddress zipkin:9411 --configPath /var/lib/istio >/tmp/envoy.log" + ratings-v1-init: + image: docker.io/istio/proxy_init:0.7.1 + cap_add: + - NET_ADMIN + network_mode: "container:consul_ratings-v1_1" + command: + - -p + - "15001" + - -u + - "1337" + ratings-v1-sidecar: + image: docker.io/istio/proxy_debug:1.0.4 + network_mode: "container:consul_ratings-v1_1" + entrypoint: + - su + - istio-proxy + - -c + - "/usr/local/bin/pilot-agent proxy --serviceregistry Consul --serviceCluster ratings-v1 --zipkinAddress zipkin:9411 --configPath /var/lib/istio >/tmp/envoy.log" + productpage-v1-init: + image: docker.io/istio/proxy_init:0.7.1 + cap_add: + - NET_ADMIN + network_mode: 
"container:consul_productpage-v1_1" + command: + - -p + - "15001" + - -u + - "1337" + productpage-v1-sidecar: + image: docker.io/istio/proxy_debug:1.0.4 + network_mode: "container:consul_productpage-v1_1" + entrypoint: + - su + - istio-proxy + - -c + - "/usr/local/bin/pilot-agent proxy --serviceregistry Consul --serviceCluster productpage-v1 --zipkinAddress zipkin:9411 --configPath /var/lib/istio >/tmp/envoy.log" + reviews-v1-init: + image: docker.io/istio/proxy_init:0.7.1 + cap_add: + - NET_ADMIN + network_mode: "container:consul_reviews-v1_1" + command: + - -p + - "15001" + - -u + - "1337" + reviews-v1-sidecar: + image: docker.io/istio/proxy_debug:1.0.4 + network_mode: "container:consul_reviews-v1_1" + entrypoint: + - su + - istio-proxy + - -c + - "/usr/local/bin/pilot-agent proxy --serviceregistry Consul --serviceCluster reviews-v1 --zipkinAddress zipkin:9411 --configPath /var/lib/istio >/tmp/envoy.log" + reviews-v2-init: + image: docker.io/istio/proxy_init:0.7.1 + cap_add: + - NET_ADMIN + network_mode: "container:consul_reviews-v2_1" + command: + - -p + - "15001" + - -u + - "1337" + reviews-v2-sidecar: + image: docker.io/istio/proxy_debug:1.0.4 + network_mode: "container:consul_reviews-v2_1" + entrypoint: + - su + - istio-proxy + - -c + - "/usr/local/bin/pilot-agent proxy --serviceregistry Consul --serviceCluster reviews-v2 --zipkinAddress zipkin:9411 --configPath /var/lib/istio >/tmp/envoy.log" + reviews-v3-init: + image: docker.io/istio/proxy_init:0.7.1 + cap_add: + - NET_ADMIN + network_mode: "container:consul_reviews-v3_1" + command: + - -p + - "15001" + - -u + - "1337" + reviews-v3-sidecar: + image: docker.io/istio/proxy_debug:1.0.4 + network_mode: "container:consul_reviews-v3_1" + entrypoint: + - su + - istio-proxy + - -c + - "/usr/local/bin/pilot-agent proxy --serviceregistry Consul --serviceCluster reviews-v3 --zipkinAddress zipkin:9411 --configPath /var/lib/istio >/tmp/envoy.log" 
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/bookinfo.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/bookinfo.yaml
new file mode 100644
index 0000000..b8c7301
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/bookinfo.yaml
@@ -0,0 +1,122 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+############################################################################
+version: '2'
+services:
+ details-v1:
+ image: istio/examples-bookinfo-details-v1:1.8.0
+ networks:
+ istiomesh:
+ dns:
+ - 172.28.0.1
+ - 8.8.8.8
+ dns_search:
+ - service.consul
+ environment:
+ - SERVICE_NAME=details
+ - SERVICE_TAGS=version|v1
+ - SERVICE_PROTOCOL=http
+ expose:
+ - "9080"
+
+ ratings-v1:
+ image: istio/examples-bookinfo-ratings-v1:1.8.0
+ networks:
+ istiomesh:
+ dns:
+ - 172.28.0.1
+ - 8.8.8.8
+ dns_search:
+ - service.consul
+ environment:
+ - SERVICE_NAME=ratings
+ - SERVICE_TAGS=version|v1
+ - SERVICE_PROTOCOL=http
+ expose:
+ - "9080"
+
+ reviews-v1:
+ image: istio/examples-bookinfo-reviews-v1:1.8.0
+ networks:
+ istiomesh:
+ dns:
+ - 172.28.0.1
+ - 8.8.8.8
+ dns_search:
+ - service.consul
+ environment:
+ - SERVICE_9080_NAME=reviews
+ - SERVICE_TAGS=version|v1
+ - SERVICE_PROTOCOL=http
+ - SERVICE_9443_IGNORE=1
+ expose:
+ - "9080"
+
+ reviews-v2:
+ image: istio/examples-bookinfo-reviews-v2:1.8.0
+ networks:
+ istiomesh:
+ dns:
+ - 172.28.0.1
+ - 8.8.8.8
+ dns_search:
+ - service.consul
+ environment:
+ - SERVICE_9080_NAME=reviews
+ - SERVICE_TAGS=version|v2
+ - SERVICE_PROTOCOL=http
+ - SERVICE_9443_IGNORE=1
+ expose:
+ - "9080"
+
+ reviews-v3:
+ image: istio/examples-bookinfo-reviews-v3:1.8.0
+ networks:
+ istiomesh:
+ dns:
+ - 172.28.0.1
+ - 8.8.8.8
+ dns_search:
+ - service.consul
+ environment:
+ - SERVICE_9080_NAME=reviews
+ - SERVICE_TAGS=version|v3
+ - SERVICE_PROTOCOL=http
+ - SERVICE_9443_IGNORE=1
+ expose:
+ - "9080"
+
+ productpage-v1:
+ image: istio/examples-bookinfo-productpage-v1:1.8.0
+ networks:
+ istiomesh:
+ ipv4_address: 172.28.0.14
+ dns:
+ - 172.28.0.1
+ - 8.8.8.8
+ dns_search:
+ - service.consul
+ environment:
+ - SERVICE_NAME=productpage
+ - SERVICE_TAGS=version|v1
+ - SERVICE_PROTOCOL=http
+ ports:
+ - "9081:9080"
+ expose:
+ - "9080"
+networks:
+ istiomesh:
+ external:
+ name: consul_istiomesh
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/cleanup.sh b/istio-1.0.4/samples/bookinfo/platform/consul/cleanup.sh
new file mode 100755
index 0000000..e51108f
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/cleanup.sh
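Review bot: The `- "9081:9080"` entry under `ports` on `productpage-v1` publishes the page on every host interface, because Compose binds to all addresses when the mapping carries no host IP. The README added in this commit only asks the reader to open `localhost:9081/productpage`, so I would bind the mapping to loopback, `- "127.0.0.1:9081:9080"`, with a comment such as `# loopback only: the page is meant to be opened from this machine`. The other services declare `expose` only and are not published on the host.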
@@ -0,0 +1,61 @@
+#!/bin/bash
+#
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+
+# only ask if in interactive mode
+if [[ -t 0 ]];then
+ echo -n "namespace ? [default] "
+ read NAMESPACE
+fi
+
+if [[ -z ${NAMESPACE} ]];then
+ NAMESPACE=default
+fi
+
+echo "using NAMESPACE=${NAMESPACE}"
+
+protos=( destinationrules virtualservices gateways )
+for proto in "${protos[@]}"; do
+ for resource in $(istioctl get -n ${NAMESPACE} $proto | awk 'NR>1{print $1}'); do
+ istioctl delete -n ${NAMESPACE} $proto $resource;
+ done
+done
+#istioctl delete mixer-rule ratings-ratelimit
+
+export OUTPUT=$(mktemp)
+echo "Application cleanup may take up to one minute"
+docker-compose -f $SCRIPTDIR/bookinfo.sidecars.yaml down > ${OUTPUT} 2>&1
+docker-compose -f $SCRIPTDIR/bookinfo.yaml down > ${OUTPUT} 2>&1
+ret=$?
+function cleanup() {
+ rm -f ${OUTPUT}
+}
+
+trap cleanup EXIT
+
+if [[ ${ret} -eq 0 ]];then
+ cat ${OUTPUT}
+else
+ # ignore NotFound errors
+ OUT2=$(grep -v NotFound ${OUTPUT})
+ if [[ ! -z ${OUT2} ]];then
+ cat ${OUTPUT}
+ exit ${ret}
+ fi
+fi
+
+echo "Application cleanup successful"
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/destination-rule-all.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/destination-rule-all.yaml
new file mode 100644
index 0000000..e28055a
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/destination-rule-all.yaml
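Review bot: `ret=$?` records only the second `docker-compose ... down`, and that command's `> ${OUTPUT}` truncates the file, so a failed sidecar teardown is neither reported nor left in the output. I would keep both results: `docker-compose -f "$SCRIPTDIR/bookinfo.sidecars.yaml" down > "${OUTPUT}" 2>&1; ret=$?` followed by `docker-compose -f "$SCRIPTDIR/bookinfo.yaml" down >> "${OUTPUT}" 2>&1 || ret=$?`. `NAMESPACE` comes straight from `read` and is expanded unquoted in both `istioctl` calls, so it is word-split and glob-expanded before it reaches the command; use `read -r NAMESPACE` and quote `"${NAMESPACE}"`, `"$proto"` and `"$resource"`. `trap cleanup EXIT` is installed only after the teardown commands, so the `mktemp` file is left behind if the script is interrupted before that point; defining `cleanup` and setting the trap directly after `mktemp` closes that gap.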
@@ -0,0 +1,53 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: productpage
+spec:
+ host: productpage.service.consul
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: reviews
+spec:
+ host: reviews.service.consul
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+ - name: v3
+ labels:
+ version: v3
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: ratings
+spec:
+ host: ratings.service.consul
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+ name: details
+spec:
+ host: details.service.consul
+ subsets:
+ - name: v1
+ labels:
+ version: v1
+ - name: v2
+ labels:
+ version: v2
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-all-v1.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-all-v1.yaml
new file mode 100644
index 0000000..19b4772
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-all-v1.yaml
@@ -0,0 +1,52 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: productpage
+spec:
+ hosts:
+ - productpage.service.consul
+ http:
+ - route:
+ - destination:
+ host: productpage.service.consul
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews.service.consul
+ http:
+ - route:
+ - destination:
+ host: reviews.service.consul
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings.service.consul
+ http:
+ - route:
+ - destination:
+ host: ratings.service.consul
+ subset: v1
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: details
+spec:
+ hosts:
+ - details.service.consul
+ http:
+ - route:
+ - destination:
+ host: details.service.consul
+ subset: v1
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-ratings-test-abort.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-ratings-test-abort.yaml
new file mode 100644
index 0000000..d13ce34
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-ratings-test-abort.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings.service.consul
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ fault:
+ abort:
+ percent: 100
+ httpStatus: 500
+ route:
+ - destination:
+ host: ratings.service.consul
+ subset: v1
+ - route:
+ - destination:
+ host: ratings.service.consul
+ subset: v1
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-ratings-test-delay.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-ratings-test-delay.yaml
new file mode 100644
index 0000000..4373b0b
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-ratings-test-delay.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: ratings
+spec:
+ hosts:
+ - ratings.service.consul
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ fault:
+ delay:
+ percent: 100
+ fixedDelay: 7s
+ route:
+ - destination:
+ host: ratings.service.consul
+ subset: v1
+ - route:
+ - destination:
+ host: ratings.service.consul
+ subset: v1
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-50-v3.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-50-v3.yaml
new file mode 100644
index 0000000..7e91c8c
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-50-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews.service.consul
+ http:
+ - route:
+ - destination:
+ host: reviews.service.consul
+ subset: v1
+ weight: 50
+ - destination:
+ host: reviews.service.consul
+ subset: v3
+ weight: 50
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-test-v2.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-test-v2.yaml
new file mode 100644
index 0000000..92fa461
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-test-v2.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews.service.consul
+ http:
+ - match:
+ - headers:
+ end-user:
+ exact: jason
+ route:
+ - destination:
+ host: reviews.service.consul
+ subset: v2
+ - route:
+ - destination:
+ host: reviews.service.consul
+ subset: v1
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-v2-v3.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-v2-v3.yaml
new file mode 100644
index 0000000..60271c0
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-v2-v3.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews.service.consul
+ http:
+ - route:
+ - destination:
+ host: reviews.service.consul
+ subset: v2
+ weight: 50
+ - destination:
+ host: reviews.service.consul
+ subset: v3
+ weight: 50
diff --git a/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-v3.yaml b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-v3.yaml
new file mode 100644
index 0000000..da9440c
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/consul/virtual-service-reviews-v3.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: reviews
+spec:
+ hosts:
+ - reviews.service.consul
+ http:
+ - route:
+ - destination:
+ host: reviews.service.consul
+ subset: v3
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/README.md b/istio-1.0.4/samples/bookinfo/platform/kube/README.md
new file mode 100644
index 0000000..d1189be
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/README.md
@@ -0,0 +1,2 @@
+See the [Bookinfo guide](https://istio.io/docs/guides/bookinfo.html) in Istio
+docs for instructions on how to run this demo application.
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml
new file mode 100644
index 0000000..915f145
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml
@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-productpage
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: productpage-v1
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: productpage
+ version: v1
+ spec:
+ serviceAccountName: bookinfo-productpage
+ containers:
+ - name: productpage
+ image: istio/examples-bookinfo-productpage-v1:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bookinfo-reviews
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: reviews-v2
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v2
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: istio/examples-bookinfo-reviews-v2:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: reviews-v3
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: reviews
+ version: v3
+ spec:
+ serviceAccountName: bookinfo-reviews
+ containers:
+ - name: reviews
+ image: istio/examples-bookinfo-reviews-v3:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-certificate.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
new file mode 100644
index 0000000..81ba819
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-certificate.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: istio-system
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: stage@istio.io
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ http01: {}
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: istio-ingressgateway-certs
+ namespace: istio-system
+spec:
+ secretName: istio-ingressgateway-certs
+ issuerRef:
+ name: letsencrypt-staging
+ kind: ClusterIssuer
+ commonName: bookinfo.example.com
+ dnsNames:
+ - bookinfo.example.com
+ acme:
+ config:
+ - http01:
+ ingressClass: none
+ domains:
+ - bookinfo.example.com
\ No newline at end of file
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-db.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-db.yaml
new file mode 100644
index 0000000..15ecd47
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-db.yaml
@@ -0,0 +1,46 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: mongodb
+ labels:
+ app: mongodb
+spec:
+ ports:
+ - port: 27017
+ name: mongo
+ selector:
+ app: mongodb
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: mongodb-v1
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mongodb
+ version: v1
+ spec:
+ containers:
+ - name: mongodb
+ image: istio/examples-bookinfo-mongodb:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 27017
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
new file mode 100644
index 0000000..30d16e2
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml
@@ -0,0 +1,39 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service v2
+##################################################################################################
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: details-v2
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v2
+ spec:
+ containers:
+ - name: details
+ image: istio/examples-bookinfo-details-v2:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+ env:
+ - name: DO_NOT_ENCRYPT
+ value: "true"
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-details.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-details.yaml
new file mode 100644
index 0000000..f023a6d
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-details.yaml
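Review bot: `DO_NOT_ENCRYPT` is set to `"true"` on the `details` container with no comment saying what stops being encrypted or why that is acceptable here. The name suggests the service sends its outbound request in clear text, presumably so that the sidecar or an egress rule can originate TLS instead; that is an inference from the name, not something this manifest shows. A comment above the `env` entry would make the precondition explicit, for example `# DO_NOT_ENCRYPT: app speaks plain HTTP upstream; deploy only together with a rule that originates TLS (confirm against the details image)`.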
@@ -0,0 +1,49 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Details service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: details
+ labels:
+ app: details
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: details
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: details-v1
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: details
+ version: v1
+ spec:
+ containers:
+ - name: details
+ image: istio/examples-bookinfo-details-v1:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ingress.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
new file mode 100644
index 0000000..0dd6561
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ingress.yaml
@@ -0,0 +1,44 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###########################################################################
+# Ingress resource (gateway)
+##########################################################################
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: gateway
+ annotations:
+ kubernetes.io/ingress.class: "istio"
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /productpage
+ backend:
+ serviceName: productpage
+ servicePort: 9080
+ - path: /login
+ backend:
+ serviceName: productpage
+ servicePort: 9080
+ - path: /logout
+ backend:
+ serviceName: productpage
+ servicePort: 9080
+ - path: /api/v1/products.*
+ backend:
+ serviceName: productpage
+ servicePort: 9080
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-mysql.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
new file mode 100644
index 0000000..6f1855b
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-mysql.yaml
@@ -0,0 +1,64 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Mysql db services
+# credentials: root/password
+##################################################################################################
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mysql-credentials
+type: Opaque
+data:
+ rootpasswd: cGFzc3dvcmQ=
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysqldb
+ labels:
+ app: mysqldb
+spec:
+ ports:
+ - port: 3306
+ name: mysql
+ selector:
+ app: mysqldb
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: mysqldb-v1
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mysqldb
+ version: v1
+ spec:
+ containers:
+ - name: mysqldb
+ image: istio/examples-bookinfo-mysqldb:1.8.0
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 3306
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: mysql-credentials
+ key: rootpasswd
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
new file mode 100644
index 0000000..fa63eb2
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-discovery.yaml
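Review bot: The `mysql-credentials` Secret commits the database root password to the repository: `rootpasswd: cGFzc3dvcmQ=` is only base64-encoded, and the header comment already spells the pair out as `root/password`. For a local demo that is workable, but the manifest should say so next to the Secret, e.g. `# demo-only credential; do not apply to a shared cluster`. For anything else the Secret is better created out of band, `kubectl create secret generic mysql-credentials --from-literal=rootpasswd=<generated-password>`, and left out of this file, so that the `mysqldb` Service on 3306 is not guarded by a published password.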
@@ -0,0 +1,30 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Ratings service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: ratings
+ labels:
+ app: ratings
+spec:
+ ports:
+ - port: 9080
+ name: http
+ selector:
+ app: ratings
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
new file mode 100644
index 0000000..00bed66
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql-vm.yaml
@@ -0,0 +1,46 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: ratings-v2-mysql-vm
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: ratings
+ version: v2-mysql-vm
+ spec:
+ containers:
+ - name: ratings
+ image: istio/examples-bookinfo-ratings-v2:1.8.0
+ imagePullPolicy: IfNotPresent
+ env:
+ # This assumes you registered your mysql vm as
+ # istioctl register -n vm mysqldb 1.2.3.4 3306
+ - name: DB_TYPE
+ value: "mysql"
+ - name: MYSQL_DB_HOST
+ value: mysqldb.vm.svc.cluster.local
+ - name: MYSQL_DB_PORT
+ value: "3306"
+ - name: MYSQL_DB_USER
+ value: root
+ - name: MYSQL_DB_PASSWORD
+ value: password
+ ports:
+ - containerPort: 9080
+---
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
new file mode 100644
index 0000000..14d5cb1
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml
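Review bot: In `bookinfo-ratings-v2-mysql-vm.yaml`, `MYSQL_DB_PASSWORD` is a literal `value: password` next to `MYSQL_DB_USER: root`, so the database credential is visible to anyone allowed to read the Deployment or pod spec, and the application connects as the MySQL superuser. The MySQL manifest in this same commit defines a `mysql-credentials` Secret and consumes it via `secretKeyRef`; the ratings container should do the same, replacing the literal with `valueFrom: {secretKeyRef: {name: mysql-credentials, key: rootpasswd}}`, provided that Secret exists in the namespace where ratings runs. The same literal password is set in `bookinfo-ratings-v2-mysql.yaml` (the next hunk) and shown in the commented-out block of `bookinfo-ratings-v2.yaml`. A dedicated database account with only the rights the ratings service needs would be a better default than `root`.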
@@ -0,0 +1,49 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: ratings-v2-mysql +spec: + replicas: 1 + template: + metadata: + labels: + app: ratings + version: v2-mysql + spec: + containers: + - name: ratings + image: istio/examples-bookinfo-ratings-v2:1.8.0 + imagePullPolicy: IfNotPresent + env: + # ratings-v2 will use mongodb as the default db backend. + # if you would like to use mysqldb then you can use this file + # which sets DB_TYPE = 'mysql' and the rest of the parameters shown + # here and also create the # mysqldb service using bookinfo-mysql.yaml + # NOTE: This file is mutually exclusive to bookinfo-ratings-v2.yaml + - name: DB_TYPE + value: "mysql" + - name: MYSQL_DB_HOST + value: mysqldb + - name: MYSQL_DB_PORT + value: "3306" + - name: MYSQL_DB_USER + value: root + - name: MYSQL_DB_PASSWORD + value: password + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml new file mode 100644 index 0000000..9408eef --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml 
@@ -0,0 +1,50 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: ratings-v2 +spec: + replicas: 1 + template: + metadata: + labels: + app: ratings + version: v2 + spec: + containers: + - name: ratings + image: istio/examples-bookinfo-ratings-v2:1.8.0 + imagePullPolicy: IfNotPresent + env: + # ratings-v2 will use mongodb as the default db backend. + # if you would like to use mysqldb then set DB_TYPE = 'mysql', set + # the rest of the parameters shown here and also create the + # mysqldb service using bookinfo-mysql.yaml + # - name: DB_TYPE #default to + # value: "mysql" + # - name: MYSQL_DB_HOST + # value: mysqldb + # - name: MYSQL_DB_PORT + # value: "3306" + # - name: MYSQL_DB_USER + # value: root + # - name: MYSQL_DB_PASSWORD + # value: password + - name: MONGO_DB_URL + value: mongodb://mongodb:27017/test + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings.yaml new file mode 100644 index 0000000..ae1fc58 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-ratings.yaml 
@@ -0,0 +1,49 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: ratings-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + containers: + - name: ratings + image: istio/examples-bookinfo-ratings-v1:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml new file mode 100644 index 0000000..9a171a8 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo-reviews-v2.yaml 
@@ -0,0 +1,36 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Reviews service v2 +################################################################################################## +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: reviews-v2 +spec: + replicas: 1 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + containers: + - name: reviews + image: istio/examples-bookinfo-reviews-v2:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo.yaml new file mode 100644 index 0000000..c0470c4 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/bookinfo.yaml 
@@ -0,0 +1,192 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Details service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: details-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: details + version: v1 + spec: + containers: + - name: details + image: istio/examples-bookinfo-details-v1:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: ratings-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + containers: + - name: ratings + image: istio/examples-bookinfo-ratings-v1:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 
9080 +--- +################################################################################################## +# Reviews service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: reviews + labels: + app: reviews +spec: + ports: + - port: 9080 + name: http + selector: + app: reviews +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: reviews-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: reviews + version: v1 + spec: + containers: + - name: reviews + image: istio/examples-bookinfo-reviews-v1:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: reviews-v2 +spec: + replicas: 1 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + containers: + - name: reviews + image: istio/examples-bookinfo-reviews-v2:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: reviews-v3 +spec: + replicas: 1 + template: + metadata: + labels: + app: reviews + version: v3 + spec: + containers: + - name: reviews + image: istio/examples-bookinfo-reviews-v3:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +################################################################################################## +# Productpage services +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage +spec: + ports: + - port: 9080 + name: http + selector: + app: productpage +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: productpage-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: productpage + version: v1 + spec: + containers: + - name: productpage + image: 
istio/examples-bookinfo-productpage-v1:1.8.0 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/cleanup.sh b/istio-1.0.4/samples/bookinfo/platform/kube/cleanup.sh new file mode 100755 index 0000000..625a758 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/cleanup.sh @@ -0,0 +1,60 @@ +#!/bin/bash +# +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +SCRIPTDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) + +# only ask if in interactive mode +if [[ -t 0 ]];then + echo -n "namespace ? [default] " + read NAMESPACE +fi + +if [[ -z ${NAMESPACE} ]];then + NAMESPACE=default +fi + +echo "using NAMESPACE=${NAMESPACE}" + +protos=( destinationrules virtualservices gateways ) +for proto in "${protos[@]}"; do + for resource in $(istioctl get -n ${NAMESPACE} $proto | awk 'NR>1{print $1}'); do + istioctl delete -n ${NAMESPACE} $proto $resource; + done +done +#istioctl delete mixer-rule ratings-ratelimit + +export OUTPUT=$(mktemp) +echo "Application cleanup may take up to one minute" +kubectl delete -n ${NAMESPACE} -f $SCRIPTDIR/bookinfo.yaml > ${OUTPUT} 2>&1 +ret=$? +function cleanup() { + rm -f ${OUTPUT} +} + +trap cleanup EXIT + +if [[ ${ret} -eq 0 ]];then + cat ${OUTPUT} +else + # ignore NotFound errors + OUT2=$(grep -v NotFound ${OUTPUT}) + if [[ ! -z ${OUT2} ]];then + cat ${OUTPUT} + exit ${ret} + fi +fi + +echo "Application cleanup successful" 
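Review bot: In `cleanup.sh`, `NAMESPACE` comes from an interactive `read` or from the environment and is then expanded unquoted into `istioctl delete -n ${NAMESPACE} ...` and `kubectl delete -n ${NAMESPACE} -f $SCRIPTDIR/bookinfo.yaml`. A value containing whitespace or glob characters is therefore split into extra arguments to a destructive command. The same applies to `$proto`, `$resource`, `${OUTPUT}` and a `$SCRIPTDIR` path that contains spaces. I would use `read -r NAMESPACE` and quote every expansion, e.g. `kubectl delete -n "${NAMESPACE}" -f "${SCRIPTDIR}/bookinfo.yaml" > "${OUTPUT}" 2>&1`. Separately, `trap cleanup EXIT` is registered only after `kubectl delete` has run, so an interrupt during the up-to-a-minute wait leaves the `mktemp` file behind; define `cleanup` and set the trap immediately after `OUTPUT=$(mktemp)`, and drop the `export`, which hides a `mktemp` failure.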
diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-details-reviews.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-details-reviews.yaml new file mode 100644 index 0000000..7957714 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-details-reviews.yaml @@ -0,0 +1,21 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: details-reviews-viewer + namespace: default +spec: + rules: + - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"] + methods: ["GET"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-details-reviews + namespace: default +spec: + subjects: + - user: "cluster.local/ns/default/sa/bookinfo-productpage" + roleRef: + kind: ServiceRole + name: "details-reviews-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-enable.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-enable.yaml new file mode 100644 index 0000000..9b81361 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-enable.yaml 
@@ -0,0 +1,41 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: authorization +metadata: + name: requestcontext + namespace: istio-system +spec: + subject: + user: source.user | "" + groups: "" + properties: + app: source.labels["app"] | "" + version: source.labels["version"] | "" + namespace: source.namespace | "" + action: + namespace: destination.namespace | "" + service: destination.service | "" + method: request.method | "" + path: request.path | "" + properties: + app: destination.labels["app"] | "" + version: destination.labels["version"] | "" +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rbac +metadata: + name: handler + namespace: istio-system +spec: + config_store_url: "k8s://" +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: rbaccheck + namespace: istio-system +spec: + match: destination.namespace == "default" + actions: + - handler: handler.rbac + instances: + - requestcontext.authorization diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-namespace.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-namespace.yaml new file mode 100644 index 0000000..49cb1e4 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-namespace.yaml @@ -0,0 +1,27 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: service-viewer + namespace: default +spec: + rules: + - services: ["*"] + methods: ["GET"] + constraints: + - key: "app" + values: ["productpage", "details", "reviews", "ratings"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-service-viewer + namespace: default +spec: + subjects: + - properties: + namespace: "default" + - properties: + namespace: "istio-system" + roleRef: + kind: ServiceRole + name: "service-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-productpage.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-productpage.yaml new file mode 100644 index 0000000..6758ef2 
--- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-productpage.yaml @@ -0,0 +1,21 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: productpage-viewer + namespace: default +spec: + rules: + - services: ["productpage.default.svc.cluster.local"] + methods: ["GET"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-productpage-viewer + namespace: default +spec: + subjects: + - user: "*" + roleRef: + kind: ServiceRole + name: "productpage-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-ratings.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-ratings.yaml new file mode 100644 index 0000000..d0e4f2b --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/istio-rbac-ratings.yaml @@ -0,0 +1,21 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: ratings-viewer + namespace: default +spec: + rules: + - services: ["ratings.default.svc.cluster.local"] + methods: ["GET"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-ratings + namespace: default +spec: + subjects: + - user: "cluster.local/ns/default/sa/bookinfo-reviews" + roleRef: + kind: ServiceRole + name: "ratings-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml new file mode 100644 index 0000000..7957714 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml 
@@ -0,0 +1,21 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: details-reviews-viewer + namespace: default +spec: + rules: + - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"] + methods: ["GET"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-details-reviews + namespace: default +spec: + subjects: + - user: "cluster.local/ns/default/sa/bookinfo-productpage" + roleRef: + kind: ServiceRole + name: "details-reviews-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/rbac/namespace-policy.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/namespace-policy.yaml new file mode 100644 index 0000000..ac6e4a7 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/namespace-policy.yaml @@ -0,0 +1,27 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: service-viewer + namespace: default +spec: + rules: + - services: ["*"] + methods: ["GET"] + constraints: + - key: "destination.labels[app]" + values: ["productpage", "details", "reviews", "ratings"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-service-viewer + namespace: default +spec: + subjects: + - properties: + source.namespace: "istio-system" + - properties: + source.namespace: "default" + roleRef: + kind: ServiceRole + name: "service-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/rbac/productpage-policy.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/productpage-policy.yaml new file mode 100644 index 0000000..6758ef2 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/productpage-policy.yaml 
@@ -0,0 +1,21 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: productpage-viewer + namespace: default +spec: + rules: + - services: ["productpage.default.svc.cluster.local"] + methods: ["GET"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-productpage-viewer + namespace: default +spec: + subjects: + - user: "*" + roleRef: + kind: ServiceRole + name: "productpage-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/rbac/ratings-policy.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/ratings-policy.yaml new file mode 100644 index 0000000..d0e4f2b --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/ratings-policy.yaml @@ -0,0 +1,21 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRole +metadata: + name: ratings-viewer + namespace: default +spec: + rules: + - services: ["ratings.default.svc.cluster.local"] + methods: ["GET"] +--- +apiVersion: "rbac.istio.io/v1alpha1" +kind: ServiceRoleBinding +metadata: + name: bind-ratings + namespace: default +spec: + subjects: + - user: "cluster.local/ns/default/sa/bookinfo-reviews" + roleRef: + kind: ServiceRole + name: "ratings-viewer" diff --git a/istio-1.0.4/samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml new file mode 100644 index 0000000..5ea065f --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml @@ -0,0 +1,8 @@ +apiVersion: "rbac.istio.io/v1alpha1" +kind: RbacConfig +metadata: + name: default +spec: + mode: 'ON_WITH_INCLUSION' + inclusion: + namespaces: ["default"] diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-additional-telemetry.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-additional-telemetry.yaml new file mode 100644 index 0000000..ef7cd12 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-additional-telemetry.yaml 
@@ -0,0 +1,10 @@
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: prommetricsresponse
+ namespace: istio-system
+spec:
+ actions:
+ - handler: handler.prometheus.istio-system
+ instances:
+ - responsesize.metric.istio-system
diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-deny-label.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-deny-label.yaml
new file mode 100644
index 0000000..249d505
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-deny-label.yaml
@@ -0,0 +1,24 @@
+apiVersion: "config.istio.io/v1alpha2"
+kind: denier
+metadata:
+ name: denyreviewsv3handler
+spec:
+ status:
+ code: 7
+ message: Not allowed
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: checknothing
+metadata:
+ name: denyreviewsv3request
+spec:
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: denyreviewsv3
+spec:
+ match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
+ actions:
+ - handler: denyreviewsv3handler.denier
+ instances: [ denyreviewsv3request.checknothing ]
diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-deny-serviceaccount.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-deny-serviceaccount.yaml
new file mode 100644
index 0000000..c7555b0
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-deny-serviceaccount.yaml
@@ -0,0 +1,24 @@
+apiVersion: "config.istio.io/v1alpha2"
+kind: denier
+metadata:
+ name: denyproductpagehandler
+spec:
+ status:
+ code: 7
+ message: Not allowed
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: checknothing
+metadata:
+ name: denyproductpagerequest
+spec:
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: denyproductpage
+spec:
+ match: destination.labels["app"] == "details" && source.user == "cluster.local/ns/default/sa/bookinfo-productpage"
+ actions:
+ - handler: denyproductpagehandler.denier
+ instances: [ denyproductpagerequest.checknothing ]
diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ingress-denial.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ingress-denial.yaml
new file mode 100644
index 0000000..838cd3e
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ingress-denial.yaml
@@ -0,0 +1,28 @@
+apiVersion: "config.istio.io/v1alpha2"
+kind: denier
+metadata:
+ name: handler
+ namespace: istio-system
+spec:
+ status:
+ code: 7
+ message: Not allowed
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: checknothing
+metadata:
+ name: denyrequest
+ namespace: istio-system
+spec:
+
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: rule
+metadata:
+ name: denyingress
+ namespace: istio-system
+spec:
+ match: source.labels["istio"] == "ingressgateway" && request.headers["x-user"] == "john"
+ actions:
+ - handler: handler.denier.istio-system
+ instances: [ denyrequest.checknothing.istio-system ]
diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-kubernetesenv-telemetry.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-kubernetesenv-telemetry.yaml
new file mode 100644
index 0000000..334c275
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-kubernetesenv-telemetry.yaml
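Review bot: The `denyingress` rule in `mixer-rule-ingress-denial.yaml` decides on `request.headers["x-user"] == "john"`, a request header whose value the caller supplies, so the denial holds only for requests that choose to carry that value. Unless a trusted component sets or strips `x-user` before the check, this works as a routing demo but not as access control. By contrast, the `denyproductpage` rule in the previous hunk matches on `source.user`, which is an identity the mesh derives itself. I would add a comment above the match, `# demo only: x-user is client-supplied; enforce on source.user or another authenticated attribute`. The `denyreviewsv3` rule in `mixer-rule-ratings-denial.yaml` uses the same header match with no destination constraint, and its own `#FIXME` line suggests the intended expression was never finished.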
@@ -0,0 +1,53 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: prometheus +metadata: + name: kubeenvhandler + namespace: istio-system +spec: + metrics: + - name: kube_request_count + instance_name: kubeenvrequestcount.metric.istio-system + kind: COUNTER + label_names: + - response_code + - source_pod + - source_workload_uid + - source_workload + - source_owner + - destination_pod + - destination_workload_uid + - destination_workload + - destination_owner + - destination_container +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: kubeenvrequestcount + namespace: istio-system +spec: + value: "1" + dimensions: + response_code: response.code | 200 + source_pod: source.name | "unknown" + source_workload_uid: source.workload.uid | "unknown" + source_workload: source.workload.name | "unknown" + source_owner: source.owner | "unknown" + destination_pod: destination.name | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_uid: destination.workload.uid | "unknown" + destination_owner: destination.owner | "unknown" + destination_container: destination.container.name | "unknown" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promkubeenv + namespace: istio-system +spec: + match: "true" + actions: + - handler: kubeenvhandler.prometheus + instances: + - kubeenvrequestcount.metric diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml new file mode 100644 index 0000000..ea8fc40 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-productpage-ratelimit.yaml 
@@ -0,0 +1,80 @@
+apiVersion: "config.istio.io/v1alpha2"
+kind: memquota
+metadata:
+ name: handler
+ namespace: istio-system
+spec:
+ quotas:
+ - name: requestcount.quota.istio-system
+ maxAmount: 500
+ validDuration: 1s
+ # The first matching override is applied.
+ # A requestcount instance is checked against override dimensions.
+ overrides:
+ # The following override applies to 'reviews' regardless
+ # of the source.
+ - dimensions:
+ destination: reviews
+ maxAmount: 1
+ validDuration: 5s
+ # The following override applies to 'productpage' when
+ # the source is a specific ip address.
+ - dimensions:
+ destination: productpage
+ source: "10.28.11.20"
+ maxAmount: 500
+ validDuration: 1s
+ # The following override applies to 'productpage' regardless
+ # of the source.
+ - dimensions:
+ destination: productpage
+ maxAmount: 2
+ validDuration: 5s
+---
+apiVersion: "config.istio.io/v1alpha2"
+kind: quota
+metadata:
+ name: requestcount
+ namespace: istio-system
+spec:
+ dimensions:
+ source: request.headers["x-forwarded-for"] | "unknown"
+ destination: destination.labels["app"] | destination.service | "unknown"
+ destinationVersion: destination.labels["version"] | "unknown"
+---
+apiVersion: config.istio.io/v1alpha2
+kind: QuotaSpec
+metadata:
+ name: request-count
+ namespace: istio-system
+spec:
+ rules:
+ - quotas:
+ - charge: 1
+ quota: requestcount
+---
+apiVersion: config.istio.io/v1alpha2
+kind: QuotaSpecBinding
+metadata:
+ name: request-count
+ namespace: istio-system
+spec:
+ quotaSpecs:
+ - name: request-count
+ namespace: istio-system
+ services:
+ - name: productpage
+ namespace: default
+ # - service: '*' # Uncomment this to bind *all* services to request-count
+---
+apiVersion: config.istio.io/v1alpha2
+kind: rule
+metadata:
+ name: quota
+spec:
+ # quota only applies if you are not logged in.
+ # match: match(request.headers["cookie"], "user=*") == false
+ actions:
+ - handler: handler.memquota
+ instances:
+ - requestcount.quota
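Review bot: The `requestcount` quota instance takes its `source` dimension from `request.headers["x-forwarded-for"]`, a header the caller can set, so the per-source overrides in the `memquota` handler are only as trustworthy as whatever fronts the mesh. Unless the ingress overwrites that header, the `source: "10.28.11.20"` override gives its 500-per-second allowance to any request presenting that value, and the 2-per-5s `productpage` limit is not tied to a real client. I would add a comment on the dimension, `# x-forwarded-for is client-controlled unless the ingress gateway rewrites it; do not rely on it for enforcement`. For real rate limiting, key the dimension on an attribute the mesh derives itself, such as `source.ip` or `source.user`, if that attribute is meaningful at this hop. The final `rule` named `quota` also has no `namespace`, unlike every other object in the file; it is worth confirming that it lands where `handler.memquota` resolves.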
diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ratings-denial.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ratings-denial.yaml new file mode 100644 index 0000000..d62b853 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ratings-denial.yaml @@ -0,0 +1,29 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: denier +metadata: + name: handler + namespace: istio-system +spec: + status: + code: 7 + message: Not allowed +--- +apiVersion: "config.istio.io/v1alpha2" +kind: checknothing +metadata: + name: denyrequest + namespace: istio-system +spec: + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: denyreviewsv3 + namespace: istio-system +spec: + #FIXME match: destination.labels["app"]=="productpage" && request.headers["x-user"] == "" + match: request.headers["x-user"] == "john" + actions: + - handler: handler.denier.istio-system + instances: [ denyrequest.checknothing.istio-system ] diff --git a/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ratings-ratelimit.yaml b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ratings-ratelimit.yaml new file mode 100644 index 0000000..6b589ac --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/policy/mixer-rule-ratings-ratelimit.yaml 
@@ -0,0 +1,78 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: memquota +metadata: + name: handler + namespace: istio-system +spec: + quotas: + - name: requestcount.quota.istio-system + maxAmount: 5000 + validDuration: 1s + # The first matching override is applied. + # A requestcount instance is checked against override dimensions. + overrides: + # The following override applies to 'ratings' when + # the source is 'reviews'. + - dimensions: + destination: ratings + source: reviews + maxAmount: 1 + validDuration: 1s + # The following override applies to 'ratings' regardless + # of the source. + - dimensions: + destination: ratings + maxAmount: 100 + validDuration: 1s + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: quota +metadata: + name: requestcount + namespace: istio-system +spec: + dimensions: + source: source.labels["app"] | source.service | "unknown" + sourceVersion: source.labels["version"] | "unknown" + destination: destination.labels["app"] | destination.service | "unknown" + destinationVersion: destination.labels["version"] | "unknown" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: quota + namespace: istio-system +spec: + actions: + - handler: handler.memquota + instances: + - requestcount.quota +--- +apiVersion: config.istio.io/v1alpha2 +kind: QuotaSpec +metadata: + name: request-count + namespace: istio-system +spec: + rules: + - quotas: + - charge: 1 + quota: requestcount +--- +apiVersion: config.istio.io/v1alpha2 +kind: QuotaSpecBinding +metadata: + name: request-count + namespace: istio-system +spec: + quotaSpecs: + - name: request-count + namespace: istio-system + services: + - name: ratings + - name: reviews + - name: details + - name: productpage + diff --git a/istio-1.0.4/samples/bookinfo/src/mongodb/ratings_data.json b/istio-1.0.4/samples/bookinfo/src/mongodb/ratings_data.json new file mode 100644 index 0000000..b4563b5 --- /dev/null +++ b/istio-1.0.4/samples/bookinfo/src/mongodb/ratings_data.json 
@@ -0,0 +1,2 @@
+{rating: 5}
+{rating: 4}
diff --git a/istio-1.0.4/samples/bookinfo/src/ratings/package.json b/istio-1.0.4/samples/bookinfo/src/ratings/package.json
new file mode 100644
index 0000000..9093980
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/src/ratings/package.json
@@ -0,0 +1,10 @@
+{
+ "scripts": {
+ "start": "node ratings.js"
+ },
+ "dependencies": {
+ "httpdispatcher": "1.0.0",
+ "mongodb": "^2.2.31",
+ "mysql": "^2.15.0"
+ }
+}
diff --git a/istio-1.0.4/samples/bookinfo/swagger.yaml b/istio-1.0.4/samples/bookinfo/swagger.yaml
new file mode 100644
index 0000000..6782e73
--- /dev/null
+++ b/istio-1.0.4/samples/bookinfo/swagger.yaml
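Review bot: In `package.json`, `mongodb` and `mysql` are declared with caret ranges (`"^2.2.31"`, `"^2.15.0"`) and no lockfile for this package is visible in this part of the diff, so each install may resolve a different 2.x release and the code that ends up in the ratings image is not fixed by what was reviewed. Committing the lockfile next to `package.json` and installing with `npm ci` pins the whole dependency tree. Failing that, exact versions as already used for `"httpdispatcher": "1.0.0"` at least pin the direct dependencies.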
@@ -0,0 +1,248 @@ +swagger: "2.0" +info: + description: "This is the API of the Istio BookInfo sample application." + version: "1.0.0" + title: "BookInfo API" + termsOfService: "https://istio.io/" + license: + name: "Apache 2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0.html" +basePath: "/api/v1" +tags: +- name: "product" + description: "Information about a product (in this case a book)" +- name: "review" + description: "Review information for a product" +- name: "rating" + description: "Rating information for a product" +externalDocs: + description: "Learn more about the Istio BookInfo application" + url: "https://istio.io/docs/samples/bookinfo.html" +paths: + /products: + get: + tags: + - "product" + summary: "List all products" + description: "List all products available in the application with a minimum amount of information." + operationId: "getProducts" + consumes: + - "application/json" + produces: + - "application/json" + responses: + 200: + description: "successful operation" + schema: + type: "array" + items: + $ref: "#/definitions/Product" + /products/{id}: + get: + tags: + - "product" + summary: "Get individual product" + description: "Get detailed information about an individual product with the given id." + operationId: "getProduct" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductDetails" + 400: + description: "Invalid product id" + /products/{id}/reviews: + get: + tags: + - "review" + summary: "Get reviews for a product" + description: "Get reviews for a product, including review text and possibly ratings information." 
+ operationId: "getProductReviews" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductReviews" + 400: + description: "Invalid product id" + /products/{id}/ratings: + get: + tags: + - "rating" + summary: "Get ratings for a product" + description: "Get ratings for a product, including stars and their color." + operationId: "getProductRatings" + consumes: + - "application/json" + produces: + - "application/json" + parameters: + - name: "id" + in: "path" + description: "Product id" + required: true + type: "integer" + format: "int32" + responses: + 200: + description: "successful operation" + schema: + $ref: "#/definitions/ProductRatings" + 400: + description: "Invalid product id" + + +definitions: + Product: + type: "object" + description: "Basic information about a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + title: + type: "string" + description: "Title of the book" + descriptionHtml: + type: "string" + description: "Description of the book - may contain HTML tags" + required: + - "id" + - "title" + - "descriptionHtml" + ProductDetails: + type: "object" + description: "Detailed information about a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + publisher: + type: "string" + description: "Publisher of the book" + language: + type: "string" + description: "Language of the book" + author: + type: "string" + description: "Author of the book" + ISBN-10: + type: "string" + description: "ISBN-10 of the book" + ISBN-13: + type: "string" + description: "ISBN-13 of the book" + year: + type: "integer" + format: "int32" + description: "Year the book was first published in" + type: + type: "string" + enum: + - "paperback" + - "hardcover" + 
description: "Type of the book" + pages: + type: "integer" + format: "int32" + description: "Number of pages of the book" + required: + - "id" + - "publisher" + - "language" + - "author" + - "ISBN-10" + - "ISBN-13" + - "year" + - "type" + - "pages" + ProductReviews: + type: "object" + description: "Object containing reviews for a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + reviews: + type: "array" + description: "List of reviews" + items: + $ref: "#/definitions/Review" + required: + - "id" + - "reviews" + Review: + type: "object" + description: "Review of a product" + properties: + reviewer: + type: "string" + description: "Name of the reviewer" + text: + type: "string" + description: "Review text" + rating: + $ref: "#/definitions/Rating" + required: + - "reviewer" + - "text" + Rating: + type: "object" + description: "Rating of a product" + properties: + stars: + type: "integer" + format: "int32" + minimum: 1 + maximum: 5 + description: "Number of stars" + color: + type: "string" + enum: + - "red" + - "black" + description: "Color in which stars should be displayed" + required: + - "stars" + - "color" + ProductRatings: + type: "object" + description: "Object containing ratings of a product" + properties: + id: + type: "integer" + format: "int32" + description: "Product id" + ratings: + type: "object" + description: "A hashmap where keys are reviewer names, values are number of stars" + additionalProperties: + type: "string" + required: + - "id" + - "ratings" \ No newline at end of file diff --git a/istio-1.0.4/samples/certs/ca-cert.pem b/istio-1.0.4/samples/certs/ca-cert.pem new file mode 100644 index 0000000..a460e03 --- /dev/null +++ b/istio-1.0.4/samples/certs/ca-cert.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.0.4/samples/certs/ca-key.pem b/istio-1.0.4/samples/certs/ca-key.pem new file mode 100644 index 0000000..faa77f3 --- /dev/null +++ b/istio-1.0.4/samples/certs/ca-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy1 +3XIQk8/u/By9iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3Hzd +Rw+SBhXlsh9zAPZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSd +PrFx6EyMXl7KM8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLs +ar69PgFS0TomESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJ +t/h8yspS1ck8LJtCole9919umByg5oruflqIlQIDAQABAoIBAGZI8fnUinmd5R6B +C941XG3XFs6GAuUm3hNPcUFuGnntmv/5I0gBpqSyFO0nDqYg4u8Jma8TTCIkmnFN +ogIeFU+LiJFinR3GvwWzTE8rTz1FWoaY+M9P4ENd/I4pVLxUPuSKhfA2ChAVOupU +8F7D9Q/dfBXQQCT3VoUaC+FiqjL4HvIhji1zIqaqpK7fChGPraC/4WHwLMNzI0Zg +oDdAanwVygettvm6KD7AeKzhK94gX1PcnsOi3KuzQYvkenQE1M6/K7YtEc5qXCYf +QETj0UCzB55btgdF36BGoZXf0LwHqxys9ubfHuhwKBpY0xg2z4/4RXZNhfIDih3w +J3mihcECgYEA6FtQ0cfh0Zm03OPDpBGc6sdKxTw6aBDtE3KztfI2hl26xHQoeFqp +FmV/TbnExnppw+gWJtwx7IfvowUD8uRR2P0M2wGctWrMpnaEYTiLAPhXsj69HSM/ +CYrh54KM0YWyjwNhtUzwbOTrh1jWtT9HV5e7ay9Atk3UWljuR74CFMUCgYEA392e +DVoDLE0XtbysmdlfSffhiQLP9sT8+bf/zYnr8Eq/4LWQoOtjEARbuCj3Oq7bP8IE +Vz45gT1mEE3IacC9neGwuEa6icBiuQi86NW8ilY/ZbOWrRPLOhk3zLiZ+yqkt+sN +cqWx0JkIh7IMKWI4dVQgk4I0jcFP7vNG/So4AZECgYEA426eSPgxHQwqcBuwn6Nt +yJCRq0UsljgbFfIr3Wfb3uFXsntQMZ3r67QlS1sONIgVhmBhbmARrcfQ0+xQ1SqO +wqnOL4AAd8K11iojoVXLGYP7ssieKysYxKpgPE8Yru0CveE9fkx0+OGJeM2IO5hY +qHAoTt3NpaPAuz5Y3XgqaVECgYA0TONS/TeGjxA9/jFY1Cbl8gp35vdNEKKFeM5D +Z7h+cAg56FE8tyFyqYIAGVoBFL7WO26mLzxiDEUfA/0Rb90c2JBfzO5hpleqIPd5 +cg3VR+cRzI4kK16sWR3nLy2SN1k6OqjuovVS5Z3PjfI3bOIBz0C5FY9Pmt0g1yc7 +mDRzcQKBgQCXWCZStbdjewaLd5u5Hhbw8tIWImMVfcfs3H1FN669LLpbARM8RtAa +8dYwDVHmWmevb/WX03LiSE+GCjCBO79fa1qc5RKAalqH/1OYxTuvYOeTUebSrg8+ +lQFlP2OC4GGolKrN6HVWdxtf+F+SdjwX6qGCfYkXJRLYXIFSFjFeuw== +-----END RSA PRIVATE KEY----- diff --git a/istio-1.0.4/samples/certs/cert-chain.pem b/istio-1.0.4/samples/certs/cert-chain.pem new file mode 100644 index 0000000..a460e03 --- /dev/null +++ b/istio-1.0.4/samples/certs/cert-chain.pem 
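Review bot: This hunk commits an unencrypted RSA private key, and its modulus (the base64 run starting `yzCxr/xu0zy5`) is the same one visible in `ca-cert.pem` and `cert-chain.pem`, so it is the signing key for the CA certificate added alongside it. Anyone who can read the repository can read the key, so a mesh configured with these files as its CA would accept workload certificates that a third party issued. The files under `istio-1.0.4/samples/certs/` should be treated as demo material only: leave `ca-key.pem` out of the commit, generate a CA per cluster, and keep its key in a secret store rather than in version control.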
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAoegAwIBAgIJAON1ifrBZ2/BMA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowWTELMAkGA1UEBhMCVVMxEzARBgNVBAgT +CkNhbGlmb3JuaWExEjAQBgNVBAcTCVN1bm55dmFsZTEOMAwGA1UEChMFSXN0aW8x +ETAPBgNVBAMTCElzdGlvIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAyzCxr/xu0zy5rVBiso9ffgl00bRKvB/HF4AX9/ytmZ6Hqsy13XIQk8/u/By9 +iCvVwXIMvyT0CbiJq/aPEj5mJUy0lzbrUs13oneXqrPXf7ir3HzdRw+SBhXlsh9z +APZJXcF93DJU3GabPKwBvGJ0IVMJPIFCuDIPwW4kFAI7R/8A5LSdPrFx6EyMXl7K +M8jekC0y9DnTj83/fY72WcWX7YTpgZeBHAeeQOPTZ2KYbFal2gLsar69PgFS0Tom +ESO9M14Yit7mzB1WDK2z9g3r+zLxENdJ5JG/ZskKe+TO4Diqi5OJt/h8yspS1ck8 +LJtCole9919umByg5oruflqIlQIDAQABozUwMzALBgNVHQ8EBAMCAgQwDAYDVR0T +BAUwAwEB/zAWBgNVHREEDzANggtjYS5pc3Rpby5pbzANBgkqhkiG9w0BAQsFAAOC +AQEAltHEhhyAsve4K4bLgBXtHwWzo6SpFzdAfXpLShpOJNtQNERb3qg6iUGQdY+w +A2BpmSkKr3Rw/6ClP5+cCG7fGocPaZh+c+4Nxm9suMuZBZCtNOeYOMIfvCPcCS+8 +PQ/0hC4/0J3WJKzGBssaaMufJxzgFPPtDJ998kY8rlROghdSaVt423/jXIAYnP3Y +05n8TGERBj7TLdtIVbtUIx3JHAo3PWJywA6mEDovFMJhJERp9sDHIr1BbhXK1TFN +Z6HNH6gInkSSMtvC4Ptejb749PTaePRPF7ID//eq/3AH8UK50F3TQcLjEqWUsJUn +aFKltOc+RAjzDklcUPeG4Y6eMA== +-----END CERTIFICATE----- diff --git a/istio-1.0.4/samples/certs/root-cert.pem b/istio-1.0.4/samples/certs/root-cert.pem new file mode 100644 index 0000000..64c3fd5 --- /dev/null +++ b/istio-1.0.4/samples/certs/root-cert.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7TCCAtWgAwIBAgIJAOIRDhOcxsx6MA0GCSqGSIb3DQEBCwUAMIGLMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vubnl2YWxl +MQ4wDAYDVQQKDAVJc3RpbzENMAsGA1UECwwEVGVzdDEQMA4GA1UEAwwHUm9vdCBD +QTEiMCAGCSqGSIb3DQEJARYTdGVzdHJvb3RjYUBpc3Rpby5pbzAgFw0xODAxMjQx +OTE1NTFaGA8yMTE3MTIzMTE5MTU1MVowgYsxCzAJBgNVBAYTAlVTMRMwEQYDVQQI +DApDYWxpZm9ybmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxDjAMBgNVBAoMBUlzdGlv +MQ0wCwYDVQQLDARUZXN0MRAwDgYDVQQDDAdSb290IENBMSIwIAYJKoZIhvcNAQkB +FhN0ZXN0cm9vdGNhQGlzdGlvLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA38uEfAatzQYqbaLou1nxJ348VyNzumYMmDDt5pbLYRrCo2pS3ki1ZVDN +8yxIENJFkpKw9UctTGdbNGuGCiSDP7uqF6BiVn+XKAU/3pnPFBbTd0S33NqbDEQu +IYraHSl/tSk5rARbC1DrQRdZ6nYD2KrapC4g0XbjY6Pu5l4y7KnFwSunnp9uqpZw +uERv/BgumJ5QlSeSeCmhnDhLxooG8w5tC2yVr1yDpsOHGimP/mc8Cds4V0zfIhQv +YzfIHphhE9DKjmnjBYLOdj4aycv44jHnOGc+wvA1Jqsl60t3wgms+zJTiWwABLdw +zgMAa7yxLyoV0+PiVQud6k+8ZoIFcwIDAQABo1AwTjAdBgNVHQ4EFgQUOUYGtUyh +euxO4lGe4Op1y8NVoagwHwYDVR0jBBgwFoAUOUYGtUyheuxO4lGe4Op1y8NVoagw +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEANXLyfAs7J9rmBamGJvPZ +ltx390WxzzLFQsBRAaH6rgeipBq3dR9qEjAwb6BTF+ROmtQzX+fjstCRrJxCto9W +tC8KvXTdRfIjfCCZjhtIOBKqRxE4KJV/RBfv9xD5lyjtCPCQl3Ia6MSf42N+abAK +WCdU6KCojA8WB9YhSCzza3aQbPTzd26OC/JblJpVgtus5f8ILzCsz+pbMimgTkhy +AuhYRppJaQ24APijsEC9+GIaVKPg5IwWroiPoj+QXNpshuvqVQQXvGaRiq4zoSnx +xAJz+w8tjrDWcf826VN14IL+/Cmqlg/rIfB5CHdwVIfWwpuGB66q/UiPegZMNs8a +3g== +-----END CERTIFICATE----- diff --git a/istio-1.0.4/samples/health-check/liveness-command.yaml b/istio-1.0.4/samples/health-check/liveness-command.yaml new file mode 100644 index 0000000..61d6033 --- /dev/null +++ b/istio-1.0.4/samples/health-check/liveness-command.yaml 
@@ -0,0 +1,54 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Liveness service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: liveness + labels: + app: liveness +spec: + ports: + - port: 80 + name: http + selector: + app: liveness +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: liveness +spec: + template: + metadata: + labels: + app: liveness + spec: + containers: + - name: liveness + image: k8s.gcr.io/busybox + args: + - /bin/sh + - -c + - touch /tmp/healthy; sleep 3600 + livenessProbe: + exec: + command: + - cat + - /tmp/healthy + initialDelaySeconds: 5 + periodSeconds: 5 diff --git a/istio-1.0.4/samples/health-check/liveness-http.yaml b/istio-1.0.4/samples/health-check/liveness-http.yaml new file mode 100644 index 0000000..8e44959 --- /dev/null +++ b/istio-1.0.4/samples/health-check/liveness-http.yaml 
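Review bot: The container image is `k8s.gcr.io/busybox` with no tag or digest, so the pod runs whatever the default tag resolves to at pull time. The same applies to `istio/examples-helloworld-v1` and `-v2` in `helloworld.yaml`, to `docker.io/citizenstig/httpbin` in `httpbin.yaml` (apparently an individual's Docker Hub namespace), and to `istio/fortio:latest_release` in `fortio-deploy.yaml`, which also sets `imagePullPolicy: Always`. Pinning each to an immutable reference of the form `image: <repository>@sha256:<digest>` keeps the deployed content equal to what was reviewed.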
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: liveness-http
+ labels:
+ app: liveness-http
+spec:
+ ports:
+ - name: http
+ port: 8001
+ selector:
+ app: liveness-http
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: liveness-http
+spec:
+ template:
+ metadata:
+ labels:
+ app: liveness-http
+ version: v1
+ spec:
+ containers:
+ - name: liveness-http
+ image: docker.io/istio/health:example
+ ports:
+ - containerPort: 8001
+ livenessProbe:
+ httpGet:
+ path: /foo
+ port: 8002
+ initialDelaySeconds: 5
+ periodSeconds: 5
diff --git a/istio-1.0.4/samples/helloworld/README.md b/istio-1.0.4/samples/helloworld/README.md
new file mode 100644
index 0000000..4a2e59c
--- /dev/null
+++ b/istio-1.0.4/samples/helloworld/README.md
@@ -0,0 +1,67 @@ +# Helloworld service + +This sample runs two versions of a simple helloworld service that return their +version and instance (hostname) when called. It's used to demonstrate canary deployments +working in conjunction with autoscaling. +See [Canary deployments using Istio](https://istio.io/blog/2017/0.1-canary.html). + +## Start the services + +If you don't have [automatic sidecar injection](https://istio.io/docs/setup/kubernetes/sidecar-injection.html#automatic-sidecar-injection) +set in your cluster you will need to manually inject it to the services: + +```bash +istioctl kube-inject -f helloworld.yaml -o helloworld-istio.yaml +``` + +Note that Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) +only work if all containers in the pods requests cpu. In this sample the deployment +containers within the `helloworld.yaml` are pre-defined with the request. The (manually/automatically) +injected istio-proxy containers also have the requests cpu therefore making the `helloworld` +ready for autoscaling. + +Now create the deployment using the updated yaml file: + +```bash +kubectl create -f helloworld-istio.yaml +``` + +Follow the [instructions](https://preliminary.istio.io/docs/tasks/traffic-management/ingress.html#determining-the-ingress-ip-and-ports) to set the INGRESS_HOST and INGRESS_PORT variables then confirm it's running using curl. 
+ +```bash +export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT +curl http://$GATEWAY_URL/hello +``` + +## Autoscale the services + +Enable autoscale on both services: + +```bash +kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10 +kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10 +kubectl get hpa +``` + +## Generate load + +```bash +./loadgen.sh & +./loadgen.sh & # run it twice to generate lots of load +``` + +Wait for about 2min and check the number of replicas: + +```bash +kubectl get hpa +``` + +If autoscaler is functioning correctly the `REPLICAS` column should have a +value > 1. + +## Cleanup + +```bash +kubectl delete -f helloworld-istio.yaml +kubectl delete hpa helloworld-v1 helloworld-v2 +``` diff --git a/istio-1.0.4/samples/helloworld/helloworld.yaml b/istio-1.0.4/samples/helloworld/helloworld.yaml new file mode 100644 index 0000000..52baa92 --- /dev/null +++ b/istio-1.0.4/samples/helloworld/helloworld.yaml 
@@ -0,0 +1,90 @@ +apiVersion: v1 +kind: Service +metadata: + name: helloworld + labels: + app: helloworld +spec: + ports: + - port: 5000 + name: http + selector: + app: helloworld +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: helloworld-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: helloworld + version: v1 + spec: + containers: + - name: helloworld + image: istio/examples-helloworld-v1 + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 5000 +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: helloworld-v2 +spec: + replicas: 1 + template: + metadata: + labels: + app: helloworld + version: v2 + spec: + containers: + - name: helloworld + image: istio/examples-helloworld-v2 + resources: + requests: + cpu: "100m" + imagePullPolicy: IfNotPresent #Always + ports: + - containerPort: 5000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: helloworld-gateway +spec: + selector: + istio: ingressgateway # use istio default controller + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: helloworld +spec: + hosts: + - "*" + gateways: + - helloworld-gateway + http: + - match: + - uri: + exact: /hello + route: + - destination: + host: helloworld + port: + number: 5000 diff --git a/istio-1.0.4/samples/httpbin/README.md b/istio-1.0.4/samples/httpbin/README.md new file mode 100644 index 0000000..a66878b --- /dev/null +++ b/istio-1.0.4/samples/httpbin/README.md 
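Review bot: Both `helloworld-gateway` and the `helloworld` VirtualService declare `hosts: - "*"` on plain HTTP port 80, so `/hello` is served for every hostname that reaches the shared `istio: ingressgateway`, and the wildcard can collide with other virtual services bound to that gateway. Outside a throwaway cluster I would name the host in both resources, e.g. `- "helloworld.example.com"` (placeholder), and expose it through a TLS server entry instead of `protocol: HTTP`. A one-line comment above the Gateway, `# wildcard host and cleartext HTTP: demo only`, would make the intent clear to anyone copying the file.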
@@ -0,0 +1,30 @@ +# Httpbin service + +This sample runs [httpbin](https://httpbin.org) as an Istio service. +Httpbin is a well known HTTP testing service that can be used for experimenting +with all kinds of Istio features. + +To use it: + +1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html). + +2. Start the httpbin service inside the Istio service mesh: + + ```bash + kubectl apply -f <(istioctl kube-inject -f httpbin.yaml) + ``` + +Because the httpbin service is not exposed outside of the cluster +we cannot _curl_ it directly, however we can verify that it is working correctly using +a _curl_ command against `httpbin:8000` *from inside the cluster* using the public _dockerqa/curl_ +image from the Docker hub: + +```bash +kubectl run -i --rm --restart=Never dummy --image=dockerqa/curl:ubuntu-trusty --command -- curl --silent httpbin:8000/html +kubectl run -i --rm --restart=Never dummy --image=dockerqa/curl:ubuntu-trusty --command -- curl --silent httpbin:8000/status/500 +time kubectl run -i --rm --restart=Never dummy --image=dockerqa/curl:ubuntu-trusty --command -- curl --silent httpbin:8000/delay/5 +``` + +Alternatively, you can test the httpbin service by +[configuring an ingress resource](https://istio.io/docs/tasks/traffic-management/ingress.html) or +by starting the [sleep service](../sleep) and calling httpbin from it. diff --git a/istio-1.0.4/samples/httpbin/destinationpolicies/httpbin-circuit-breaker.yaml b/istio-1.0.4/samples/httpbin/destinationpolicies/httpbin-circuit-breaker.yaml new file mode 100644 index 0000000..f144d2b --- /dev/null +++ b/istio-1.0.4/samples/httpbin/destinationpolicies/httpbin-circuit-breaker.yaml 
@@ -0,0 +1,18 @@ +apiVersion: config.istio.io/v1alpha1 +kind: DestinationPolicy +metadata: + name: httpbin-circuit-breaker +spec: + destination: + name: httpbin + labels: + version: v1 + circuitBreaker: + simpleCb: + maxConnections: 1 + httpMaxPendingRequests: 1 + sleepWindow: 3m + httpDetectionInterval: 1s + httpMaxEjectionPercent: 100 + httpConsecutiveErrors: 1 + httpMaxRequestsPerConnection: 1 diff --git a/istio-1.0.4/samples/httpbin/httpbin.yaml b/istio-1.0.4/samples/httpbin/httpbin.yaml new file mode 100644 index 0000000..407c124 --- /dev/null +++ b/istio-1.0.4/samples/httpbin/httpbin.yaml @@ -0,0 +1,48 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# httpbin service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: httpbin + labels: + app: httpbin +spec: + ports: + - name: http + port: 8000 + selector: + app: httpbin +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: httpbin +spec: + replicas: 1 + template: + metadata: + labels: + app: httpbin + version: v1 + spec: + containers: + - image: docker.io/citizenstig/httpbin + imagePullPolicy: IfNotPresent + name: httpbin + ports: + - containerPort: 8000 
diff --git a/istio-1.0.4/samples/httpbin/routerules/httpbin-v1.yaml b/istio-1.0.4/samples/httpbin/routerules/httpbin-v1.yaml new file mode 100644 index 0000000..99100e7 --- /dev/null +++ b/istio-1.0.4/samples/httpbin/routerules/httpbin-v1.yaml @@ -0,0 +1,11 @@ +apiVersion: config.istio.io/v1alpha1 +kind: RouteRule +metadata: + name: httpbin-default-v1 +spec: + destination: + name: httpbin + precedence: 1 + route: + - labels: + version: v1 \ No newline at end of file diff --git a/istio-1.0.4/samples/httpbin/sample-client/fortio-deploy.yaml b/istio-1.0.4/samples/httpbin/sample-client/fortio-deploy.yaml new file mode 100644 index 0000000..68bff1c --- /dev/null +++ b/istio-1.0.4/samples/httpbin/sample-client/fortio-deploy.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: fortio-deploy +spec: + replicas: 1 + template: + metadata: + labels: + app: fortio + spec: + containers: + - name: fortio + image: istio/fortio:latest_release + imagePullPolicy: Always + ports: + - containerPort: 8080 + name: http-fortio + - containerPort: 8079 + name: grpc-ping diff --git a/istio-1.0.4/samples/https/default.conf b/istio-1.0.4/samples/https/default.conf new file mode 100644 index 0000000..4a5b420 --- /dev/null +++ b/istio-1.0.4/samples/https/default.conf @@ -0,0 +1,10 @@ +server { + listen 443 ssl; + + root /usr/share/nginx/html; + index index.html; + + server_name localhost; + ssl_certificate /etc/nginx/ssl/tls.crt; + ssl_certificate_key /etc/nginx/ssl/tls.key; +} diff --git a/istio-1.0.4/samples/https/nginx-app.yaml b/istio-1.0.4/samples/https/nginx-app.yaml new file mode 100644 index 0000000..aece09e --- /dev/null +++ b/istio-1.0.4/samples/https/nginx-app.yaml 
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Service +metadata: + name: my-nginx + labels: + app: nginx +spec: + type: NodePort + ports: + - port: 443 + name: https + selector: + app: nginx +--- +apiVersion: v1 +kind: ReplicationController +metadata: + name: my-nginx +spec: + replicas: 1 + template: + metadata: + labels: + app: nginx + spec: + volumes: + - name: secret-volume + secret: + secretName: nginxsecret + - name: configmap-volume + configMap: + name: nginxconfigmap + containers: + - name: nginxhttps + image: ymqytw/nginxhttps:1.5 + command: ["/home/auto-reload-nginx.sh"] + ports: + - containerPort: 443 + volumeMounts: + - mountPath: /etc/nginx/ssl + name: secret-volume + - mountPath: /etc/nginx/conf.d + name: configmap-volume diff --git a/istio-1.0.4/samples/kubernetes-blog/bookinfo-ratings.yaml b/istio-1.0.4/samples/kubernetes-blog/bookinfo-ratings.yaml new file mode 100644 index 0000000..a0197e4 --- /dev/null +++ b/istio-1.0.4/samples/kubernetes-blog/bookinfo-ratings.yaml 
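Review bot: `type: NodePort` publishes port 443 of `my-nginx` on every node, a path that does not pass through the Istio ingress gateway or any policy attached to it. If node-level exposure is not needed for the exercise, `type: ClusterIP` behind a Gateway is the narrower choice. The container runs `ymqytw/nginxhttps:1.5` with `command: ["/home/auto-reload-nginx.sh"]`, a script that lives inside the image, so what executes next to the mounted `nginxsecret` key material cannot be reviewed from this manifest. Pinning the image by digest, `image: ymqytw/nginxhttps@sha256:<digest>`, at least fixes which build that is.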
@@ -0,0 +1,49 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Ratings service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: ratings-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: ratings + version: v1 + spec: + containers: + - name: ratings + image: istio/examples-bookinfo-ratings-v1:0.2.3 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/kubernetes-blog/bookinfo-reviews-v2.yaml b/istio-1.0.4/samples/kubernetes-blog/bookinfo-reviews-v2.yaml new file mode 100644 index 0000000..c8819f5 --- /dev/null +++ b/istio-1.0.4/samples/kubernetes-blog/bookinfo-reviews-v2.yaml 
@@ -0,0 +1,36 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Reviews service v2 +################################################################################################## +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: reviews-v2 +spec: + replicas: 1 + template: + metadata: + labels: + app: reviews + version: v2 + spec: + containers: + - name: reviews + image: istio/examples-bookinfo-reviews-v2:0.2.3 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/kubernetes-blog/bookinfo-v1.yaml b/istio-1.0.4/samples/kubernetes-blog/bookinfo-v1.yaml new file mode 100644 index 0000000..c5b4d8f --- /dev/null +++ b/istio-1.0.4/samples/kubernetes-blog/bookinfo-v1.yaml 
@@ -0,0 +1,119 @@ +# Copyright 2017 Istio Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################################################## +# Details service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: details-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: details + version: v1 + spec: + containers: + - name: details + image: istio/examples-bookinfo-details-v1:0.2.3 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- +################################################################################################## +# Reviews service +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: reviews + labels: + app: reviews +spec: + ports: + - port: 9080 + name: http + selector: + app: reviews +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: reviews-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: reviews + version: v1 + spec: + containers: + - name: reviews + image: istio/examples-bookinfo-reviews-v1:0.2.3 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 
9080 +--- +################################################################################################## +# Productpage services +################################################################################################## +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage +spec: + ports: + - port: 9080 + name: http + selector: + app: productpage +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: productpage-v1 +spec: + replicas: 1 + template: + metadata: + labels: + app: productpage + version: v1 + spec: + containers: + - name: productpage + image: istio/examples-bookinfo-productpage-v1:0.2.3 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 +--- diff --git a/istio-1.0.4/samples/rawvm/README.md b/istio-1.0.4/samples/rawvm/README.md new file mode 100644 index 0000000..a059fb9 --- /dev/null +++ b/istio-1.0.4/samples/rawvm/README.md 
@@ -0,0 +1,158 @@ + +# RawVM in Istio 0.2 demo notes + +## MySQL Installation: + +### Official oracle version +```shell +wget https://dev.mysql.com/get/mysql-apt-config_0.8.7-1_all.deb +sudo dpkg -i mysql-apt-config_0.8.7-1_all.deb +# Select server 5.7 (default), tools and previews not needed/disabled +sudo apt-get update +sudo apt-get install mysql-server +# Clearly this is insecure, don't do that for prod ! +sudo mysql + ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password'; + # Remote 'root' can read test.*, to avoid + # ERROR 1130 (HY000): Host '...' is not allowed to connect to this MySQL server + create user 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'password'; + GRANT SELECT ON test.* TO 'root'@'%'; +# Create tables : +mysql -u root -h 127.0.0.1 --password=password < ~/github/istio/samples/bookinfo/src/mysql/mysqldb-init.sql +# And to be able to connect remotely (only needed to test before injection) +sudo vi /etc/mysql/mysql.conf.d/mysqld.cnf +# comment out: +#bind-address = 127.0.0.1 +sudo service mysql restart +# check it's now binding on * +$ sudo lsof -i :3306 +COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME +mysqld 29145 mysql 31u IPv6 168376 0t0 TCP *:mysql (LISTEN) +# from another host, verify it works: +ldemailly@benchmark-2:~$ mysql -u root -h instance-1 --password=password test -e "select * from ratings" +mysql: [Warning] Using a password on the command line interface can be insecure. 
++----------+--------+ +| ReviewID | Rating | ++----------+--------+ +| 1 | 5 | +| 2 | 6 | ++----------+--------+ +# for low volume troubleshooting: +mysql -u root -h instance-1 --password=password + SET global general_log_file='/tmp/mysqlquery.log'; + SET global general_log = 1; +# then +tail -f /tmp/mysqlquery.log +``` + +### Or +sudo apt-get mariadb-server + +TODO: figure out equivalent of above for mariadb + +https://stackoverflow.com/questions/28068155/access-denied-for-user-rootlocalhost-using-password-yes-after-new-instal + + +## Sidecar +See +https://github.com/istio/proxy/tree/master/tools/deb + +## Bookinfo with MySql in k8s: + +You need 5 nodes in your cluster to add mysql (until we tune the requests) +``` +# source istio.VERSION +wget https://storage.googleapis.com/istio-artifacts/pilot/$PILOT_TAG/artifacts/istioctl/istioctl-osx +chmod 755 istioctl-osx +./istioctl-osx kube-inject --hub $PILOT_HUB --tag $PILOT_TAG -f samples/bookinfo/kube/bookinfo.yaml > bookinfo-istio.yaml +kubectl apply -f bookinfo-istio.yaml +./istioctl-osx kube-inject --hub $PILOT_HUB --tag $PILOT_TAG -f samples/bookinfo/kube/bookinfo-mysql.yaml > bookinfo-mysql-istio.yaml +kubectl apply -f bookinfo-mysql-istio.yaml +./istioctl-osx kube-inject --hub $PILOT_HUB --tag $PILOT_TAG -f samples/bookinfo/kube/bookinfo-ratings-v2.yaml > bookinfo-ratings-v2-istio.yaml +kubectl apply -f bookinfo-ratings-v2-istio.yaml +# use it (ratings v2 and mysql) +kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-mysql.yaml +# wait a bit / reload product page +# see mysql in grafana and 5,6 stars +kubectl port-forward mysqldb-v1-325529163-9x1r0 3306:3306 # use actual mysql pod +mysql -u root -h 127.0.0.1 --password=password test + select * from ratings; + update ratings set rating=3 where reviewid=1; +# see first rating change to 3 stars + +# for metrics: +fortio load -t 1m http://$INGRESS_IP/productpage +``` +## Move MySQL to VM +1. 
remove the k8s based service + ``` + kubectl delete svc mysqldb + ``` +2. observe `product ratings not available` when re-loading the page +3. register the VM instead: + ``` + $ ./istioctl-osx register mysqldb 10.138.0.13 3306 +I0904 11:12:56.785430 34562 register.go:44] Registering for service 'mysqldb' ip '10.138.0.13', ports list [{3306 mysql}] +I0904 11:12:56.785536 34562 register.go:49] 0 labels ([]) and 1 annotations ([alpha.istio.io/kubernetes-serviceaccounts=default]) +W0904 11:12:56.887017 34562 register.go:123] Got 'services "mysqldb" not found' looking up svc 'mysqldb' in namespace 'default', attempting to create it +W0904 11:12:56.938721 34562 register.go:139] Got 'endpoints "mysqldb" not found' looking up endpoints for 'mysqldb' in namespace 'default', attempting to create them +I0904 11:12:57.055643 34562 register.go:180] No pre existing exact matching ports list found, created new subset {[{10.138.0.13 nil}] [] [{mysql 3306 }]} +I0904 11:12:57.090739 34562 register.go:191] Successfully updated mysqldb, now with 1 endpoints + ``` +4. check the registration: + ``` + $ kubectl get svc mysqldb -o yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + alpha.istio.io/kubernetes-serviceaccounts: default + creationTimestamp: 2017-09-04T18:12:56Z + name: mysqldb + namespace: default + resourceVersion: "464459" + selfLink: /api/v1/namespaces/default/services/mysqldb + uid: ad746e4c-919c-11e7-9a62-42010a8a004e +spec: + clusterIP: 10.31.253.143 + ports: + - name: mysql + port: 3306 + protocol: TCP + targetPort: 3306 + sessionAffinity: None + type: ClusterIP +status: + loadBalancer: {} + ``` + +## Build debian packages + +Prereq: + +Linux ubuntu xenial, docker, go 1.8, bazel, ... 
(the packages listed at https://github.com/istio/istio/blob/master/devel/README.md#collection-of-scripts-and-notes-for-developing-for-istio ) + +ps: for docker - remember to "docker ps" and it should work/not error out and not require sudo, if it doesn't work add your username to /etc/group docker + +For gcloud ( https://cloud.google.com/sdk/docs/quickstart-debian-ubuntu ): +```shell +export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)" +echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list +curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - +sudo apt-get update && sudo apt-get install google-cloud-sdk +gcloud init +sudo apt-get install kubectl +gcloud container clusters get-credentials demo-1 --zone us-west1-b --project istio-demo-0-2 +``` + +Note to install rbac yaml you need: +``` +kubectl create clusterrolebinding my-admin-access --clusterrole cluster-admin --user USERNAME +``` + +Then: + +``` +git clone https://github.com/istio/proxy.git -b rawvm-demo-0-2-2 +tools/deb/test/build_all.sh +``` diff --git a/istio-1.0.4/samples/sleep/README.md b/istio-1.0.4/samples/sleep/README.md new file mode 100644 index 0000000..982725f --- /dev/null +++ b/istio-1.0.4/samples/sleep/README.md 
@@ -0,0 +1,29 @@ +# Simple sleep service + +This sample consists of a simple service that does nothing but sleep. +It's a ubuntu container with curl installed that can be used as a request source for invoking other services +to experiment with Istio networking. +To use it: + +1. Install Istio by following the [istio install instructions](https://istio.io/docs/setup/kubernetes/quick-start.html). + +2. Start the sleep service: + + ```bash + kubectl apply -f <(istioctl kube-inject -f sleep.yaml) + ``` + + Note that if you also want to be able to directly call + external services, you'll need to set the `--includeIPRanges` option of `kube-inject`. + See [configuring egress](https://istio.io/docs/tasks/traffic-management/egress.html) for details. + +3. Start some other services, for example, the [Bookinfo sample](https://istio.io/docs/guides/bookinfo.html). + +Now you can `kubectl exec` into the sleep service to experiment with Istio. +For example, the following commands can be used to call the Bookinfo `ratings` service: + +``` +export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) +kubectl exec -it $SLEEP_POD -c sleep curl http://ratings.default.svc.cluster.local:9080/ratings +{"Reviewer1":5,"Reviewer2":4} +``` diff --git a/istio-1.0.4/samples/sleep/sleep.yaml b/istio-1.0.4/samples/sleep/sleep.yaml new file mode 100644 index 0000000..20ca3be --- /dev/null +++ b/istio-1.0.4/samples/sleep/sleep.yaml 
@@ -0,0 +1,47 @@
+# Copyright 2017 Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# Sleep service
+##################################################################################################
+apiVersion: v1
+kind: Service
+metadata:
+ name: sleep
+ labels:
+ app: sleep
+spec:
+ ports:
+ - port: 80
+ name: http
+ selector:
+ app: sleep
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: sleep
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: sleep
+ spec:
+ containers:
+ - name: sleep
+ image: pstauffer/curl
+ command: ["/bin/sleep", "3650d"]
+ imagePullPolicy: IfNotPresent
+---
diff --git a/istio-1.0.4/samples/websockets/README.md b/istio-1.0.4/samples/websockets/README.md
new file mode 100644
index 0000000..a0e4430
--- /dev/null
+++ b/istio-1.0.4/samples/websockets/README.md
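Review bot: The sleep Deployment's `image: pstauffer/curl` carries no tag or digest, so it resolves to `latest` from a third-party registry account, and with `imagePullPolicy: IfNotPresent` each node keeps running whatever it happened to pull first. Since this pod exists to be `kubectl exec`'d into as a request source inside the mesh, I would pin it by digest, e.g. `image: pstauffer/curl@sha256:<digest-placeholder>`, and add a comment saying the image is for experiments only. The same applies to `image: hiroakis/tornado-websocket-example` in samples/websockets/app.yaml.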
@@ -0,0 +1,38 @@ +# Tornado - Demo Websockets App + +This is a sample application that demonstrates the use of an upgraded websockets connection on an ingress traffic when using Istio `VirtualService`. +The `app.yaml` creates a Kubernetes `Service` and a `Deployment` that is based on an existing Docker image for [Hiroakis's Tornado Websocket Example](https://github.com/hiroakis/tornado-websocket-example). + +__Notice:__ The addition of websockets upgrade support in v1alpha3 routing rules has only been added after the release of `Istio v0.8.0`. + +## Prerequisites +- Install Istio by following the [Istio Quick Start](https://istio.io/docs/setup/kubernetes/quick-start.html). + +## Installation +1. First install the application service: + - With manual sidecar injection: + ```command + kubectl create -f <(istioctl kube-inject --debug -f samples/websockets/app.yaml) + ``` + - With automatic sidecar injection: + ```command + kubectl create -f samples/websockets/app.yaml + ``` +2. Create the Ingress `Gateway` and `VirtualService` that enables the upgrade to Websocket for incoming traffic: + ```command + istioctl create -f samples/websockets/route.yaml + ``` + +## Test +- [Find your ingress gateway IP](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports) +- Access http://$GATEWAY_IP/ with your browser +- The `WebSocket status` should show a green `open` status which means that a websocket connection to the server has been established. +To see the websocket in action see the instructions in the _REST API examples_ section of the demo app webpage for updating the server-side data and getting the updated data through the open websocket to the table in the webpage (without refreshing). + +## Cleanup +```command +istioctl delete -f samples/websockets/route.yaml +``` +```command +kubectl delete -f samples/websockets/app.yaml +``` 
diff --git a/istio-1.0.4/samples/websockets/app.yaml b/istio-1.0.4/samples/websockets/app.yaml
new file mode 100644
index 0000000..ab618aa
--- /dev/null
+++ b/istio-1.0.4/samples/websockets/app.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tornado
+ labels:
+ app: tornado
+spec:
+ ports:
+ - port: 8888
+ name: http
+ selector:
+ app: tornado
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: tornado
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: tornado
+ version: v1
+ spec:
+ containers:
+ - name: tornado
+ image: hiroakis/tornado-websocket-example
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8888
+---
diff --git a/istio-1.0.4/samples/websockets/route.yaml b/istio-1.0.4/samples/websockets/route.yaml
new file mode 100644
index 0000000..b9450a9
--- /dev/null
+++ b/istio-1.0.4/samples/websockets/route.yaml
@@ -0,0 +1,33 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: tornado-gateway
+spec:
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: tornado
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - tornado-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: tornado
+ weight: 100
+ websocketUpgrade: true
diff --git a/istio-1.0.4/tools/README.md b/istio-1.0.4/tools/README.md
new file mode 100644
index 0000000..e80b571
--- /dev/null
+++ b/istio-1.0.4/tools/README.md
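Review bot: In route.yaml both the `tornado-gateway` server and the `tornado` VirtualService use `hosts: - "*"` with a `prefix: /` match on plain HTTP port 80, so every request reaching the ingress gateway, whatever its Host header, is routed to the demo app unencrypted. For anything beyond a throwaway cluster I would restrict both lists to the one hostname in use, e.g. `- "tornado.example.test"` (constructed name), and add a comment above `servers:` such as `# demo only: plaintext HTTP, no TLS`. A catch-all VirtualService bound to the shared ingress gateway may also shadow routes defined by other samples, which is presumably not intended.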
@@ -0,0 +1,281 @@ +# Istio Load Testing User Guide +### Introduction +This guide provides step-by-step instructions for using the `setup_perf_cluster.sh` load testing script. +The script deploys a GKE cluster, an Istio service mesh and a GCE VM. The script then runs [Fortio](https://github.com/istio/fortio/#fortio) +on the VM, 2 pods within the cluster (non-Istio) and 2 pods within the Istio mesh. + +It should not be too difficult to adapt the script to other cloud providers or environments and contributions for additional automated setup are welcome. + +The following diagram provides additional details of the deployment and the main 4 istio-ified scenarios (which are ran twice each, once at max qps and once at fixed 400qps): + +![Deployment Diagram](perf_setup.svg) + +The deployment provides a basis for Istio performance characterization. Fortio is used to perform load testing, +graphing results and as a backend echo server. + +### Download a Release or Clone Istio + +It's recommended you use a release (either [official](https://github.com/istio/istio/releases) or [dailies](https://github.com/istio/istio/wiki/Daily-builds)): +``` +curl -L https://git.io/getLatestIstio | sh - # or download the daily TGZ +``` + +From source: +``` +$ git clone https://github.com/istio/istio.git && cd istio +``` + +### Install fortio locally + +Optional but recommended: + +If not already present from building from source, +Install fortio: `go get istio.io/fortio` (so you can run `fortio report` to visualize the results) + +### Prepare the Istio Deployment Manifest and Istio Client + +__Option A:__ (From release) Make sure `istioctl` is in your path is the one matching the downloaded release. 
+ +For instance, in `~/tmp/istio-0.6.0/` run: +``` +export PATH=`pwd`/bin:$PATH +# check 'which istioctl' and 'istioctl version' returns the correct version +``` +For versions before 0.5.0 (the tools/ directory is now part of the release) +``` +$ ln -s $GOPATH/src/istio.io/istio/tools +``` +If you want to get newer version of the tools, you can `rm -rf tools/` and do the symlink above to use your updated/newer script. + +__Option B:__ (Advanced users, not recommended, from source) Build the deployment manifest and `istioctl` binary: +``` +$ ./install/updateVersion.sh # This step is only needed when using Istio from source and may or may not work/need additional hub/tags/... +``` +Follow the steps in the [Developer Guide](https://github.com/istio/istio/wiki/Dev-Guide) to build the `istioctl` binary. +Make sure the binary is first in to your PATH. +Make sure it does `istioctl kube-inject` producing the HUB/TAG you expect. + +### Set Your Google Cloud Credentials (optional/one time setup) +This is not necessary if you already have working `gcloud` commands and you +did `gcloud auth login` at least once. +``` +$ gcloud auth login +# Or +$ export GOOGLE_APPLICATION_CREDENTIALS=/my/gce/creds.json +``` +If you do not have a Google Cloud account, [set one up](https://cloud.google.com/). + +### Optional: Customize the Deployment +The `setup_perf_cluster.sh` script can be customized. View the script and modify the default variables if needed. +For example, to update the default gcloud zone (us-east4-b): +``` +$ export ZONE=us-west1-a +``` +If you change either the `PROJECT` or the `ZONE`, make sure to run `update_gcp_opts` before calling the other functions. + +The script tries to guess your `PROJECT` but it's safer to set it explicitly. 
(and use a new empty project if possible) + +### Source the Script +``` +# Set PROJECT and ZONE first then +$ source tools/setup_perf_cluster.sh +``` +__Note:__ `setup_perf_cluster.sh` can be used as a script or sourced and functions called interactively. + +Inside Google, you may need to rerun setup_vm_firewall multiple times. + +### Run the Functions +The output of `source tools/setup_perf_cluster.sh` provides a list of available functions or +you can view the functions from within the `setup_perf_cluster.sh` script. The most common workflow is: +``` +$ setup_all +Obtaining latest ubuntu xenial image name... (takes a few seconds)... + +### Running: istioctl create -n istio -f tools/cache_buster.yaml +Created config denier/istio/denyall at revision 881 +Created config checknothing/istio/denyrequest at revision 882 +Created config rule/istio/mixercachebuster at revision 883 +``` +The deployment is now complete. You can verify the deployment using standard `kubectl` commands: +``` +$ kubectl get po --all-namespaces +NAMESPACE NAME READY STATUS RESTARTS AGE +fortio fortio1-1966733334-xj5f6 1/1 Running 0 8m +fortio fortio2-3044850348-v5f74 1/1 Running 0 8m +istio-system istio-ca-1363003450-gvtmn 1/1 Running 0 7m +istio-system istio-ingress-1732553340-gv41r 1/1 Running 0 7m +istio-system istio-mixer-3192291716-psskv 3/3 Running 0 8m +istio-system istio-pilot-3663920167-4ns3g 2/2 Running 0 7m + +``` + +Make sure your ingress is ready: +``` +$ kubectl get ing -n istio +NAME HOSTS ADDRESS PORTS AGE +istio-ingress * 35.188.254.231 80 1m +``` + +You can now run the performance tests, either from the command line or interactively using the UIs (see next section). 
+For command lines there are a couple of examples in the `run_tests` functions, it will run 4 tests +and start fortio report so you can graph the result on [http://localhost:8080/](http://localhost:8080/) + +``` +$ run_tests ++++ VM Ip is 35.199.55.254 - visit (http on port 443 is not a typo:) http://35.199.55.254:443/fortio/ ++++ In k8s fortio external ip: http://35.199.37.178:8080/fortio/ ++++ In k8s non istio ingress: http://35.227.201.148/fortio/ ++++ In k8s istio ingress: http://35.188.241.231/fortio1/fortio/ and fortio2 +Using istio ingress to fortio1: +### Running: curl -s http://35.199.55.254:443/fortio/?labels=ingress+to+f1\&json=on\&save=on\&qps=-1\&t=30s\&c=48\&load=Start\&url=http://35.188.241.231/fortio1/echo | tee ing-to-f1.json | grep ActualQPS + "ActualQPS": 439.8723210634554, +Using istio ingress to fortio2: +### Running: curl -s http://35.199.55.254:443/fortio/?labels=ingress+to+f2\&json=on\&save=on\&qps=-1\&t=30s\&c=48\&load=Start\&url=http://35.188.241.231/fortio2/echo | tee ing-to-f2.json | grep ActualQPS + "ActualQPS": 540.2583184971915, +Using istio f1 to f2: +### Running: curl -s http://35.188.241.231/fortio1/fortio/?labels=f1+to+f2\&json=on\&save=on\&qps=-1\&t=30s\&c=48\&load=Start\&url=http://echosrv2:8080/echo | tee f1-to-f2.json | grep ActualQPS + "ActualQPS": 439.5027107832303, +Using istio f2 to f1: +### Running: curl -s http://35.188.241.231/fortio2/fortio/?labels=f2+to+f1\&json=on\&save=on\&qps=-1\&t=30s\&c=48\&load=Start\&url=http://echosrv1:8080/echo | tee f2-to-f1.json | grep ActualQPS + "ActualQPS": 330.49386695603846, +``` +And then you will see: +![Single Graph Screen Shot](https://user-images.githubusercontent.com/3664595/37693480-231ac8c0-2c7d-11e8-9b3a-4e77a06f2d37.png) +![Multi Graph Screen Shot](https://user-images.githubusercontent.com/3664595/37693481-232efdf4-2c7d-11e8-92b4-8a6e088d3357.png) + + +For comparison and reference you can also run `run_fortio_test1` uses the default loadbalancer and no Istio mesh or Istio 
Ingress Controller. + +The following command tells +Fortio on the VM to run a load test against the Fortio echo server running in the Kubernetes cluster: +``` +### Running: curl http://$VM_URL/fortio/?json=on&qps=-1&t=30s&c=48&load=Start&url=http://$K8S_FORTIO_EXT_IP:8080/echo +``` +The following arguments are passed to the Fortio server running on the GCE VM: + +| Argument | Description | +| --------------------------------------- | --------------------------------------- | +| json=on | Sets output in json format | +| qps=-1 | Requested queries per second to "max" | +| t=30s | Requested duration to run load test | +| c=48 | Number of connections/goroutine/threads | +| qps=-1 | Requested queries per second to "max" | +| load=Start | Tells Fortio to be a load generator | +| url=http://$K8S_FORTIO_EXT_IP:8080/echo | The target to load test | + +You can also run `run_fortio_test2` which uses the Fortio Ingress with no Istio mesh and the same arguments as the first test: +``` +### Running: curl http://$VM_URL/?json=on&qps=-1&t=30s&c=48&load=Start&url=http://$NON_ISTIO_INGRESS/echo +``` + +The tests from `run_tests` uses the Istio Ingress with the same arguments. This is the test that performs load testing +of the Istio service mesh: +``` +### Running: curl http://$VM_URL/?json=on&qps=-1&t=30s&c=48&load=Start&url=http://$ISTIO_INGRESS/fortio1/echo +``` +Compare the test results to understand the load differential between the 3 test cases. + +### Interactive Testing / UI Graphing of results + +Fortio provides a [Web UI](https://github.com/istio/fortio#webgraphical-ui) that +can be used to perform load testing. 
You can call the `get_ips` function to obtain Fortio endpoint information for further load testing: +``` +$ get_ips ++++ VM Ip is $VM_IP - visit http://$VM_URL/ ++++ In k8s fortio external ip: http://$EXTERNAL_IP:8080/fortio/ ++++ In k8s non istio ingress: http://$NON_ISTIO_INGRESS_IP/fortio/ ++++ In k8s istio ingress: http://$ISTIO_INGRESS_IP/fortio1/fortio/ and fortio2 +``` + +Then visit http://$ISTIO_INGRESS_IP/fortio1/fortio/ or http://$ISTIO_INGRESS_IP/fortio2/fortio/ to generate a load +to one of the Fortio echo servers: + +`echosrv1.istio.svc.cluster.local:8080` or `echosrv2.istio.svc.cluster.local:8080`. + +Fortio provides additional load testing capabilities not covered by this document. For more information, refer to the +[Fortio documentation](https://github.com/istio/fortio/blob/master/README.md) + +### Canonical Tests + +There is a set of canonical tests in ```run_canonical_perf_tests.sh``` script that runs tests by changing parameters in +various dimensions: +- Number of clients +- QPS +- Cached v.s. non-cached + +If you have a change that you think might affect performance, then you can run these tests to check the affects. + +To establish a baseline, simply deploy a perf cluster using the instructions above. Then run +```run_canonical_perf_tests.sh``` to establish the baseline. You will see output that looks like this: + +``` +> run_canonical_perf_tests.sh ++++ In k8s istio ingress: http:///fortio1/fortio/ and fortio2 +Running 'canonical+fortio2+echo1+Q100+T1s+C16' and storing results in /tmp/istio_perf.cpxCcs/canonical_fortio2_echo1_Q100_T1s_C16.json ++++ In k8s istio ingress: http:///fortio1/fortio/ and fortio2 +Running 'canonical+fortio2+echo1+Q400+T1s+C16' and storing results in /tmp/istio_perf.cpxCcs/canonical_fortio2_echo1_Q400_T1s_C16.json +... +``` + +You can check the Fortio UI of the respective drivers to see the results. 
Also, you can checkout the raw json files +that gets stored in the temporary folder that is in the output above: + +``` +ls /tmp/istio_perf.cpxCcs/ +canonical_fortio2_echo1_Q1000_T1s_C16.json canonical_fortio2_echo1_Q100_T1s_C20.json canonical_fortio2_echo1_Q1200_T1s_C24.json canonical_fortio2_echo1_Q400_T1s_C16.json +canonical_fortio2_echo1_Q1000_T1s_C20.json canonical_fortio2_echo1_Q100_T1s_C24.json canonical_fortio2_echo1_Q1600_T1s_C16.json canonical_fortio2_echo1_Q400_T1s_C20.json +canonical_fortio2_echo1_Q1000_T1s_C24.json canonical_fortio2_echo1_Q1200_T1s_C16.json canonical_fortio2_echo1_Q1600_T1s_C20.json canonical_fortio2_echo1_Q400_T1s_C24.json +canonical_fortio2_echo1_Q100_T1s_C16.json canonical_fortio2_echo1_Q1200_T1s_C20.json canonical_fortio2_echo1_Q1600_T1s_C24.json out.csv +``` + +You can run `fortio report -data-dir /tmp/istio_perf.cpxCcs/` to see all the results and graph them/compare them by visiting `http://localhost:8080` + +Alternatively, notice the ```out.csv``` file in the folder. This file contains all the data in the individual json files, and can be +imported into a spreadsheet: + + +``` +> cat /tmp/istio_perf.cpxCcs/out.csv +Label,Driver,Target,qps,duration,clients,min,max,avg,p50,p75,p90,p99,p99.9 +canonical,fortio2,echo1,1200,1s,16,0.00243703,0.059164527,0.0134183966225,0.0108966942149,0.01594375,0.02405,0.048646875,0.0575867009348 +canonical,fortio2,echo1,1200,1s,24,0.003420898,0.086621239,0.0248239801951,0.0203296703297,0.0303731343284,0.0494375,0.080344304428,0.085993545542 +... +``` + +To test the affects of your change, simply update your cluster with your binaries by following the +[Developer Guide](https://github.com/istio/istio/blob/master/DEV-GUIDE.md) and rerun the tests again. 
To ensure +you're tracking the results of your changes correctly, you can explicitly specify a label: + +``` +# Notice the "mylabel" parameter below: +# +> run_canonical_perf_tests.sh mylabel ++++ In k8s istio ingress: http:///fortio1/fortio/ and fortio2 +Running 'mylabel+fortio2+echo1+Q400+T1s+C16' and storing results in /tmp/istio_perf.0XuSIH/mylabel_fortio2_echo1_Q400_T1s_C16.json ++++ In k8s istio ingress: http:///fortio1/fortio/ and fortio2 +... +``` + +After the run, you can find the new results both in Fortio UI, and also in the temporary folder: + +``` +> ls /tmp/istio_perf.0XuSIH/ +mylabel_fortio2_echo1_Q1000_T1s_C16.json mylabel_fortio2_echo1_Q100_T1s_C20.json mylabel_fortio2_echo1_Q1200_T1s_C24.json mylabel_fortio2_echo1_Q400_T1s_C16.json +mylabel_fortio2_echo1_Q1000_T1s_C20.json mylabel_fortio2_echo1_Q100_T1s_C24.json mylabel_fortio2_echo1_Q1600_T1s_C16.json mylabel_fortio2_echo1_Q400_T1s_C20.json +mylabel_fortio2_echo1_Q1000_T1s_C24.json mylabel_fortio2_echo1_Q1200_T1s_C16.json mylabel_fortio2_echo1_Q1600_T1s_C20.json mylabel_fortio2_echo1_Q400_T1s_C24.json +mylabel_fortio2_echo1_Q100_T1s_C16.json mylabel_fortio2_echo1_Q1200_T1s_C20.json mylabel_fortio2_echo1_Q1600_T1s_C24.json out.csv +``` + +### Uninstall +Use the `delete_all` function to remove everything done by the `setup_all` function. The following delete functions are used by +`delete_all` and may be called individually: +``` +$ delete_istio +$ delete_cluster +$ delete_vm +$ delete_vm_firewall +``` + +### See also + +[Perf setup FAQ wiki](https://github.com/istio/istio/wiki/Istio-Performance-oriented-setup-FAQ) diff --git a/istio-1.0.4/tools/adsload/adsload.go b/istio-1.0.4/tools/adsload/adsload.go new file mode 100644 index 0000000..bfdeca7 --- /dev/null +++ b/istio-1.0.4/tools/adsload/adsload.go 
@@ -0,0 +1,152 @@ +// Copyright 2018 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +// Will create the specified number of ADS connections to the pilot, and keep +// receiving notifications. This creates a load on pilot - without having to +// run a large number of pods in k8s. +// The clients will use 10.10.x.x addresses - it is possible to create ServiceEntry +// objects so clients get inbound listeners. Otherwise only outbound config will +// be pushed. + +import ( + "flag" + "log" + "net" + "net/http" + _ "net/http/pprof" + "time" + + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_golang/prometheus/promhttp" + + "istio.io/istio/pkg/adsc" +) + +var ( + // For local testing (single pilot) - better to keep it bellow 1000 + // As of Istio1.0.3, with a throttle of 250 qps push time for 1000 is ~15 seconds, + // and with 500 qps push time is 28 seconds. + // + clients = flag.Int("clients", + 1000, + "Number of ads clients.") + + pilotAddr = flag.String("pilot", + "localhost:15010", + "Pilot address. Can be a real pilot exposed for mesh expansion.") + + port = flag.String("port", + ":14000", + "Http port for debug and control.") + + certDir = flag.String("certDir", + "", // /etc/certs", + "Certificate dir. 
Must be set according to mesh expansion docs for testing a meshex pilot.") +) + +func main() { + flag.Parse() + + for i := 0; i < *clients; i++ { + n := i + go runClient(n) + } + http.Handle("/metrics", promhttp.Handler()) + initMetrics() + err := http.ListenAndServe(*port, nil) + if err != nil { + log.Fatal("failed to start monitoring port ", err) + } +} + +var ( + initialConnectz = prometheus.NewHistogram(prometheus.HistogramOpts{ + Name: "connect", + Help: "Initial connection time, in ms", + Buckets: []float64{100, 500, 1000, 2000, 5000, 10000, 20000, 40000}, + }) + + connectedz = prometheus.NewGauge(prometheus.GaugeOpts{ + Name: "connected", + Help: "Connected clients", + }) + + connectTimeoutz = prometheus.NewGauge(prometheus.GaugeOpts{ + Name: "connectTimeout", + Help: "Connect timeouts", + }) + + cfgRecvz = prometheus.NewGaugeVec(prometheus.GaugeOpts{ + Name: "configs", + Help: "Received config types", + }, []string{"type"}) +) + +func initMetrics() { + prometheus.MustRegister(initialConnectz) + prometheus.MustRegister(connectedz) + prometheus.MustRegister(connectTimeoutz) + prometheus.MustRegister(cfgRecvz) +} + +// runClient creates a single long lived connection +func runClient(n int) { + c, err := adsc.Dial(*pilotAddr, *certDir, &adsc.Config{ + IP: net.IPv4(10, 10, byte(n/256), byte(n%256)).String(), + }) + if err != nil { + log.Println("Error connecting ", err) + return + } + + t0 := time.Now() + + c.Watch() + + initialConnect := true + _, err = c.Wait("rds", 30*time.Second) + if err != nil { + log.Println("Timeout receiving RDS") + connectTimeoutz.Add(1) + initialConnect = false + } else { + connectedz.Add(1) + } + + ctime := time.Since(t0) + initialConnectz.Observe(float64(ctime / 1000000)) // ms + + for { + msg, err := c.Wait("", 15*time.Second) + if err == adsc.ErrTimeout { + continue + } + if msg == "close" { + err = c.Reconnect() + if err != nil { + log.Println("Failed to reconnect") + return + } + } + if !initialConnect && msg == "rds" { + // 
This is a delayed initial connect + connectedz.Add(1) + initialConnect = true + } + cfgRecvz.With(prometheus.Labels{"type": msg}).Add(1) + log.Println("Received ", msg) + } +} diff --git a/istio-1.0.4/tools/cache_buster.yaml b/istio-1.0.4/tools/cache_buster.yaml new file mode 100644 index 0000000..7ed8e32 --- /dev/null +++ b/istio-1.0.4/tools/cache_buster.yaml @@ -0,0 +1,31 @@ +apiVersion: "config.istio.io/v1alpha2" +kind: denier +metadata: + name: denyall +spec: + status: + code: 7 + message: Not allowed +--- +apiVersion: "config.istio.io/v1alpha2" +kind: checknothing +metadata: + name: denyrequest +spec: +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: mixercachebuster +spec: + # one direction 1->2 will use the cache, while 2->1 will not use the cache. + # TODO: parametrize the namespace of find a way to get short names to work: + # TODO: this appears to always bust the cache, even if dest is echosrv1 ! + match: destination.service == "echosrv1.istio.svc.cluster.local" && request.headers["x-request-id"] == "foo" + # test that denial does work + # match: destination.service == "echosrv1.istio.svc.cluster.local" && request.headers["x-forwarded-proto"] == "http" && source.service == "echosrv2.istio.svc.cluster.local" + actions: + # handler and instance names default to the rule's namespace. + - handler: denyall.denier + instances: + - denyrequest.checknothing diff --git a/istio-1.0.4/tools/convert_perf_results.py b/istio-1.0.4/tools/convert_perf_results.py new file mode 100644 index 0000000..75df062 --- /dev/null +++ b/istio-1.0.4/tools/convert_perf_results.py 
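Review bot: In adsload.go the blank import of `net/http/pprof` together with `http.ListenAndServe(*port, nil)` serves the profiling handlers and `/metrics` from the default mux on the `-port` default `":14000"`, which binds every interface with no authentication. I would default the flag to loopback, `"localhost:14000"`, and say in its help text that widening the address exposes pprof. Separately, the receive loop in `runClient` only special-cases `adsc.ErrTimeout`; any other error from `c.Wait` falls through to `cfgRecvz.With(...).Add(1)` with whatever `msg` holds, so adding `if err != nil { log.Println("wait failed ", err); return }` after the timeout check looks safer, hedged because the behaviour of `Wait` on a broken stream is not visible in this hunk.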
@@ -0,0 +1,41 @@ +import json +import os +import sys + +target_dir="." + +if len(sys.argv) > 1: + target_dir = sys.argv[1] + +# Converts Fortio result output data into a CSV line. +def csv_line(data): + rawLabels = data['Labels'].split() + + labels = ",".join([l for l in rawLabels if l[0] != 'Q' and l[0] != 'T' and l[0] != 'C']) + + qps = data['RequestedQPS'] + duration = data['RequestedDuration'] + clients = data['NumThreads'] + min = data['DurationHistogram']['Min'] + max = data['DurationHistogram']['Max'] + avg = data['DurationHistogram']['Avg'] + + p50 = [e['Value'] for e in data['DurationHistogram']['Percentiles'] if e['Percentile'] == 50][0] + p75 = [e['Value'] for e in data['DurationHistogram']['Percentiles'] if e['Percentile'] == 75][0] + p90 = [e['Value'] for e in data['DurationHistogram']['Percentiles'] if e['Percentile'] == 90][0] + p99 = [e['Value'] for e in data['DurationHistogram']['Percentiles'] if e['Percentile'] == 99][0] + p99d9 = [e['Value'] for e in data['DurationHistogram']['Percentiles'] if e['Percentile'] == 99.9][0] + + return ("%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s" % (labels, qps, duration, clients, min, max, avg, p50, p75, p90, p99, p99d9)) + +# Print the header line +print "Label,Driver,Target,qps,duration,clients,min,max,avg,p50,p75,p90,p99,p99.9" + +# For each json file in current dir, interpret it as Fortio result json file and print a csv line for it. +for fn in os.listdir(target_dir): + fullfn = os.path.join(target_dir, fn) + if os.path.isfile(fullfn) and fullfn.endswith('.json'): + with open(fullfn) as f: + data = json.load(f) + print csv_line(data) + diff --git a/istio-1.0.4/tools/deb/Dockerfile b/istio-1.0.4/tools/deb/Dockerfile new file mode 100644 index 0000000..4f8a88a --- /dev/null +++ b/istio-1.0.4/tools/deb/Dockerfile 
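Review bot: `csv_line` builds each row with plain `%s` formatting, and `labels` comes straight from the `Labels` field of the input JSON, so a label containing a comma or a quote shifts every later column. A label starting with `=` would also be read as a formula if the CSV is opened in a spreadsheet. The header line only lines up with the rows if exactly three label tokens survive the `Q`/`T`/`C` filter. Writing rows with the standard library handles the quoting: `csv.writer(sys.stdout).writerow(fields)`. The two `print` statements are Python 2 syntax and fail to parse under Python 3; `print(csv_line(data))` works on both.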
@@ -0,0 +1,21 @@
+# Base dockerfile containing ubuntu and istio debian.
+# Can be used for testing
+FROM istionightly/base_debug
+
+# Micro pilot+mock mixer+echo, local kube
+COPY hyperistio kube-apiserver etcd kubectl /usr/local/bin/
+COPY *.yaml /var/lib/istio/config/
+COPY certs/ /var/lib/istio/
+COPY certs/default/* /etc/certs/
+
+COPY istio.deb /tmp
+COPY istio-sidecar.deb /tmp
+COPY deb_test.sh /usr/local/bin/
+
+# Root and istio are not intercepted
+RUN adduser istio-test --system
+
+# Verify the debian files can be installed
+RUN dpkg -i /tmp/istio-sidecar.deb && rm /tmp/istio-sidecar.deb
+RUN dpkg -i /tmp/istio.deb && rm /tmp/istio.deb
+
diff --git a/istio-1.0.4/tools/deb/deb_test.sh b/istio-1.0.4/tools/deb/deb_test.sh
new file mode 100755
index 0000000..e9ce7fb
--- /dev/null
+++ b/istio-1.0.4/tools/deb/deb_test.sh
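Review bot: `FROM istionightly/base_debug` names no tag or digest, so each build pulls whatever nightly image is current and the result is neither reproducible nor auditable. Pinning the base, for example `FROM istionightly/base_debug@sha256:<digest-placeholder>`, fixes the input. `COPY certs/default/* /etc/certs/` also bakes the test key material into an image layer. A comment such as `# Test-only certificates; never publish this image or reuse these keys` above that line would make the intent explicit.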
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# Copyright 2017 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+#
+# Test for istio debian. Will run in a docker image where the .deb has been installed.
+
+function startIstio() {
+ /usr/local/bin/hyperistio --envoy=false &
+ sleep 1
+
+ bash -x /usr/local/bin/istio-start.sh &
+ sleep 1
+}
+
+function istioDebug() {
+ curl localhost:15000/logging?upstream=debug
+ curl localhost:15000/logging?client=debug
+ curl localhost:15000/logging?connection=debug
+ curl localhost:15000/logging?http2=debug
+ curl localhost:15000/logging?grpc=debug
+}
+
+function istioStats() {
+ curl localhost:15000/stats
+
+ # Try to get the endpoints over https
+ curl -k --key tests/testdata/certs/default/key.pem \
+ --cert tests/testdata/certs/default/cert-chain.pem \
+ -v https://istio-pilot.istio-system:15011/debug/endpointz
+}
+
+function istioTest() {
+ # Will go to local machine
+ su -s /bin/bash -c "curl -v byon-docker.test.istio.io:7072" istio-test
+}
diff --git a/istio-1.0.4/tools/deb/envoy_bootstrap_v2.json b/istio-1.0.4/tools/deb/envoy_bootstrap_v2.json
new file mode 100644
index 0000000..e683ec6
--- /dev/null
+++ b/istio-1.0.4/tools/deb/envoy_bootstrap_v2.json
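Review bot: In `istioStats` the `curl -k` call presents the client key and certificate but skips verification of the server certificate, so the test passes against any endpoint that answers on that name and never exercises the server side of the mutual TLS setup. Replacing `-k` with `--cacert <path-to-test-root-cert>` (placeholder; use the root from the same test bundle) would make the check meaningful. The URLs in `istioDebug` contain `?` and are unquoted, so the shell treats them as glob patterns; quote them, e.g. `curl "localhost:15000/logging?upstream=debug"`. The file only defines functions and never calls them, which deserves a one-line comment saying how the script is meant to be driven.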
@@ -0,0 +1,222 @@ +{ + "node": { + "id": "{{ .nodeID }}", + "cluster": "{{ .cluster }}", +{{ if .zone }} + "locality": { + "zone": "{{ .zone }}" + }, +{{ end }} + "metadata": {{ .meta_json_str }} + }, + "stats_config": { + "use_all_default_tags": false, + "stats_tags": [{ + "tag_name": "cluster_name", + "regex": "^cluster\\.((.+?(\\..+?\\.svc\\.cluster\\.local)?)\\.)" + }, + { + "tag_name": "tcp_prefix", + "regex": "^tcp\\.((.*?)\\.)\\w+?$" + }, + { + "tag_name": "response_code", + "regex": "_rq(_(\\d{3}))$" + }, + { + "tag_name": "response_code_class", + "regex": "_rq(_(\\dxx))$" + }, + { + "tag_name": "http_conn_manager_listener_prefix", + "regex": "^listener(?=\\.).*?\\.http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "http_conn_manager_prefix", + "regex": "^http\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + }, + { + "tag_name": "listener_address", + "regex": "^listener\\.(((?:[_.[:digit:]]*|[_\\[\\]aAbBcCdDeEfF[:digit:]]*))\\.)" + } + ] + }, + "admin": { + "access_log_path": "/dev/null", + "address": { + "socket_address": { + "address": "127.0.0.1", + "port_value": 15000 + } + } + }, + "dynamic_resources": { + "lds_config": { + "ads": {} + }, + "cds_config": { + "ads": {} + }, + "ads_config": { + "api_type": "GRPC", + "refresh_delay": "{{ .refresh_delay }}", + "grpc_services": [ + { + "envoy_grpc": { + "cluster_name": "xds-grpc" + } + } + ] + } + }, + "static_resources": { + "clusters": [ + { + "name": "prometheus_stats", + "type": "STATIC", + "connect_timeout": "0.250s", + "lb_policy": "ROUND_ROBIN", + "hosts": [{ + "socket_address": { + "protocol": "TCP", + "address": "127.0.0.1", + "port_value": 15000, + } + }], + }, + { + "name": "xds-grpc", + "type": "STRICT_DNS", + "connect_timeout": "{{ .connect_timeout }}", + "lb_policy": "ROUND_ROBIN", +{{ if eq .config.ControlPlaneAuthPolicy 1 }} + "tls_context": { + "common_tls_context": { + "alpn_protocols": ["h2"], + "tls_certificates": [{ + 
"certificate_chain": { + "filename": "/etc/certs/cert-chain.pem" + }, + "private_key": { + "filename": "/etc/certs/key.pem" + } + }], + "validation_context": { + "trusted_ca": { + "filename": "/etc/certs/root-cert.pem" + }, + "verify_subject_alt_name": [ + {{- range $a, $s := .pilot_SAN }} + "{{$s}}" + {{- end}} + ] + } + } + }, +{{ end }} + "hosts": [ + { + "socket_address": {{ .pilot_grpc_address }} + } + ], + "circuit_breakers": { + "thresholds": [ + { + "priority": "DEFAULT", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + }, + { + "priority": "HIGH", + "max_connections": 100000, + "max_pending_requests": 100000, + "max_requests": 100000 + }] + }, + "upstream_connection_options": { + "tcp_keepalive": { + "keepalive_time": 300 + } + }, + "http2_protocol_options": { } + } + + {{ if .zipkin }} + , + { + "name": "zipkin", + "type": "STRICT_DNS", + "connect_timeout": "1s", + "lb_policy": "ROUND_ROBIN", + "hosts": [ + { + "socket_address": {{ .zipkin }} + } + ] + } + {{ end }} + ], + "listeners":[ + { + "address": { + "socket_address": { + "protocol": "TCP", + "address": "0.0.0.0", + "port_value": 15090, + } + }, + "filter_chains": [{ + "filters": [{ + "name": "envoy.http_connection_manager", + "config": { + "codec_type": "AUTO", + "stat_prefix": "stats", + "route_config": { + "virtual_hosts": [{ + "name": "backend", + "domains": [ + "*" + ], + "routes": [{ + "match": { + "prefix": "/stats/prometheus" + }, + "route": { + "cluster": "prometheus_stats" + } + }] + }] + }, + "http_filters": { + "name": "envoy.router" + } + } + }] + }], + }, + ], + }, + {{ if .zipkin }} + "tracing": { + "http": { + "name": "envoy.zipkin", + "config": { + "collector_cluster": "zipkin" + } + } + }, + {{ end }} + {{ if .statsd }} + "stats_sinks": [ + { + "name": "envoy.statsd", + "config": { + "address": { + "socket_address": {{ .statsd }} + } + } + } + ] + {{ end }} +} 
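Review bot: The `verify_subject_alt_name` array is produced by `{{- range $a, $s := .pilot_SAN }} "{{$s}}" {{- end}}` with no separator, so more than one SAN renders as adjacent strings without commas and the bootstrap stops being valid JSON. This list is what pins the control-plane identity, so it should render correctly for any length: `{{- range $a, $s := .pilot_SAN }}{{ if $a }},{{ end }}"{{$s}}"{{- end}}`. The `prometheus_stats` socket address and the listener block also carry trailing commas (`"port_value": 15000, }`), which a strict JSON parser rejects; whether Envoy's loader tolerates them is not visible from this hunk. A short comment near the `{{ if eq .config.ControlPlaneAuthPolicy 1 }}` guard noting that xDS runs without TLS when the condition is false would help readers of the template.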
diff --git a/istio-1.0.4/tools/deb/istio-auth-node-agent.service b/istio-1.0.4/tools/deb/istio-auth-node-agent.service
new file mode 100644
index 0000000..8728d98
--- /dev/null
+++ b/istio-1.0.4/tools/deb/istio-auth-node-agent.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=istio-auth-node-agent: The Istio auth node agent
+Documentation=https://istio.io/
+
+[Service]
+ExecStart=/usr/local/bin/istio-node-agent-start.sh
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/istio-1.0.4/tools/deb/istio-ca.sh b/istio-1.0.4/tools/deb/istio-ca.sh
new file mode 100755
index 0000000..494785e
--- /dev/null
+++ b/istio-1.0.4/tools/deb/istio-ca.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+#
+# Copyright 2017 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+#
+# Script to configure and start the Istio sidecar.
+
+set -e
+
+# Load optional config variables
+ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-/var/lib/istio/envoy/sidecar.env}
+if [[ -r ${ISTIO_SIDECAR_CONFIG} ]]; then
+ . $ISTIO_SIDECAR_CONFIG
+fi
+
+# Set defaults
+ISTIO_BIN_BASE=${ISTIO_BIN_BASE:-/usr/local/bin}
+ISTIO_LOG_DIR=${ISTIO_LOG_DIR:-/var/log/istio}
+ISTIO_CFG=${ISTIO_CFG:-/var/lib/istio}
+
+# Default kube config for istio components
+# TODO: use different configs, with different service accounts, for ca/pilot/mixer
+KUBECONFIG=${ISTIO_CFG}/kube.config
+
+# TODO: use separate user for ca
+if [ $(id -u) = "0" ] ; then
+ exec su -s /bin/bash -c "${ISTIO_BIN_BASE}/istio_ca --self-signed-ca --kube-config ${KUBECONFIG} 2> ${ISTIO_LOG_DIR}/istio_ca.err.log > ${ISTIO_LOG_DIR}/istio_ca.log" istio-proxy
+else
+ ${ISTIO_BIN_BASE}/istio_ca --self-signed-ca --kube-config ${KUBECONFIG}
+fi
diff --git a/istio-1.0.4/tools/deb/istio-iptables.sh b/istio-1.0.4/tools/deb/istio-iptables.sh
new file mode 100755
index 0000000..6a17d36
--- /dev/null
+++ b/istio-1.0.4/tools/deb/istio-iptables.sh
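Review bot: The command string passed to `su -c` interpolates `${ISTIO_BIN_BASE}`, `${KUBECONFIG}` and `${ISTIO_LOG_DIR}` unquoted, and those values can come from the `sidecar.env` file sourced a few lines earlier while the script is still root. A value containing spaces or shell metacharacters is re-parsed by the inner bash, and the sourced file itself executes as root, so it needs to be root-owned and not writable by other accounts. I would quote the expansions (`. "${ISTIO_SIDECAR_CONFIG}"`, `[ "$(id -u)" = "0" ]`) and state the ownership requirement in a comment above the `.` line. The header comment says the script starts the Istio sidecar while the body starts `istio_ca`; `# Script to configure and start the Istio CA.` would match the code.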
@@ -0,0 +1,334 @@ +#!/bin/bash +# +# Copyright 2017, 2018 Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +# +# Initialization script responsible for setting up port forwarding for Istio sidecar. + +function usage() { + echo "${0} -p PORT -u UID -g GID [-m mode] [-b ports] [-d ports] [-i CIDR] [-x CIDR] [-h]" + echo '' + echo ' -p: Specify the envoy port to which redirect all TCP traffic (default $ENVOY_PORT = 15001)' + echo ' -u: Specify the UID of the user for which the redirection is not' + echo ' applied. Typically, this is the UID of the proxy container' + echo ' (default to uid of $ENVOY_USER, uid of istio_proxy, or 1337)' + echo ' -g: Specify the GID of the user for which the redirection is not' + echo ' applied. (same default value as -u param)' + echo ' -m: The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"' + echo ' (default to $ISTIO_INBOUND_INTERCEPTION_MODE)' + echo ' -b: Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). The' + echo ' wildcard character "*" can be used to configure redirection for all ports. An empty list will disable' + echo ' all inbound redirection (default to $ISTIO_INBOUND_PORTS)' + echo ' -d: Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). Only applies' + echo ' when all inbound traffic (i.e. 
"*") is being redirected (default to $ISTIO_LOCAL_EXCLUDE_PORTS)' + echo ' -i: Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). The wildcard' + echo ' character "*" can be used to redirect all outbound traffic. An empty list will disable all outbound' + echo ' redirection (default to $ISTIO_SERVICE_CIDR)' + echo ' -x: Comma separated list of IP ranges in CIDR form to be excluded from redirection. Only applies when all ' + echo ' outbound traffic (i.e. "*") is being redirected (default to $ISTIO_SERVICE_EXCLUDE_CIDR).' + echo '' + echo 'Using environment variables in $ISTIO_SIDECAR_CONFIG (default: /var/lib/istio/envoy/sidecar.env)' +} + +function dump { + iptables-save +} + +trap dump EXIT + +# Use a comma as the separator for multi-value arguments. +IFS=, + +# The cluster env can be used for common cluster settings, pushed to all VMs in the cluster. +# This allows separating per-machine settings (the list of inbound ports, local path overrides) from cluster wide +# settings (CIDR range) +ISTIO_CLUSTER_CONFIG=${ISTIO_CLUSTER_CONFIG:-/var/lib/istio/envoy/cluster.env} +if [ -r ${ISTIO_CLUSTER_CONFIG} ]; then + . ${ISTIO_CLUSTER_CONFIG} +fi + +ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-/var/lib/istio/envoy/sidecar.env} +if [ -r ${ISTIO_SIDECAR_CONFIG} ]; then + . ${ISTIO_SIDECAR_CONFIG} +fi + +# TODO: load all files from a directory, similar with ufw, to make it easier for automated install scripts +# Ideally we should generate ufw (and similar) configs as well, in case user already has an iptables solution. 
+ +PROXY_PORT=${ENVOY_PORT:-15001} +PROXY_UID= +PROXY_GID= +INBOUND_INTERCEPTION_MODE=${ISTIO_INBOUND_INTERCEPTION_MODE} +INBOUND_TPROXY_MARK=${ISTIO_INBOUND_TPROXY_MARK:-1337} +INBOUND_TPROXY_ROUTE_TABLE=${ISTIO_INBOUND_TPROXY_ROUTE_TABLE:-133} +INBOUND_PORTS_INCLUDE=${ISTIO_INBOUND_PORTS-} +INBOUND_PORTS_EXCLUDE=${ISTIO_LOCAL_EXCLUDE_PORTS-} +OUTBOUND_IP_RANGES_INCLUDE=${ISTIO_SERVICE_CIDR-} +OUTBOUND_IP_RANGES_EXCLUDE=${ISTIO_SERVICE_EXCLUDE_CIDR-} + +while getopts ":p:u:g:m:b:d:i:x:h" opt; do + case ${opt} in + p) + PROXY_PORT=${OPTARG} + ;; + u) + PROXY_UID=${OPTARG} + ;; + g) + PROXY_GID=${OPTARG} + ;; + m) + INBOUND_INTERCEPTION_MODE=${OPTARG} + ;; + b) + INBOUND_PORTS_INCLUDE=${OPTARG} + ;; + d) + INBOUND_PORTS_EXCLUDE=${OPTARG} + ;; + i) + OUTBOUND_IP_RANGES_INCLUDE=${OPTARG} + ;; + x) + OUTBOUND_IP_RANGES_EXCLUDE=${OPTARG} + ;; + h) + usage + exit 0 + ;; + \?) + echo "Invalid option: -$OPTARG" >&2 + usage + exit 1 + ;; + esac +done + +# TODO: more flexibility - maybe a whitelist of users to be captured for output instead of a blacklist. +if [ -z "${PROXY_UID}" ]; then + # Default to the UID of ENVOY_USER and root + PROXY_UID=$(id -u ${ENVOY_USER:-istio-proxy}) + if [ $? -ne 0 ]; then + PROXY_UID="1337" + fi + # If ENVOY_UID is not explicitly defined (as it would be in k8s env), we add root to the list, + # for ca agent. + PROXY_UID=${PROXY_UID},0 +fi +# for TPROXY as its uid and gid are same +if [ -z "${PROXY_GID}" ]; then +PROXY_GID=${PROXY_UID} +fi + + +# Remove the old chains, to generate new configs. +iptables -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND 2>/dev/null +iptables -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND 2>/dev/null +iptables -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT 2>/dev/null + +# Flush and delete the istio chains. 
+iptables -t nat -F ISTIO_OUTPUT 2>/dev/null +iptables -t nat -X ISTIO_OUTPUT 2>/dev/null +iptables -t nat -F ISTIO_INBOUND 2>/dev/null +iptables -t nat -X ISTIO_INBOUND 2>/dev/null +iptables -t mangle -F ISTIO_INBOUND 2>/dev/null +iptables -t mangle -X ISTIO_INBOUND 2>/dev/null +iptables -t mangle -F ISTIO_DIVERT 2>/dev/null +iptables -t mangle -X ISTIO_DIVERT 2>/dev/null +iptables -t mangle -F ISTIO_TPROXY 2>/dev/null +iptables -t mangle -X ISTIO_TPROXY 2>/dev/null + +# Must be last, the others refer to it +iptables -t nat -F ISTIO_REDIRECT 2>/dev/null +iptables -t nat -X ISTIO_REDIRECT 2>/dev/null +iptables -t nat -F ISTIO_IN_REDIRECT 2>/dev/null +iptables -t nat -X ISTIO_IN_REDIRECT 2>/dev/null + +if [ "${1:-}" = "clean" ]; then + echo "Only cleaning, no new rules added" + exit 0 +fi + +# Dump out our environment for debugging purposes. +echo "Environment:" +echo "------------" +echo "ENVOY_PORT=${ENVOY_PORT-}" +echo "ISTIO_INBOUND_INTERCEPTION_MODE=${ISTIO_INBOUND_INTERCEPTION_MODE-}" +echo "ISTIO_INBOUND_TPROXY_MARK=${ISTIO_INBOUND_TPROXY_MARK-}" +echo "ISTIO_INBOUND_TPROXY_ROUTE_TABLE=${ISTIO_INBOUND_TPROXY_ROUTE_TABLE-}" +echo "ISTIO_INBOUND_PORTS=${ISTIO_INBOUND_PORTS-}" +echo "ISTIO_LOCAL_EXCLUDE_PORTS=${ISTIO_LOCAL_EXCLUDE_PORTS-}" +echo "ISTIO_SERVICE_CIDR=${ISTIO_SERVICE_CIDR-}" +echo "ISTIO_SERVICE_EXCLUDE_CIDR=${ISTIO_SERVICE_EXCLUDE_CIDR-}" +echo +echo "Variables:" +echo "----------" +echo "PROXY_PORT=${PROXY_PORT}" +echo "INBOUND_CAPTURE_PORT=${INBOUND_CAPTURE_PORT:-$PROXY_PORT}" +echo "PROXY_UID=${PROXY_UID}" +echo "INBOUND_INTERCEPTION_MODE=${INBOUND_INTERCEPTION_MODE}" +echo "INBOUND_TPROXY_MARK=${INBOUND_TPROXY_MARK}" +echo "INBOUND_TPROXY_ROUTE_TABLE=${INBOUND_TPROXY_ROUTE_TABLE}" +echo "INBOUND_PORTS_INCLUDE=${INBOUND_PORTS_INCLUDE}" +echo "INBOUND_PORTS_EXCLUDE=${INBOUND_PORTS_EXCLUDE}" +echo "OUTBOUND_IP_RANGES_INCLUDE=${OUTBOUND_IP_RANGES_INCLUDE}" +echo "OUTBOUND_IP_RANGES_EXCLUDE=${OUTBOUND_IP_RANGES_EXCLUDE}" +echo + 
+INBOUND_CAPTURE_PORT=${INBOUND_CAPTURE_PORT:-$PROXY_PORT} + +set -o errexit +set -o nounset +set -o pipefail +set -x # echo on + +# Create a new chain for redirecting outbound traffic to the common Envoy port. +# In both chains, '-j RETURN' bypasses Envoy and '-j ISTIO_REDIRECT' +# redirects to Envoy. +iptables -t nat -N ISTIO_REDIRECT +iptables -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port ${PROXY_PORT} + +# Use this chain also for redirecting inbound traffic to the common Envoy port +# when not using TPROXY. +iptables -t nat -N ISTIO_IN_REDIRECT +iptables -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-port ${INBOUND_CAPTURE_PORT} + +# Handling of inbound ports. Traffic will be redirected to Envoy, which will process and forward +# to the local service. If not set, no inbound port will be intercepted by istio iptables. +if [ -n "${INBOUND_PORTS_INCLUDE}" ]; then + if [ "${INBOUND_INTERCEPTION_MODE}" = "TPROXY" ] ; then + # When using TPROXY, create a new chain for routing all inbound traffic to + # Envoy. Any packet entering this chain gets marked with the ${INBOUND_TPROXY_MARK} mark, + # so that they get routed to the loopback interface in order to get redirected to Envoy. + # In the ISTIO_INBOUND chain, '-j ISTIO_DIVERT' reroutes to the loopback + # interface. + # Mark all inbound packets. + iptables -t mangle -N ISTIO_DIVERT + iptables -t mangle -A ISTIO_DIVERT -j MARK --set-mark ${INBOUND_TPROXY_MARK} + iptables -t mangle -A ISTIO_DIVERT -j ACCEPT + + # Route all packets marked in chain ISTIO_DIVERT using routing table ${INBOUND_TPROXY_ROUTE_TABLE}. + ip -f inet rule add fwmark ${INBOUND_TPROXY_MARK} lookup ${INBOUND_TPROXY_ROUTE_TABLE} + # In routing table ${INBOUND_TPROXY_ROUTE_TABLE}, create a single default rule to route all traffic to + # the loopback interface. 
+ ip -f inet route add local default dev lo table ${INBOUND_TPROXY_ROUTE_TABLE} || ip route show table all + + # Create a new chain for redirecting inbound traffic to the common Envoy + # port. + # In the ISTIO_INBOUND chain, '-j RETURN' bypasses Envoy and + # '-j ISTIO_TPROXY' redirects to Envoy. + iptables -t mangle -N ISTIO_TPROXY + iptables -t mangle -A ISTIO_TPROXY ! -d 127.0.0.1/32 -p tcp -j TPROXY --tproxy-mark ${INBOUND_TPROXY_MARK}/0xffffffff --on-port ${PROXY_PORT} + + table=mangle + else + table=nat + fi + iptables -t ${table} -N ISTIO_INBOUND + iptables -t ${table} -A PREROUTING -p tcp -j ISTIO_INBOUND + + if [ "${INBOUND_PORTS_INCLUDE}" == "*" ]; then + # Makes sure SSH is not redirected + iptables -t ${table} -A ISTIO_INBOUND -p tcp --dport 22 -j RETURN + # Apply any user-specified port exclusions. + if [ -n "${INBOUND_PORTS_EXCLUDE}" ]; then + for port in ${INBOUND_PORTS_EXCLUDE}; do + iptables -t ${table} -A ISTIO_INBOUND -p tcp --dport ${port} -j RETURN + done + fi + # Redirect remaining inbound traffic to Envoy. + if [ "${INBOUND_INTERCEPTION_MODE}" = "TPROXY" ]; then + # If an inbound packet belongs to an established socket, route it to the + # loopback interface. + iptables -t mangle -A ISTIO_INBOUND -p tcp -m socket -j ISTIO_DIVERT || echo "No socket match support" + # Otherwise, it's a new connection. Redirect it using TPROXY. + iptables -t mangle -A ISTIO_INBOUND -p tcp -j ISTIO_TPROXY + else + iptables -t nat -A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT + fi + else + # User has specified a non-empty list of ports to be redirected to Envoy. 
+ for port in ${INBOUND_PORTS_INCLUDE}; do + if [ "${INBOUND_INTERCEPTION_MODE}" = "TPROXY" ]; then + iptables -t mangle -A ISTIO_INBOUND -p tcp --dport ${port} -m socket -j ISTIO_DIVERT || echo "No socket match support" + iptables -t mangle -A ISTIO_INBOUND -p tcp --dport ${port} -m socket -j ISTIO_DIVERT || echo "No socket match support" + iptables -t mangle -A ISTIO_INBOUND -p tcp --dport ${port} -j ISTIO_TPROXY + else + iptables -t nat -A ISTIO_INBOUND -p tcp --dport ${port} -j ISTIO_IN_REDIRECT + fi + done + fi +fi + +# TODO: change the default behavior to not intercept any output - user may use http_proxy or another +# iptables wrapper (like ufw). Current default is similar with 0.1 + +# Create a new chain for selectively redirecting outbound packets to Envoy. +iptables -t nat -N ISTIO_OUTPUT + +# Jump to the ISTIO_OUTPUT chain from OUTPUT chain for all tcp traffic. +iptables -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT + +# Redirect app calls to back itself via Envoy when using the service VIP or endpoint +# address, e.g. appN => Envoy (client) => Envoy (server) => appN. +iptables -t nat -A ISTIO_OUTPUT -o lo ! -d 127.0.0.1/32 -j ISTIO_REDIRECT + +for uid in ${PROXY_UID}; do + # Avoid infinite loops. Don't redirect Envoy traffic directly back to + # Envoy for non-loopback traffic. + iptables -t nat -A ISTIO_OUTPUT -m owner --uid-owner ${uid} -j RETURN +done + +for gid in ${PROXY_GID}; do + # Avoid infinite loops. Don't redirect Envoy traffic directly back to + # Envoy for non-loopback traffic. + iptables -t nat -A ISTIO_OUTPUT -m owner --gid-owner ${gid} -j RETURN +done + +# Skip redirection for Envoy-aware applications and +# container-to-container traffic both of which explicitly use +# localhost. +iptables -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN + +# Apply outbound IP exclusions. Must be applied before inclusions. 
+if [ -n "${OUTBOUND_IP_RANGES_EXCLUDE}" ]; then + for cidr in ${OUTBOUND_IP_RANGES_EXCLUDE}; do + iptables -t nat -A ISTIO_OUTPUT -d ${cidr} -j RETURN + done +fi + +# Apply outbound IP inclusions. +if [ "${OUTBOUND_IP_RANGES_INCLUDE}" == "*" ]; then + # Wildcard specified. Redirect all remaining outbound traffic to Envoy. + iptables -t nat -A ISTIO_OUTPUT -j ISTIO_REDIRECT +elif [ -n "${OUTBOUND_IP_RANGES_INCLUDE}" ]; then + # User has specified a non-empty list of cidrs to be redirected to Envoy. + for cidr in ${OUTBOUND_IP_RANGES_INCLUDE}; do + iptables -t nat -A ISTIO_OUTPUT -d ${cidr} -j ISTIO_REDIRECT + done + # All other traffic is not redirected. + iptables -t nat -A ISTIO_OUTPUT -j RETURN +fi + +# If ENABLE_INBOUND_IPV6 is unset (default unset), restrict IPv6 traffic. +set +o nounset +if [ -z "${ENABLE_INBOUND_IPV6}" ]; then + # Drop all inbound traffic except established connections. + # TODO: support receiving IPv6 traffic in the same way as IPv4. + ip6tables -F INPUT || true + ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT || true + ip6tables -A INPUT -j REJECT || true +fi diff --git a/istio-1.0.4/tools/deb/istio-node-agent-start.sh b/istio-1.0.4/tools/deb/istio-node-agent-start.sh new file mode 100755 index 0000000..c9776b0 --- /dev/null +++ b/istio-1.0.4/tools/deb/istio-node-agent-start.sh 
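Review bot: The final IPv6 block runs `ip6tables -F INPUT`, which removes every rule already present in the host's IPv6 INPUT chain, and then hides the result of all three commands behind `|| true`. If `ip6tables` is missing or fails, the script exits normally with inbound IPv6 left unrestricted and nothing logged; as far as this hunk shows, outbound IPv6 is never redirected to Envoy either. I would replace the silent `|| true` with a warning such as `|| echo "WARNING: could not restrict inbound IPv6" >&2` and add a comment stating that the existing INPUT chain is flushed. Separately, the TPROXY branch of the per-port loop appends the identical `--dport ${port} -m socket -j ISTIO_DIVERT` rule twice, and one of the two lines can be dropped.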
@@ -0,0 +1,68 @@ +#!/bin/bash +# +# Copyright 2017 Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +# +# Script to configure and start the Istio node agent. +# Will run the node_agent as istio-proxy instead of root - to allow interception +# of apps running as root (node_agent requires root to not be intercepted) and +# to reduce risks. + +set -e + +# Load optional config variables +ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-/var/lib/istio/envoy/sidecar.env} +if [[ -r ${ISTIO_SIDECAR_CONFIG} ]]; then + . $ISTIO_SIDECAR_CONFIG +fi + +# Load config variables ISTIO_SYSTEM_NAMESPACE, CONTROL_PLANE_AUTH_POLICY +ISTIO_CLUSTER_CONFIG=${ISTIO_CLUSTER_CONFIG:-/var/lib/istio/envoy/cluster.env} +if [[ -r ${ISTIO_CLUSTER_CONFIG} ]]; then + . 
$ISTIO_CLUSTER_CONFIG +fi + +# Set defaults +ISTIO_BIN_BASE=${ISTIO_BIN_BASE:-/usr/local/bin} +ISTIO_LOG_DIR=${ISTIO_LOG_DIR:-/var/log/istio} +NS=${ISTIO_NAMESPACE:-default} +SVC=${ISTIO_SERVICE:-rawvm} +ISTIO_SYSTEM_NAMESPACE=${ISTIO_SYSTEM_NAMESPACE:-istio-system} + +EXEC_USER=${EXEC_USER:-istio-proxy} + +if [ -z "${CITADEL_ADDRESS:-}" ]; then + CITADEL_ADDRESS=istio-citadel:8060 +fi + +CERTS_DIR=${CERTS_DIR:-/etc/certs} + +CITADEL_ARGS="--ca-address ${CITADEL_ADDRESS}" +CITADEL_ARGS="${CITADEL_ARGS} --cert-chain ${CERTS_DIR}/cert-chain.pem" +CITADEL_ARGS="${CITADEL_ARGS} --key ${CERTS_DIR}/key.pem" +CITADEL_ARGS="${CITADEL_ARGS} --root-cert ${CERTS_DIR}/root-cert.pem" + +if [ -z "${CITADEL_ENV:-}" ]; then + CITADEL_ARGS="${CITADEL_ARGS} --env onprem" +else + CITADEL_ARGS="${CITADEL_ARGS} --env ${CITADEL_ENV}" +fi + +if [ ${EXEC_USER} == ${USER:-} ] ; then + ${ISTIO_BIN_BASE}/node_agent ${CITADEL_ARGS} +else + su -s /bin/sh -c "exec ${ISTIO_BIN_BASE}/node_agent ${CITADEL_ARGS}" ${EXEC_USER} +fi \ No newline at end of file diff --git a/istio-1.0.4/tools/deb/istio-start.sh b/istio-1.0.4/tools/deb/istio-start.sh new file mode 100755 index 0000000..ccc0593 --- /dev/null +++ b/istio-1.0.4/tools/deb/istio-start.sh 
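Review bot: The final test `[ ${EXEC_USER} == ${USER:-} ]` is unquoted, so when `USER` is empty or unset it expands to `[ istio-proxy == ]`, which is a `test` syntax error rather than a false comparison. The script then reaches the `su` branch only because the failing condition sits inside an `if`. Comparing against the real identity avoids depending on the environment: `if [ "${EXEC_USER}" = "$(id -un)" ]; then`. The same line appears in `istio-start.sh` later in this diff and needs the same change. `CITADEL_ARGS` is also expanded unquoted into the `su -c` string, so a `CERTS_DIR` or `CITADEL_ADDRESS` value containing whitespace from the sourced env files would split into extra arguments.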
@@ -0,0 +1,99 @@ +#!/bin/bash +# +# Copyright 2017 Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +# +# Script to configure and start the Istio sidecar. + +set -e + +# Load optional config variables +ISTIO_SIDECAR_CONFIG=${ISTIO_SIDECAR_CONFIG:-/var/lib/istio/envoy/sidecar.env} +if [[ -r ${ISTIO_SIDECAR_CONFIG} ]]; then + . $ISTIO_SIDECAR_CONFIG +fi + +# Load config variables ISTIO_SYSTEM_NAMESPACE, CONTROL_PLANE_AUTH_POLICY +ISTIO_CLUSTER_CONFIG=${ISTIO_CLUSTER_CONFIG:-/var/lib/istio/envoy/cluster.env} +if [[ -r ${ISTIO_CLUSTER_CONFIG} ]]; then + . $ISTIO_CLUSTER_CONFIG +fi + +# Set defaults +ISTIO_BIN_BASE=${ISTIO_BIN_BASE:-/usr/local/bin} +ISTIO_LOG_DIR=${ISTIO_LOG_DIR:-/var/log/istio} +NS=${ISTIO_NAMESPACE:-default} +SVC=${ISTIO_SERVICE:-rawvm} +ISTIO_SYSTEM_NAMESPACE=${ISTIO_SYSTEM_NAMESPACE:-istio-system} + +# The default matches the default istio.yaml - use sidecar.env to override this if you +# enable auth. This requires node-agent to be running. +ISTIO_PILOT_PORT=${ISTIO_PILOT_PORT:-15011} + +# If set, override the default +CONTROL_PLANE_AUTH_POLICY="--controlPlaneAuthPolicy MUTUAL_TLS" +if [ ! 
-z "${ISTIO_CP_AUTH:-}" ]; then + CONTROL_PLANE_AUTH_POLICY="--controlPlaneAuthPolicy ${ISTIO_CP_AUTH}" +fi + +if [ -z "${ISTIO_SVC_IP:-}" ]; then + ISTIO_SVC_IP=$(hostname --ip-address) +fi + +if [ -z "${POD_NAME:-}" ]; then + POD_NAME=$(hostname -s) +fi + +# Init option will only initialize iptables. Can be used +if [[ ${1-} == "init" || ${1-} == "-p" ]] ; then + # Update iptables, based on current config. This is for backward compatibility with the init image mode. + # The sidecar image can replace the k8s init image, to avoid downloading 2 different images. + ${ISTIO_BIN_BASE}/istio-iptables.sh "${@}" + exit 0 +fi + +if [[ ${1-} != "run" ]] ; then + # Update iptables, based on config file + ${ISTIO_BIN_BASE}/istio-iptables.sh +fi + +EXEC_USER=${EXEC_USER:-istio-proxy} +if [ "${ISTIO_INBOUND_INTERCEPTION_MODE}" = "TPROXY" ] ; then + # In order to allow redirect inbound traffic using TPROXY, run envoy with the CAP_NET_ADMIN capability. + # This allows configuring listeners with the "transparent" socket option set to true. + EXEC_USER=root +fi + +if [ -z "${PILOT_ADDRESS:-}" ]; then + PILOT_ADDRESS=istio-pilot.${ISTIO_SYSTEM_NAMESPACE}:${ISTIO_PILOT_PORT} +fi + +if [ ${EXEC_USER} == ${USER:-} ] ; then + # if started as istio-proxy (or current user), do a normal start, without + # redirecting stderr. 
+ INSTANCE_IP=${ISTIO_SVC_IP} POD_NAME=${POD_NAME} POD_NAMESPACE=${NS} ${ISTIO_BIN_BASE}/pilot-agent proxy ${ISTIO_AGENT_FLAGS:-} \ + --serviceCluster $SVC \ + --discoveryAddress ${PILOT_ADDRESS} \ + $CONTROL_PLANE_AUTH_POLICY +else + +# Will run: ${ISTIO_BIN_BASE}/envoy -c $ENVOY_CFG --restart-epoch 0 --drain-time-s 2 --parent-shutdown-time-s 3 --service-cluster $SVC --service-node 'sidecar~${ISTIO_SVC_IP}~${POD_NAME}.${NS}.svc.cluster.local~${NS}.svc.cluster.local' --allow-unknown-fields $ISTIO_DEBUG >${ISTIO_LOG_DIR}/istio.log" istio-proxy +exec su -s /bin/bash -c "INSTANCE_IP=${ISTIO_SVC_IP} POD_NAME=${POD_NAME} POD_NAMESPACE=${NS} exec ${ISTIO_BIN_BASE}/pilot-agent proxy ${ISTIO_AGENT_FLAGS:-} \ + --serviceCluster $SVC \ + --discoveryAddress ${PILOT_ADDRESS} \ + $CONTROL_PLANE_AUTH_POLICY \ + 2> ${ISTIO_LOG_DIR}/istio.err.log > ${ISTIO_LOG_DIR}/istio.log" ${EXEC_USER} +fi \ No newline at end of file diff --git a/istio-1.0.4/tools/deb/istio.mk b/istio-1.0.4/tools/deb/istio.mk new file mode 100644 index 0000000..3e43add --- /dev/null +++ b/istio-1.0.4/tools/deb/istio.mk 
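Review bot: The TPROXY branch sets `EXEC_USER=root`, while the comment above it says Envoy runs "with the CAP_NET_ADMIN capability". The code grants full root to `pilot-agent` and Envoy, which is far broader than that single capability and makes any proxy compromise a host compromise. If the capability alone is sufficient, it could be granted to the unprivileged account instead, for example through `AmbientCapabilities=CAP_NET_ADMIN` in the service unit, which is not visible in this diff. Otherwise the comment should state what happens: `# TPROXY needs CAP_NET_ADMIN; this script obtains it by running the agent and Envoy as root.` The `su -c` command string also interpolates `$SVC`, `${PILOT_ADDRESS}` and `${ISTIO_AGENT_FLAGS:-}` from the sourced env files without quoting.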
@@ -0,0 +1,169 @@ +# Make the deb image using the CI/CD image and docker, for users who don't have 'fpm' installed. +# TODO: use 'which fpm' to detect if fpm is installed on host, consolidate under one target ('deb') +deb/build-in-docker: + (cd ${TOP}; docker run --rm -u $(shell id -u) -it \ + -v ${GO_TOP}:${GO_TOP} \ + -w ${PWD} \ + -e USER=${USER} \ + -e GOPATH=${GOPATH} \ + --entrypoint /bin/bash ${CI_HUB}/ci:${CI_VERSION} \ + -c "make deb/fpm") + +# Create the 'sidecar' deb, including envoy and istio agents and configs. +# This target uses a locally installed 'fpm' - use 'docker.sidecar.deb' to use +# the builder image. +# TODO: consistent layout, possibly /opt/istio-VER/... +sidecar.deb: ${ISTIO_OUT}/istio-sidecar.deb + +deb: ${ISTIO_OUT}/istio-sidecar.deb + +# Base directory for istio binaries. Likely to change ! +ISTIO_DEB_BIN=/usr/local/bin + +ISTIO_DEB_DEPS:=pilot-discovery istioctl mixs istio_ca +ISTIO_FILES:= +# subst is used to turn an absolute path into the relative path that fpm seems to expect +$(foreach DEP,$(ISTIO_DEB_DEPS),\ + $(eval ${ISTIO_OUT}/istio.deb: $(ISTIO_OUT)/$(DEP)) \ + $(eval ISTIO_FILES+=$(subst $(GO_TOP)/,,$(ISTIO_OUT))/$(DEP)=$(ISTIO_DEB_BIN)/$(DEP)) ) + +SIDECAR_DEB_DEPS:=envoy pilot-agent node_agent +SIDECAR_FILES:= +# subst is used to turn an absolute path into the relative path that fpm seems to expect +$(foreach DEP,$(SIDECAR_DEB_DEPS),\ + $(eval ${ISTIO_OUT}/istio-sidecar.deb: $(ISTIO_OUT)/$(DEP)) \ + $(eval SIDECAR_FILES+=$(subst $(GO_TOP)/,,$(ISTIO_OUT))/$(DEP)=$(ISTIO_DEB_BIN)/$(DEP)) ) + +ISTIO_DEB_DEST:=${ISTIO_DEB_BIN}/istio-start.sh \ + ${ISTIO_DEB_BIN}/istio-node-agent-start.sh \ + ${ISTIO_DEB_BIN}/istio-iptables.sh \ + /lib/systemd/system/istio.service \ + /lib/systemd/system/istio-auth-node-agent.service \ + /var/lib/istio/envoy/sidecar.env + +$(foreach DEST,$(ISTIO_DEB_DEST),\ + $(eval ${ISTIO_OUT}/istio-sidecar.deb: tools/deb/$(notdir $(DEST))) \ + $(eval SIDECAR_FILES+=src/istio.io/istio/tools/deb/$(notdir 
$(DEST))=$(DEST))) + +SIDECAR_FILES+=src/istio.io/istio/tools/deb/envoy_bootstrap_v2.json=/var/lib/istio/envoy/envoy_bootstrap_tmpl.json + +# original name used in 0.2 - will be updated to 'istio.deb' since it now includes all istio binaries. +ISTIO_DEB_NAME ?= istio-sidecar + +# TODO: rename istio-sidecar.deb to istio.deb + +# Note: adding --deb-systemd ${GO_TOP}/src/istio.io/istio/tools/deb/istio.service will result in +# a /etc/systemd/system/multi-user.target.wants/istio.service and auto-start. Currently not used +# since we need configuration. +# --iteration 1 adds a "-1" suffix to the version that didn't exist before +${ISTIO_OUT}/istio-sidecar.deb: | ${ISTIO_OUT} + $(MAKE) deb/fpm + +#remove leading charecters since debian version expects to start with digit +DEB_VERSION := $(shell echo $(VERSION) | sed 's/^[a-z]*-//') + +# Package the sidecar deb file. +deb/fpm: + rm -f ${ISTIO_OUT}/istio-sidecar.deb + fpm -s dir -t deb -n ${ISTIO_DEB_NAME} -p ${ISTIO_OUT}/istio-sidecar.deb --version $(DEB_VERSION) -C ${GO_TOP} -f \ + --url http://istio.io \ + --license Apache \ + --vendor istio.io \ + --maintainer istio@istio.io \ + --after-install tools/deb/postinst.sh \ + --config-files /var/lib/istio/envoy/envoy_bootstrap_tmpl.json \ + --config-files /var/lib/istio/envoy/sidecar.env \ + --description "Istio Sidecar" \ + --depends iproute2 \ + --depends iptables \ + $(SIDECAR_FILES) + +${ISTIO_OUT}/istio.deb: + rm -f ${ISTIO_OUT}/istio.deb + fpm -s dir -t deb -n istio -p ${ISTIO_OUT}/istio.deb --version $(DEB_VERSION) -C ${GO_TOP} -f \ + --url http://istio.io \ + --license Apache \ + --vendor istio.io \ + --maintainer istio@istio.io \ + --description "Istio" \ + $(ISTIO_FILES) + +# Install the deb in a docker image, for testing of the install process. 
+deb/docker: hyperistio build deb/fpm ${ISTIO_OUT}/istio.deb + mkdir -p ${OUT_DIR}/deb + cp tools/deb/Dockerfile tools/deb/deb_test.sh ${OUT_DIR}/deb + cp tests/testdata/config/*.yaml ${OUT_DIR}/deb + cp -a tests/testdata/certs ${OUT_DIR}/deb + cp ${ISTIO_OUT}/hyperistio ${OUT_DIR}/deb + cp ${GOPATH}/bin/{kube-apiserver,etcd,kubectl} ${OUT_DIR}/deb + cp ${ISTIO_OUT}/istio-sidecar.deb ${OUT_DIR}/deb/istio-sidecar.deb + cp ${ISTIO_OUT}/istio.deb ${OUT_DIR}/deb/istio.deb + docker build -t istio_deb -f ${OUT_DIR}/deb/Dockerfile ${OUT_DIR}/deb/ + +deb/test: + docker run --cap-add=NET_ADMIN --rm -v ${ISTIO_GO}/tools/deb/deb_test.sh:/tmp/deb_test.sh istio_deb /tmp/deb_test.sh + +# For the test, by default use a local pilot. +# Set it to 172.18.0.1 to run against a pilot or hyperistio running in IDE. +# You may need to enable 15007 in the local machine firewall for this to work. +DEB_PILOT_IP ?= 127.0.0.1 +DEB_CMD ?= /bin/bash +DEB_IP ?= 172.18.0.3 +DEB_PORT_PREFIX ?= 1600 + +# TODO: docker compose ? + +# Run the docker image including the installed debian, with access to all source +# code. Useful for debugging/experiments with iptables. 
+# +# Before running: +# docker network create --subnet=172.18.0.0/16 istiotest +# The IP of the docker matches the byon-docker service entry +deb/run/docker: + docker run --cap-add=NET_ADMIN --rm \ + -v ${GO_TOP}:${GO_TOP} \ + -w ${PWD} \ + --net istiotest --ip ${DEB_IP} \ + --add-host echo:10.1.1.1 \ + --add-host byon.test.istio.io:10.1.1.2 \ + --add-host byon-docker.test.istio.io:10.1.1.2 \ + --add-host istio-pilot.istio-system:${DEB_PILOT_IP} \ + ${DEB_ENV} -e ISTIO_SERVICE_CIDR=10.1.1.0/24 \ + -e ISTIO_INBOUND_PORTS=7070,7072,7073,7074,7075 \ + -e PILOT_CERT_DIR=/var/lib/istio/pilot \ + -p 127.0.0.1:${DEB_PORT_PREFIX}1:15007 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}2:7070 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}3:7072 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}4:7073 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}5:7074 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}6:7075 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}7:15011 \ + -p 127.0.0.1:${DEB_PORT_PREFIX}8:15010 \ + -e GOPATH=${GOPATH} \ + -it istio_deb ${DEB_CMD} + +deb/run/debug: + $(MAKE) deb/run/docker DEB_ENV="-e DEB_PILOT_IP=172.18.0.1" + +deb/run/tproxy: + $(MAKE) deb/run/docker DEB_PORT_PREFIX=1610 DEB_IP=172.18.0.4 DEB_ENV="-e ISTIO_INBOUND_INTERCEPTION_MODE=TPROXY" + +deb/run/mtls: + $(MAKE) deb/run/docker DEB_PORT_PREFIX=1620 -e DEB_PILOT_IP=172.18.0.1 DEB_IP=172.18.0.5 DEB_ENV="-e ISTIO_PILOT_PORT=15005 -e ISTIO_CP_AUTH=MUTUAL_TLS" + +# Similar with above, but using a pilot running on the local machine +deb/run/docker-debug: + $(MAKE) deb/run/docker PILOT_IP= + +# +deb/docker-run: deb/docker deb/run/docker + +.PHONY: \ + deb \ + deb/build-in-docker \ + deb/docker \ + deb/docker-run \ + deb/run/docker \ + deb/fpm \ + deb/test \ + sidecar.deb diff --git a/istio-1.0.4/tools/deb/istio.service b/istio-1.0.4/tools/deb/istio.service new file mode 100644 index 0000000..fd4d29e --- /dev/null +++ b/istio-1.0.4/tools/deb/istio.service 
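Review bot: In `deb/run/mtls` the `-e DEB_PILOT_IP=172.18.0.1` sits directly on the `$(MAKE)` command line, where `-e` is make's own environment-overrides switch rather than a docker option. The pilot address is still set, but only because make reads the following word as a variable assignment, and as a side effect every environment variable now overrides the makefile's assignments for that sub-make. I would write it as `$(MAKE) deb/run/docker DEB_PORT_PREFIX=1620 DEB_PILOT_IP=172.18.0.1 DEB_IP=172.18.0.5 DEB_ENV="..."`. `deb/run/docker-debug` passes `PILOT_IP=`, which nothing in this file reads (the run target uses `DEB_PILOT_IP`), so it currently behaves exactly like `deb/run/docker`. Since `deb/run/docker` grants `--cap-add=NET_ADMIN` and bind-mounts all of `${GO_TOP}` writable, a comment such as `# Local debugging only: container gets NET_ADMIN and write access to the source tree` above it would make the trust assumption explicit.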
@@ -0,0 +1,12 @@
+[Unit]
+Description=istio-sidecar: The Istio sidecar
+Documentation=http://istio.io/
+
+[Service]
+ExecStart=/usr/local/bin/istio-start.sh
+Restart=always
+StartLimitInterval=0
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target
diff --git a/istio-1.0.4/tools/deb/postinst.sh b/istio-1.0.4/tools/deb/postinst.sh
new file mode 100755
index 0000000..1e5ec55
--- /dev/null
+++ b/istio-1.0.4/tools/deb/postinst.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+#
+# Copyright 2017, 2018 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+set -e
+
+action="$1"
+oldversion="$2"
+
+umask 022
+
+if ! getent passwd istio-proxy >/dev/null; then
+ addgroup --system istio-proxy
+ adduser --system --group --home /var/lib/istio istio-proxy
+fi
+
+if [ ! -e /etc/istio ]; then
+ # Backward compat.
+ ln -s /var/lib/istio /etc/istio
+fi
+
+mkdir -p /var/lib/istio/envoy
+mkdir -p /var/lib/istio/proxy
+mkdir -p /var/lib/istio/config
+mkdir -p /var/log/istio
+
+touch /var/lib/istio/config/mesh
+
+mkdir -p /etc/certs
+chown istio-proxy.istio-proxy /etc/certs
+
+chown istio-proxy.istio-proxy /var/lib/istio/envoy /var/lib/istio/config /var/log/istio /var/lib/istio/config/mesh /var/lib/istio/proxy
+chmod o+rx /usr/local/bin/{envoy,pilot-agent,node_agent}
+
+# pilot-agent and envoy may run with effective uid 0 in order to run envoy with
+# CAP_NET_ADMIN, so any iptables rule matching on "-m owner --uid-owner
+# istio-proxy" will not match connections from those processes anymore.
+# Instead, rely on the process's effective gid being istio-proxy and create a
+# "-m owner --gid-owner istio-proxy" iptables rule in istio-iptables.sh.
+chmod 2755 /usr/local/bin/{envoy,pilot-agent}
diff --git a/istio-1.0.4/tools/deb/sidecar.env b/istio-1.0.4/tools/deb/sidecar.env
new file mode 100644
index 0000000..0dacf75
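Review bot: The final `chmod 2755 /usr/local/bin/{envoy,pilot-agent}` sets the setgid bit, but nothing in this script changes the group of those two binaries. The comment above relies on the processes running with effective gid istio-proxy, yet setgid switches to whatever group owns the file, and the fpm invocation in istio.mk shows no owner or group option, so that is presumably root. If so, the `--gid-owner istio-proxy` rule would not match, and any local user executing these files would run with the file's group. I would add `chgrp istio-proxy /usr/local/bin/{envoy,pilot-agent}` immediately before the chmod and say in the comment that the order matters. As a smaller point, `chown istio-proxy.istio-proxy` uses the deprecated dot separator (`istio-proxy:istio-proxy` is the supported form), and `action` and `oldversion` are assigned but never read.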
--- /dev/null
+++ b/istio-1.0.4/tools/deb/sidecar.env
@@ -0,0 +1,80 @@
+# Environment variables used to configure istio startup
+
+# Comma separated list of CIDRs used for services. If set, iptables will be run to allow istio
+# sidecar to intercept outbound calls to configured addresses. If not set, outbound istio sidecar
+# will not be used via iptables.
+# ISTIO_SERVICE_CIDR=
+
+# Name of the service exposed by the machine.
+# ISTIO_SERVICE=myservice
+
+# The mode used to redirect inbound connections to Envoy. This setting
+# has no effect on outbound traffic: iptables REDIRECT is always used for
+# outbound connections.
+# If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy.
+# The "REDIRECT" mode loses source addresses during redirection.
+# If "TPROXY", use iptables TPROXY to redirect to Envoy.
+# The "TPROXY" mode preserves both the source and destination IP
+# addresses and ports, so that they can be used for advanced filtering
+# and manipulation.
+# The "TPROXY" mode also configures the sidecar to run with the
+# CAP_NET_ADMIN capability, which is required to use TPROXY.
+# If not set, defaults to "REDIRECT".
+# ISTIO_INBOUND_INTERCEPTION_MODE=REDIRECT
+
+# When the interception mode is "TPROXY", the iptables skb mark that is set on
+# every inbound packet to be redirected to Envoy.
+# If not set, defaults to "1337".
+# ISTIO_INBOUND_TPROXY_MARK=1337
+
+# When the interception mode is "TPROXY", the number of the routing table that
+# is configured and used to route inbound connections to the loopback interface
+# in order to be redirected to Envoy.
+# If not set, defaults to "133".
+# ISTIO_INBOUND_TPROXY_ROUTE_TABLE=133
+
+# Comma separated list of local ports that will use Istio sidecar for inbound services.
+# If set, iptables rules will be configured to intercept inbound traffic and redirect to sidecar.
+# If not set, no rules will be enabled
+# ISTIO_INBOUND_PORTS=
+
+# List of ports to exclude from inbound interception, if ISTIO_INBOUND_PORTS is set to *
+# Port 22 is automatically excluded
+# ISTIO_INBOUND_EXCLUDE_PORTS=
+
+# Namespace of the cluster.
+# ISTIO_NAMESPACE=default
+
+# Specify the IP address used in endpoints. If not set, 'hostname --ip-address' will be used.
+# Needed if the host has multiple IP.
+# ISTIO_SVC_IP=
+
+# If istio-pilot is configured with mTLS authentication (--controlPlaneAuthPolicy MUTUAL_TLS ) you must
+# also configure the mesh expansion machines:
+# ISTIO_PILOT_PORT=15005
+# ISTIO_CP_AUTH=MUTUAL_TLS
+
+# Fine tunning - useful if installing/building binaries instead of using the .deb file, or running
+# multiple instances.
+
+# Port used by Envoy. Defaults to 15001, used in the autogenerated config
+# ENVOY_PORT=15001
+
+# User running Envoy. For testing you can use a regular user ID - however running iptables requires
+# root or netadmin capability. The debian file creates user istio.
+# ENVOY_USER=istio-proxy
+
+# Uncomment to enable debugging
+# ISTIO_AGENT_FLAGS="--proxyLogLevel debug"
+
+# Directory for stdout redirection. The redirection is required because envoy attempts to open
+# /dev/stdout - must be a real file. Will be used for access logs. Additional config for logsaver
+# needs to be made, envoy reopens the file on SIGUSR1
+# ISTIO_LOG_DIR=/var/log/istio
+
+# Installation directory for istio binaries, customize in case you're using a binary.
+# This is likely to change - current path matches the docker layout in 0.1
+# ISTIO_BIN_BASE=/usr/local/bin
+
+# Location of istio configs.
+# ISTIO_CFG=/var/lib/istio
diff --git a/istio-1.0.4/tools/dump_kubernetes.sh b/istio-1.0.4/tools/dump_kubernetes.sh
new file mode 100755
index 0000000..678ba6d
--- /dev/null
+++ b/istio-1.0.4/tools/dump_kubernetes.sh
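Review bot: The "User running Envoy" entry documents `ENVOY_USER=istio-proxy`, but the visible tail of istio-start.sh selects the account with `EXEC_USER=${EXEC_USER:-istio-proxy}`. Unless the start script maps `ENVOY_USER` somewhere above the part shown here, an operator who sets it to run the proxy under a less privileged account gets no effect. The same comment says the package creates user "istio", while postinst.sh creates `istio-proxy`. I would change the entry to `# EXEC_USER=istio-proxy` and the sentence to `The debian file creates user istio-proxy.` The TPROXY paragraph should also state that the start script switches the proxy to root in that mode (`EXEC_USER=root`), which is a wider privilege change than "runs with the CAP_NET_ADMIN capability" suggests.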
@@ -0,0 +1,286 @@ +#!/bin/bash +# +# Uses kubectl to collect cluster information. +# Dumps: +# - Logs of every container of every pod of every namespace. +# - Resource configurations for ingress, endpoints, custom resource +# definitions, configmaps, secrets (names only) and "all" as defined by +# kubectl. + +COREDUMP_DIR="/var/lib/istio" + +error() { + echo "$*" >&2 +} + +usage() { + error 'Collect all possible data from a Kubernetes cluster using kubectl.' + error '' + error 'Usage:' + error ' dump_kubernetes.sh [options]' + error '' + error 'Options:' + error ' -d, --output-directory directory to output files; defaults to' + error ' "istio-dump"' + error ' -z, --archive if present, archives and removes the output' + error ' directory' + error ' -q, --quiet if present, do not log' + error ' --error-if-nasty-logs if present, exit with 255 if any logs' + error ' contain errors' + exit 1 +} + +log() { + local msg="${1}" + if [ "${QUIET}" = false ]; then + printf '%s\n' "${msg}" + fi +} + +parse_args() { + while [ "$#" -gt 0 ]; do + case "${1}" in + -d|--output-directory) + local out_dir="${2}" + shift 2 # Shift past option and value. + ;; + -z|--archive) + local should_archive=true + shift # Shift past flag. + ;; + -q|--quiet) + local quiet=true + shift # Shift past flag. + ;; + --error-if-nasty-logs) + local should_check_logs_for_errors=true + shift # Shift past flag. + ;; + *) + usage + ;; + esac + done + + readonly OUT_DIR="${out_dir:-istio-dump}" + readonly SHOULD_ARCHIVE="${should_archive:-false}" + readonly QUIET="${quiet:-false}" + readonly SHOULD_CHECK_LOGS_FOR_ERRORS="${should_check_logs_for_errors:-false}" + readonly LOG_DIR="${OUT_DIR}/logs" + readonly RESOURCES_FILE="${OUT_DIR}/resources.yaml" + readonly ISTIO_RESOURCES_FILE="${OUT_DIR}/istio-resources.yaml" +} + +check_prerequisites() { + local prerequisites=$* + for prerequisite in ${prerequisites}; do + if ! command -v "${prerequisite}" > /dev/null; then + error "\"${prerequisite}\" is required. 
Please install it." + return 1 + fi + done +} + +dump_time() { + mkdir -p "${OUT_DIR}" + date -u > "${OUT_DIR}/DUMP_TIME" +} + +dump_logs_for_container() { + local namespace="${1}" + local pod="${2}" + local container="${3}" + + log "Retrieving logs for ${namespace}/${pod}/${container}" + + mkdir -p "${LOG_DIR}/${namespace}/${pod}" + local log_file_head="${LOG_DIR}/${namespace}/${pod}/${container}" + + local log_file="${log_file_head}.log" + kubectl logs --namespace="${namespace}" "${pod}" "${container}" \ + > "${log_file}" + + local filter="?(@.name == \"${container}\")" + local json_path='{.status.containerStatuses['${filter}'].restartCount}' + local restart_count + restart_count=$(kubectl get --namespace="${namespace}" \ + pod "${pod}" -o=jsonpath="${json_path}") + if [ "${restart_count}" -gt 0 ]; then + log "Retrieving previous logs for ${namespace}/${pod}/${container}" + + local log_previous_file + log_previous_file="${log_file_head}_previous.log" + kubectl logs --namespace="${namespace}" \ + --previous "${pod}" "${container}" \ + > "${log_previous_file}" + fi +} + +copy_core_dumps_if_istio_proxy() { + local namespace="${1}" + local pod="${2}" + local container="${3}" + local got_core_dump=false + + if [ "istio-proxy" = "${container}" ]; then + local out_dir="${LOG_DIR}/${namespace}/${pod}" + mkdir -p "${out_dir}" + local core_dumps + core_dumps=$(kubectl exec -n "${namespace}" "${pod}" -c "${container}" -- \ + find ${COREDUMP_DIR} -name 'core.*') + for f in ${core_dumps}; do + local out_file + out_file="${out_dir}/$(basename "${f}")" + + kubectl exec -n "${namespace}" "${pod}" -c "${container}" -- \ + cat "${f}" > "${out_file}" + + log "Copied ${namespace}/${pod}/${container}:${f} to ${out_file}" + got_core_dump=true + done + fi + if [ "${got_core_dump}" = true ]; then + return 254 + fi +} + +# Run functions on each container. Each argument should be a function which +# takes 3 args: ${namespace} ${pod} ${container}. 
+# If any of the called functions returns error, tap_containers returns +# immediately with that error. +tap_containers() { + local functions=( "$@" ) + + local namespaces + namespaces=$(kubectl get \ + namespaces -o=jsonpath="{.items[*].metadata.name}") + for namespace in ${namespaces}; do + local pods + pods=$(kubectl get --namespace="${namespace}" \ + pods -o=jsonpath='{.items[*].metadata.name}') + for pod in ${pods}; do + local containers + containers=$(kubectl get --namespace="${namespace}" \ + pod "${pod}" -o=jsonpath='{.spec.containers[*].name}') + for container in ${containers}; do + + for f in "${functions[@]}"; do + "${f}" "${namespace}" "${pod}" "${container}" || return $? + done + + done + done + done + + return 0 +} + +dump_kubernetes_resources() { + log "Retrieving kubernetes resource configurations" + + mkdir -p "${OUT_DIR}" + # Only works in Kubernetes 1.8.0 and above. + kubectl get --all-namespaces --export \ + all,jobs,ingresses,endpoints,customresourcedefinitions,configmaps,secrets,events \ + -o yaml > "${RESOURCES_FILE}" +} + +dump_istio_custom_resource_definitions() { + log "Retrieving istio resource configurations" + + local istio_resources + # Trim to only first field; join by comma; remove last comma. + istio_resources=$(kubectl get customresourcedefinitions \ + --no-headers 2> /dev/null \ + | cut -d ' ' -f 1 \ + | tr '\n' ',' \ + | sed 's/,$//') + + if [ ! 
-z "${istio_resources}" ]; then + kubectl get "${istio_resources}" --all-namespaces -o yaml \ + > "${ISTIO_RESOURCES_FILE}" + fi +} + +dump_resources() { + dump_kubernetes_resources + dump_istio_custom_resource_definitions + + mkdir -p "${OUT_DIR}" + kubectl cluster-info dump > "${OUT_DIR}/cluster-info.dump.txt" + kubectl describe pods -n istio-system > "${OUT_DIR}/istio-system-pods.txt" + kubectl get events --all-namespaces -o wide > "${OUT_DIR}/events.txt" +} + +dump_pilot_url(){ + local pilot_pod=$1 + local url=$2 + local dname=$3 + local outfile + + outfile="${dname}/$(basename "${url}")" + + log "Fetching ${url} from pilot" + kubectl -n istio-system exec -i -t "${pilot_pod}" -c istio-proxy -- \ + curl "http://localhost:8080/${url}" > "${outfile}" +} + +dump_pilot() { + local pilot_pod + pilot_pod=$(kubectl -n istio-system get pods -l istio=pilot \ + -o jsonpath='{.items[*].metadata.name}') + + if [ ! -z "${pilot_pod}" ]; then + local pilot_dir="${OUT_DIR}/pilot" + mkdir -p "${pilot_dir}" + + dump_pilot_url "${pilot_pod}" debug/configz "${pilot_dir}" + dump_pilot_url "${pilot_pod}" debug/endpointz "${pilot_dir}" + dump_pilot_url "${pilot_pod}" debug/adsz "${pilot_dir}" + dump_pilot_url "${pilot_pod}" metrics "${pilot_dir}" + fi +} + +archive() { + local parent_dir + parent_dir=$(dirname "${OUT_DIR}") + local dir + dir=$(basename "${OUT_DIR}") + + pushd "${parent_dir}" > /dev/null || exit + tar -czf "${dir}.tar.gz" "${dir}" + popd > /dev/null || exit + + log "Wrote ${parent_dir}/${dir}.tar.gz" +} + +check_logs_for_errors() { + log "Searching logs for errors." + grep -R --include "${LOG_DIR}/*.log" --ignore-case -e 'segmentation fault' +} + +main() { + local exit_code=0 + parse_args "$@" + check_prerequisites kubectl + dump_time + dump_pilot + dump_resources + exit_code=tap_containers dump_logs_for_container copy_core_dumps_if_istio_proxy + + if [ "${SHOULD_CHECK_LOGS_FOR_ERRORS}" = true ]; then + if ! 
check_logs_for_errors; then + exit_code=255 + fi + fi + + if [ "${SHOULD_ARCHIVE}" = true ] ; then + archive + rm -r "${OUT_DIR}" + fi + log "Wrote to ${OUT_DIR}" + + return ${exit_code} +} + +main "$@" diff --git a/istio-1.0.4/tools/githubContrib/Contributions.txt b/istio-1.0.4/tools/githubContrib/Contributions.txt new file mode 100644 index 0000000..d086fbc --- /dev/null +++ b/istio-1.0.4/tools/githubContrib/Contributions.txt @@ -0,0 +1,2 @@ +Here is the current (as of January 2018) alphabetical list of companies and the number of contributors: +Apache.org (1), Apprenda (1), Calcotestudios (1), CMU (1), Google (34), Hashbangbash (1), Hootsuite (1), Ibm (11), Redhat (2), Unknown (12) diff --git a/istio-1.0.4/tools/hyperistio/README.md b/istio-1.0.4/tools/hyperistio/README.md new file mode 100644 index 0000000..6cbac8d --- /dev/null +++ b/istio-1.0.4/tools/hyperistio/README.md @@ -0,0 +1,5 @@ +HyperIstio is a standalone server including multiple istio components, with default +configuration suited for local testing. + +- config defaults to tests/testdata/config +- default ports used diff --git a/istio-1.0.4/tools/hyperistio/hyperistio.go b/istio-1.0.4/tools/hyperistio/hyperistio.go new file mode 100644 index 0000000..59c6280 --- /dev/null +++ b/istio-1.0.4/tools/hyperistio/hyperistio.go 
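Review bot: `dump_kubernetes_resources` includes `secrets` in a `kubectl get ... -o yaml`, so `resources.yaml` (and the tarball produced by `--archive`) holds the full base64-encoded secret data, although the file header promises "secrets (names only)". These dumps are typically attached to bug reports, so I would drop `secrets` from that resource list and record names separately, e.g. `kubectl get secrets --all-namespaces -o name > "${OUT_DIR}/secret-names.txt"`, or at least correct the header and warn in `usage`. Separately, in `main` the line `exit_code=tap_containers dump_logs_for_container copy_core_dumps_if_istio_proxy` is an environment-assignment prefix, so `tap_containers` never runs and `dump_logs_for_container` is called once with a bogus namespace. The intended form is `tap_containers dump_logs_for_container copy_core_dumps_if_istio_proxy || exit_code=$?`. `check_logs_for_errors` also gives `grep -R` no directory operand and passes a path to `--include`, which takes a file-name glob (`grep -R --include '*.log' ... "${LOG_DIR}"`).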
@@ -0,0 +1,193 @@ +// Copyright 2018 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "flag" + "fmt" + "log" + "os" + "os/signal" + "syscall" + "time" + + "github.com/golang/protobuf/ptypes" + + meshconfig "istio.io/api/mesh/v1alpha1" + "istio.io/istio/mixer/test/client/env" + "istio.io/istio/pilot/pkg/bootstrap" + "istio.io/istio/pilot/pkg/model" + "istio.io/istio/pilot/pkg/proxy/envoy" + "istio.io/istio/pilot/pkg/serviceregistry" + agent "istio.io/istio/pkg/bootstrap" + "istio.io/istio/tests/util" +) + +var ( + runEnvoy = flag.Bool("envoy", true, "Start envoy") +) + +// hyperistio runs all istio components in one binary, using a directory based config by +// default. It is intended for testing/debugging/prototyping. 
+func main() { + flag.Parse() + err := startAll() + if err != nil { + log.Fatal("Failed to start ", err) + } + sigs := make(chan os.Signal, 1) + signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM) + <-sigs + + //select{} +} + +func startAll() error { + err := startPilot() + if err != nil { + return err + } + + err = startMixer() + if err != nil { + return err + } + + // Mixer test servers + srv, err := env.NewHTTPServer(7070) + if err != nil { + return err + } + srv.Start() + + go util.RunHTTP(7072, "v1") + go util.RunGRPC(7073, "v1", "", "") + go util.RunHTTP(7074, "v2") + go util.RunGRPC(7075, "v2", "", "") + if *runEnvoy { + err = startEnvoy() + if err != nil { + return err + } + } + + return nil +} + +func startMixer() error { + srv, err := env.NewMixerServer(9091, false) + if err != nil { + return err + } + srv.Start() + + go func() { + for { + r := srv.GetReport() + fmt.Println("MixerReport: ", r) + } + }() + + return nil +} + +func startEnvoy() error { + cfg := &meshconfig.ProxyConfig{ + DiscoveryAddress: "localhost:8080", + ConfigPath: util.IstioOut, + BinaryPath: util.IstioBin + "/envoy", + ServiceCluster: "test", + CustomConfigFile: util.IstioSrc + "/tools/deb/envoy_bootstrap_v2.json", + DiscoveryRefreshDelay: ptypes.DurationProto(10 * time.Second), // crash if not set + ConnectTimeout: ptypes.DurationProto(5 * time.Second), // crash if not set + DrainDuration: ptypes.DurationProto(30 * time.Second), // crash if 0 + + } + cfgF, err := agent.WriteBootstrap(cfg, "sidecar~127.0.0.2~a~a", 1, []string{}, nil, os.Environ()) + if err != nil { + return err + } + stop := make(chan error) + envoyLog, err := os.Create(util.IstioOut + "/envoy_hyperistio_sidecar.log") + if err != nil { + envoyLog = os.Stderr + } + agent.RunProxy(cfg, "node", 1, cfgF, stop, envoyLog, envoyLog, []string{ + "--disable-hot-restart", // "-l", "trace", + }) + + return nil +} + +// startPilot with defaults: +// - http port 15007 +// - grpc on 15010 +// - grpcs in 15011 - certs from 
PILOT_CERT_DIR or ./tests/testdata/certs/pilot +// - mixer set to localhost:9091 (runs in-process), +//- http proxy on 15002 (so tests can be run without iptables) +//- config from $ISTIO_CONFIG dir (defaults to in-source tests/testdata/config) +func startPilot() error { + stop := make(chan struct{}) + + mcfg := model.DefaultMeshConfig() + mcfg.ProxyHttpPort = 15002 + + // Create a test pilot discovery service configured to watch the tempDir. + args := bootstrap.PilotArgs{ + Namespace: "testing", + DiscoveryOptions: envoy.DiscoveryServiceOptions{ + HTTPAddr: ":15007", + GrpcAddr: ":15010", + SecureGrpcAddr: ":15011", + EnableCaching: true, + EnableProfiling: true, + }, + + Mesh: bootstrap.MeshArgs{ + MixerAddress: "localhost:9091", + RdsRefreshDelay: ptypes.DurationProto(10 * time.Millisecond), + }, + Config: bootstrap.ConfigArgs{ + KubeConfig: util.IstioSrc + "/.circleci/config", + }, + Service: bootstrap.ServiceArgs{ + // Using the Mock service registry, which provides the hello and world services. + Registries: []string{ + string(serviceregistry.MockRegistry)}, + }, + MeshConfig: &mcfg, + } + bootstrap.PilotCertDir = util.IstioSrc + "/tests/testdata/certs/pilot" + + bootstrap.FilepathWalkInterval = 5 * time.Second + // Static testdata, should include all configs we want to test. + args.Config.FileDir = os.Getenv("ISTIO_CONFIG") + if args.Config.FileDir == "" { + args.Config.FileDir = util.IstioSrc + "/tests/testdata/config" + } + log.Println("Using mock configs: ", args.Config.FileDir) + // Create and setup the controller. + s, err := bootstrap.NewServer(args) + if err != nil { + return err + } + + // Start the server. + _, err = s.Start(stop) + if err != nil { + return err + } + return nil +} diff --git a/istio-1.0.4/tools/hyperistio/hyperistio_test.go b/istio-1.0.4/tools/hyperistio/hyperistio_test.go new file mode 100644 index 0000000..8b48244 --- /dev/null +++ b/istio-1.0.4/tools/hyperistio/hyperistio_test.go 
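Review bot: `startPilot` sets `EnableProfiling: true` unconditionally while `HTTPAddr`, `GrpcAddr` and `SecureGrpcAddr` are `":15007"`, `":15010"` and `":15011"`, which have no host part and so listen on every interface of the machine running this binary. For a tool meant for local testing, that presumably exposes the debug and profiling handlers, along with the mock config, to the local network whenever it is started outside a container. I would put profiling behind a flag next to `runEnvoy` that defaults to false, for example `profiling = flag.Bool("profiling", false, "Enable pilot profiling endpoints")`, and add a comment that the wildcard addresses are deliberate for the docker targets that publish these ports. In `startEnvoy`, a failed `os.Create` silently falls back to `os.Stderr`, and logging that error would make a wrong `util.IstioOut` visible. The `//- http proxy` lines in the doc comment need a space after `//`.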
@@ -0,0 +1,75 @@ +// Copyright 2018 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package main + +import ( + "fmt" + "net/http" + "net/http/httputil" + "net/url" + "strings" + "testing" +) + +var ( + client *http.Client +) + +func init() { + proxyURL, _ := url.Parse("http://localhost:15002") + client = &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)}} +} + +// Minimal test to check the standalone server runs with some valid config. +func TestAppend(t *testing.T) { + res, err := get(t, "http://appendh.test.istio.io/foo") + if err != nil { + return + } + if !strings.Contains(res, "Istio-Custom-Header=user-defined-value") { + t.Error("Header not found in ", res) + return + } +} + +func TestByon(t *testing.T) { + res, err := get(t, "http://mybyon.test.istio.io/foo") + if err != nil { + return + } + // The request header will be the original one, from the request, even if the + // request is sent to byon.test.istio.io + if !strings.Contains(res, "Host=mybyon.test.istio.io") { + t.Error("Header not found in ", res) + return + } + t.Log(res) +} + +// get returns the body of the request, after making basic checks on the response +func get(t *testing.T, url string) (string, error) { + res, err := client.Get("http://mybyon.test.istio.io/foo") + if err != nil { + t.Error(err) + return "", err + } + resdmp, _ := httputil.DumpResponse(res, true) + ress := string(resdmp) + if res.StatusCode != 200 { + t.Error("Invalid response 
code ", res.StatusCode) + return "", fmt.Errorf("invalid response code %d: %s", res.StatusCode, ress) + } + return ress, nil +} diff --git a/istio-1.0.4/tools/hyperistio/index.html b/istio-1.0.4/tools/hyperistio/index.html new file mode 100644 index 0000000..7b228f9 --- /dev/null +++ b/istio-1.0.4/tools/hyperistio/index.html @@ -0,0 +1,42 @@ + + + + + Istio Debug + + + + + + + \ No newline at end of file diff --git a/istio-1.0.4/tools/istio-docker.mk b/istio-1.0.4/tools/istio-docker.mk new file mode 100644 index 0000000..3cf9097 --- /dev/null +++ b/istio-1.0.4/tools/istio-docker.mk 
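Review bot: `get` ignores its `url` argument and always requests `"http://mybyon.test.istio.io/foo"`, so `TestAppend` never reaches `appendh.test.istio.io` and its header assertion runs against the wrong route. The call should be `res, err := client.Get(url)`, and the parameter is better renamed (for example `target`), because `url` shadows the imported `net/url` package inside the function. The response body is never closed, and adding `defer res.Body.Close()` after the error check fixes that. In `init`, the error from `url.Parse` is discarded, which is harmless for this constant but worth a short comment.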
@@ -0,0 +1,247 @@ +## Copyright 2018 Istio Authors +## +## Licensed under the Apache License, Version 2.0 (the "License"); +## you may not use this file except in compliance with the License. +## You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. + +.PHONY: docker + +# Docker target will build the go binaries and package the docker for local testing. +# It does not upload to a registry. +docker: build test-bins docker.all + +$(ISTIO_DOCKER) $(ISTIO_DOCKER_TAR): + mkdir -p $@ + +.SECONDEXPANSION: #allow $@ to be used in dependency list + +# static files/directories that are copied from source tree + +NODE_AGENT_TEST_FILES:=security/docker/start_app.sh \ + security/docker/app.js + + +# note that "js" and "force" are directories rather than a file +$(ISTIO_DOCKER)/js $(ISTIO_DOCKER)/force: addons/servicegraph/$$(notdir $$@) | $(ISTIO_DOCKER) + cp -r $< $(@D) + +# generated content +$(ISTIO_DOCKER)/istio_ca.crt $(ISTIO_DOCKER)/istio_ca.key: ${GEN_CERT} | ${ISTIO_DOCKER} + ${GEN_CERT} --key-size=2048 --out-cert=${ISTIO_DOCKER}/istio_ca.crt \ + --out-priv=${ISTIO_DOCKER}/istio_ca.key --organization="k8s.cluster.local" \ + --self-signed=true --ca=true +$(ISTIO_DOCKER)/node_agent.crt $(ISTIO_DOCKER)/node_agent.key: ${GEN_CERT} $(ISTIO_DOCKER)/istio_ca.crt $(ISTIO_DOCKER)/istio_ca.key + ${GEN_CERT} --key-size=2048 --out-cert=${ISTIO_DOCKER}/node_agent.crt \ + --out-priv=${ISTIO_DOCKER}/node_agent.key --organization="NodeAgent" \ + --host="nodeagent.google.com" --signer-cert=${ISTIO_DOCKER}/istio_ca.crt \ + --signer-priv=${ISTIO_DOCKER}/istio_ca.key + +# directives to copy files to docker scratch directory + +# 
tell make which files are copied form go/out +DOCKER_FILES_FROM_ISTIO_OUT:=pilot-test-client pilot-test-server \ + pilot-discovery pilot-agent sidecar-injector servicegraph mixs \ + istio_ca node_agent galley +$(foreach FILE,$(DOCKER_FILES_FROM_ISTIO_OUT), \ + $(eval $(ISTIO_DOCKER)/$(FILE): $(ISTIO_OUT)/$(FILE) | $(ISTIO_DOCKER); cp $$< $$(@D))) + +# This generates rules like: +#$(ISTIO_DOCKER)/pilot-agent: $(ISTIO_OUT)/pilot-agent | $(ISTIO_DOCKER) +# cp $$< $$(@D)) + +# tell make which files are copied from the source tree +DOCKER_FILES_FROM_SOURCE:=tools/deb/istio-iptables.sh docker/ca-certificates.tgz \ + $(NODE_AGENT_TEST_FILES) $(GRAFANA_FILES) \ + pilot/docker/certs/cert.crt pilot/docker/certs/cert.key pilot/docker/certs/cacert.pem +$(foreach FILE,$(DOCKER_FILES_FROM_SOURCE), \ + $(eval $(ISTIO_DOCKER)/$(notdir $(FILE)): $(FILE) | $(ISTIO_DOCKER); cp $(FILE) $$(@D))) + +# pilot docker imagesDOCKER_BUILD_TOP + +docker.proxy_init: $(ISTIO_DOCKER)/istio-iptables.sh +docker.sidecar_injector: $(ISTIO_DOCKER)/sidecar-injector + +docker.proxy_debug: tools/deb/envoy_bootstrap_v2.json +docker.proxy_debug: ${ISTIO_ENVOY_DEBUG_PATH} +docker.proxy_debug: $(ISTIO_OUT)/pilot-agent +docker.proxy_debug: pilot/docker/Dockerfile.proxyv2 +docker.proxy_debug: pilot/docker/envoy_pilot.yaml.tmpl +docker.proxy_debug: pilot/docker/envoy_policy.yaml.tmpl +docker.proxy_debug: pilot/docker/envoy_telemetry.yaml.tmpl + mkdir -p $(DOCKER_BUILD_TOP)/proxyd + cp ${ISTIO_ENVOY_DEBUG_PATH} $(DOCKER_BUILD_TOP)/proxyd/envoy + cp pilot/docker/*.yaml.tmpl $(DOCKER_BUILD_TOP)/proxyd/ + # Not using $^ to avoid 2 copies of envoy + cp tools/deb/envoy_bootstrap_v2.json tools/deb/istio-iptables.sh $(ISTIO_OUT)/pilot-agent pilot/docker/Dockerfile.proxyv2 $(DOCKER_BUILD_TOP)/proxyd/ + time (cd $(DOCKER_BUILD_TOP)/proxyd && \ + docker build \ + --build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} \ + --build-arg istio_version=${VERSION} \ + -t $(HUB)/proxy_debug:$(TAG) -f Dockerfile.proxyv2 .) 
+ +# The file must be named 'envoy', depends on the release. +${ISTIO_ENVOY_RELEASE_DIR}/envoy: ${ISTIO_ENVOY_RELEASE_PATH} + mkdir -p $(DOCKER_BUILD_TOP)/proxyv2 + cp ${ISTIO_ENVOY_RELEASE_PATH} ${ISTIO_ENVOY_RELEASE_DIR}/envoy + +# Default proxy image. +docker.proxyv2: tools/deb/envoy_bootstrap_v2.json +docker.proxyv2: $(ISTIO_ENVOY_RELEASE_DIR)/envoy +docker.proxyv2: $(ISTIO_OUT)/pilot-agent +docker.proxyv2: pilot/docker/Dockerfile.proxyv2 +docker.proxyv2: pilot/docker/envoy_pilot.yaml.tmpl +docker.proxyv2: pilot/docker/envoy_policy.yaml.tmpl +docker.proxyv2: tools/deb/istio-iptables.sh +docker.proxyv2: pilot/docker/envoy_telemetry.yaml.tmpl + mkdir -p $(DOCKER_BUILD_TOP)/proxyv2 + cp $^ $(DOCKER_BUILD_TOP)/proxyv2/ + time (cd $(DOCKER_BUILD_TOP)/proxyv2 && \ + docker build \ + --build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} \ + --build-arg istio_version=${VERSION} \ + -t $(HUB)/proxyv2:$(TAG) -f Dockerfile.proxyv2 .) + +# Proxy using TPROXY interception - but no core dumps +docker.proxytproxy: tools/deb/envoy_bootstrap_v2.json +docker.proxytproxy: $(ISTIO_ENVOY_RELEASE_DIR)/envoy +docker.proxytproxy: $(ISTIO_OUT)/pilot-agent +docker.proxytproxy: pilot/docker/Dockerfile.proxytproxy +docker.proxytproxy: pilot/docker/envoy_pilot.yaml.tmpl +docker.proxytproxy: pilot/docker/envoy_policy.yaml.tmpl +docker.proxytproxy: tools/deb/istio-iptables.sh +docker.proxytproxy: pilot/docker/envoy_telemetry.yaml.tmpl + mkdir -p $(DOCKER_BUILD_TOP)/proxyv2 + cp $^ $(DOCKER_BUILD_TOP)/proxyv2/ + time (cd $(DOCKER_BUILD_TOP)/proxyv2 && \ + docker build \ + --build-arg proxy_version=istio-proxy:${PROXY_REPO_SHA} \ + --build-arg istio_version=${VERSION} \ + -t $(HUB)/proxytproxy:$(TAG) -f Dockerfile.proxytproxy .) 
+ +push.proxytproxy: docker.proxytproxy + docker push $(HUB)/proxytproxy:$(TAG) + +docker.pilot: $(ISTIO_OUT)/pilot-discovery pilot/docker/certs/cacert.pem pilot/docker/Dockerfile.pilot + mkdir -p $(ISTIO_DOCKER)/pilot + cp $^ $(ISTIO_DOCKER)/pilot/ + time (cd $(ISTIO_DOCKER)/pilot && \ + docker build -t $(HUB)/pilot:$(TAG) -f Dockerfile.pilot .) + +# Test app for pilot integration +docker.app: $(ISTIO_OUT)/pilot-test-client $(ISTIO_OUT)/pilot-test-server \ + pilot/docker/certs/cert.crt pilot/docker/certs/cert.key pilot/docker/Dockerfile.app + mkdir -p $(ISTIO_DOCKER)/pilotapp + cp $^ $(ISTIO_DOCKER)/pilotapp +ifeq ($(DEBUG_IMAGE),1) + # It is extremely helpful to debug from the test app. The savings in size are not worth the + # developer pain + cp $(ISTIO_DOCKER)/pilotapp/Dockerfile.app $(ISTIO_DOCKER)/pilotapp/Dockerfile.appdbg + sed -e "s,FROM scratch,FROM $(HUB)/proxy_debug:$(TAG)," $(ISTIO_DOCKER)/pilotapp/Dockerfile.appdbg > $(ISTIO_DOCKER)/pilotapp/Dockerfile.appd +endif + time (cd $(ISTIO_DOCKER)/pilotapp && \ + docker build -t $(HUB)/app:$(TAG) -f Dockerfile.app .) + +# Test policy backend for mixer integration +docker.test_policybackend: $(ISTIO_OUT)/mixer-test-policybackend \ + mixer/docker/Dockerfile.test_policybackend + mkdir -p $(ISTIO_DOCKER)/test_policybackend + cp $^ $(ISTIO_DOCKER)/test_policybackend + time (cd $(ISTIO_DOCKER)/test_policybackend && \ + docker build -t $(HUB)/test_policybackend:$(TAG) -f Dockerfile.test_policybackend .) 
+ +PILOT_DOCKER:=docker.proxy_init docker.sidecar_injector +$(PILOT_DOCKER): pilot/docker/Dockerfile$$(suffix $$@) | $(ISTIO_DOCKER) + $(DOCKER_RULE) + +# addons docker images + +SERVICEGRAPH_DOCKER:=docker.servicegraph docker.servicegraph_debug +$(SERVICEGRAPH_DOCKER): addons/servicegraph/docker/Dockerfile$$(suffix $$@) \ + $(ISTIO_DOCKER)/servicegraph $(ISTIO_DOCKER)/js $(ISTIO_DOCKER)/force | $(ISTIO_DOCKER) + $(DOCKER_RULE) + +# mixer docker images + +MIXER_DOCKER:=docker.mixer docker.mixer_debug +$(MIXER_DOCKER): mixer/docker/Dockerfile$$(suffix $$@) \ + $(ISTIO_DOCKER)/ca-certificates.tgz $(ISTIO_DOCKER)/mixs | $(ISTIO_DOCKER) + $(DOCKER_RULE) + +# galley docker images + +GALLEY_DOCKER:=docker.galley +$(GALLEY_DOCKER): galley/docker/Dockerfile$$(suffix $$@) $(ISTIO_DOCKER)/galley | $(ISTIO_DOCKER) + $(DOCKER_RULE) + +# security docker images + +docker.citadel: $(ISTIO_DOCKER)/istio_ca $(ISTIO_DOCKER)/ca-certificates.tgz +docker.citadel-test: $(ISTIO_DOCKER)/istio_ca.crt $(ISTIO_DOCKER)/istio_ca.key +docker.node-agent: $(ISTIO_DOCKER)/node_agent +docker.node-agent-test: $(ISTIO_DOCKER)/node_agent $(ISTIO_DOCKER)/istio_ca.key \ + $(ISTIO_DOCKER)/node_agent.crt $(ISTIO_DOCKER)/node_agent.key +$(foreach FILE,$(NODE_AGENT_TEST_FILES),$(eval docker.node-agent-test: $(ISTIO_DOCKER)/$(notdir $(FILE)))) + +SECURITY_DOCKER:=docker.citadel docker.citadel-test docker.node-agent docker.node-agent-test +$(SECURITY_DOCKER): security/docker/Dockerfile$$(suffix $$@) | $(ISTIO_DOCKER) + $(DOCKER_RULE) + +DOCKER_TARGETS:=docker.pilot docker.proxy_debug docker.proxyv2 docker.app docker.test_policybackend $(PILOT_DOCKER) $(SERVICEGRAPH_DOCKER) $(MIXER_DOCKER) $(SECURITY_DOCKER) $(GALLEY_DOCKER) + +DOCKER_RULE=time (cp $< $(ISTIO_DOCKER)/ && cd $(ISTIO_DOCKER) && \ + docker build -t $(HUB)/$(subst docker.,,$@):$(TAG) -f Dockerfile$(suffix $@) .) + +# This target will package all docker images used in test and release, without re-building +# go binaries. 
It is intended for CI/CD systems where the build is done in separate job. +docker.all: $(DOCKER_TARGETS) + +# for each docker.XXX target create a tar.docker.XXX target that says how +# to make a $(ISTIO_OUT)/docker/XXX.tar.gz from the docker XXX image +# note that $(subst docker.,,$(TGT)) strips off the "docker." prefix, leaving just the XXX +$(foreach TGT,$(DOCKER_TARGETS),$(eval tar.$(TGT): $(TGT) | $(ISTIO_DOCKER_TAR) ; \ + time (docker save -o ${ISTIO_DOCKER_TAR}/$(subst docker.,,$(TGT)).tar $(HUB)/$(subst docker.,,$(TGT)):$(TAG) && \ + gzip ${ISTIO_DOCKER_TAR}/$(subst docker.,,$(TGT)).tar))) + +# create a DOCKER_TAR_TARGETS that's each of DOCKER_TARGETS with a tar. prefix +DOCKER_TAR_TARGETS:= +$(foreach TGT,$(DOCKER_TARGETS),$(eval DOCKER_TAR_TARGETS+=tar.$(TGT))) + +# this target saves a tar.gz of each docker image to ${ISTIO_OUT}/docker/ +docker.save: $(DOCKER_TAR_TARGETS) + +# for each docker.XXX target create a push.docker.XXX target that pushes +# the local docker image to another hub +# a possible optimization is to use tag.$(TGT) as a dependency to do the tag for us +$(foreach TGT,$(DOCKER_TARGETS),$(eval push.$(TGT): | $(TGT) ; \ + time (docker push $(HUB)/$(subst docker.,,$(TGT)):$(TAG)))) + +# create a DOCKER_PUSH_TARGETS that's each of DOCKER_TARGETS with a push. prefix +DOCKER_PUSH_TARGETS:= +$(foreach TGT,$(DOCKER_TARGETS),$(eval DOCKER_PUSH_TARGETS+=push.$(TGT))) + +# This target pushes each docker image to specified HUB and TAG. +# The push scripts support a comma-separated list of HUB(s) and TAG(s), +# but I'm not sure this is worth the added complexity to support. + +# Deprecated - just use docker, no need to retag. +docker.tag: docker + +# Will build and push docker images. +docker.push: $(DOCKER_PUSH_TARGETS) + +# Base image for 'debug' containers. 
+# You can run it first to use local changes (or guarantee it is built from scratch) +docker.basedebug: + docker build -t istionightly/base_debug -f docker/Dockerfile.xenial_debug docker/ + +# Job run from the nightly cron to publish an up-to-date xenial with the debug tools. +docker.push.basedebug: docker.basedebug + docker push istionightly/base_debug:latest diff --git a/istio-1.0.4/tools/license/README.md b/istio-1.0.4/tools/license/README.md new file mode 100644 index 0000000..3c4b74d --- /dev/null +++ b/istio-1.0.4/tools/license/README.md @@ -0,0 +1,11 @@ +# Istio License Generation Guide +## Usage +Note: This tool requires https://github.com/benbalter/licensee for --summary and --match_detail to work. +#### Generate complete dump of every license, suitable for including in release build/binary image: + go run get_dep_licenses.go +#### CSV format output with one package per line: + go run get_dep_licenses.go --summary +#### Detailed info about how closely each license matches official text: + go run get_dep_licenses.go --match-detail +#### Use a different branch from the current one. Will do git checkout to that branch and back to the current on completion. This can only be used from inside Istio repo: + go run get_dep_licenses.go --branch release-0.8 diff --git a/istio-1.0.4/tools/license/get_dep_licenses.go b/istio-1.0.4/tools/license/get_dep_licenses.go new file mode 100644 index 0000000..6159cac --- /dev/null +++ b/istio-1.0.4/tools/license/get_dep_licenses.go 
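Review bot: The generated `istio_ca.key` and `node_agent.key` are written straight into `$(ISTIO_DOCKER)`, which `DOCKER_RULE` then uses as the build context (`cd $(ISTIO_DOCKER) && docker build ... .`) for every pilot, mixer, galley, servicegraph and security image. Whether a given image ends up containing a key depends on Dockerfiles not shown here, but any broad `COPY` would pick them up, and `docker.citadel-test` / `docker.node-agent-test` are part of `DOCKER_TARGETS` and so are pushed by `docker.push`. I would add a comment above the `${GEN_CERT}` rules such as `# Throwaway self-signed test credentials: never reuse outside the *-test images`, and consider generating them into a subdirectory used only by the two test targets. Separately, in `docker.app` the `DEBUG_IMAGE` branch writes the rewritten Dockerfile to `Dockerfile.appd` while the build still runs with `-f Dockerfile.app`, so the debug base image is never applied.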
@@ -0,0 +1,394 @@ +// Copyright 2018 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Binary get_dep_licenses outputs aggrerate license information for all transitive Istio dependencies. +// This tool requires https://github.com/benbalter/licensee to work. +// Usage: +// 1) Generate complete dump of every license, suitable for including in release build/binary image: +// go run get_dep_licenses.go --branch release-0.8 +// 2) CSV format output with one package per line: +// go run get_dep_licenses.go --summary --branch release-0.8 +// 3) Detailed info about how closely each license matches official text: +// go run get_dep_licenses.go --match-detail --branch release-0.8 +// 4) Use a different branch from the current one. Will do git checkout to that branch and back to the current on completion. +// This can only be used from inside Istio repo: +// go run get_dep_licenses.go --branch release-0.8 --checkout +package main + +import ( + "bytes" + "flag" + "fmt" + "io/ioutil" + "log" + "os" + "os/exec" + "path/filepath" + "sort" + "strings" +) + +const ( + // maxLevelsToLicense is the maximum levels to go up to the root to find + // license in parent directories. + maxLevelsToLicense = 7 +) + +var ( + // Ignore package paths that don't start with this. + mustStartWith = []string{ + "istio.io/istio/vendor", + "vendor", + } + // After ignoring anything not in mustStartWith, further exclude anything with prefix below. 
+ skipPrefixes = []string{ + "istio.io/istio/vendor/github.com/gogo", + "vendor/golang_org", + } + // root is the root of Go src code. + root = filepath.Join(os.Getenv("GOPATH"), "src") + // istioSubdir is the subdir from src root where istio source is found. + istioSubdir = "istio.io/istio" + // istioRoot is the path we expect to find istio source under. + istioRoot = filepath.Join(root, istioSubdir) + // istioReleaseBranch is the branch to generate licenses for. + istioReleaseBranch = "" +) + +// LicenseInfo describes a license. +type LicenseInfo struct { + packageName string + path string + url string + licenseeOutput string + licenseTypeString string + licenseText string + exact bool + confidence string +} + +// LicenseInfos is a slice of LicenseInfo. +type LicenseInfos []*LicenseInfo + +// Len implements the sort.Interface interface. +func (s LicenseInfos) Len() int { + return len(s) +} + +// Less implements the sort.Interface interface. +func (s LicenseInfos) Less(i, j int) bool { + return s[i].packageName < s[j].packageName +} + +// Swap implements the sort.Interface interface. +func (s LicenseInfos) Swap(i, j int) { + s[i], s[j] = s[j], s[i] +} + +func main() { + var summary, checkout, matchDetail bool + flag.BoolVar(&summary, "summary", false, "Generate a summary report.") + flag.BoolVar(&checkout, "checkout", false, "Checkout target branch, return to current branch on completion. Can only use from inside Istio git repo.") + flag.BoolVar(&matchDetail, "match_detail", false, "Show information about match closeness for inexact matches.") + flag.StringVar(&istioReleaseBranch, "branch", "", "Istio release branch to use.") + flag.Parse() + + // Verify inputs. + if summary && matchDetail { + log.Fatal("--summary and --match_detail cannot both be set.") + } + + if istioReleaseBranch == "" { + log.Fatal("--branch must be set.") + } + + // Everything happens from istio root. 
+ if err := os.Chdir(istioRoot); err != nil { + log.Fatalf("Could not chdir to Istio root at %s", istioRoot) + } + + // Handle git checkouts if the release branch we want != current branch + var prevBranch string + if checkout { + // Save git branch to return to later. + pb, err := runBash("git", "rev-parse", "--abbrev-ref", "HEAD") + if err != nil { + log.Fatalf("Could not get current branch: %s", err) + } + prevBranch = strings.TrimSpace(string(pb)) + + // Need to switch to branch we're getting the licenses for. + _, err = runBash("git", "checkout", istioReleaseBranch) + if err != nil { + log.Fatalf("Could not git checkout %s: %s", istioReleaseBranch, err) + } + } + defer func() { + if checkout { + // Get back to original branch. + + _, err := exec.Command("git", "checkout", prevBranch).Output() + if err != nil { + log.Fatalf("Could not git checkout back to original branch %s.", prevBranch) + } + } + }() + + // List all the deps in vendor. + out, err := runBash("go", "list", "-f", `'{{ join .Deps "\n"}}'`, "./vendor/...") + if err != nil { + log.Fatal(out) + } + outv := strings.Split(string(out), "\n") + outv, skipv := filter(dedup(outv)) + sort.Strings(outv) + sort.Strings(skipv) + var missing []string + + // TODO: detect multiple licenses. + licensePath := make(map[string]string, 0) + for _, p := range outv { + lf, err := findLicenseFile(p) + if err != nil || lf == nil { + missing = append(missing, p) + continue + } + licensePath[p] = lf[0] + } + + licenseTypes := make(map[string][]string, 0) + var licenses, exact, inexact LicenseInfos + for p, lp := range licensePath { + linfo := &LicenseInfo{} + if matchDetail || summary { + // This requires the external licensee program. 
+ linfo, err = getLicenseeInfo(lp) + if err != nil { + log.Printf("licensee error: %s", err) + continue + } + } + linfo.packageName = strings.TrimPrefix(p, istioSubdir+"/vendor/") + linfo.licenseText = readFile(lp) + linfo.path = lp + linfo.url = pathToURL(lp) + licenses = append(licenses, linfo) + if linfo.exact { + licenseTypes[linfo.licenseTypeString] = append(licenseTypes[linfo.licenseTypeString], p) + exact = append(exact, linfo) + } else { + inexact = append(inexact, linfo) + } + } + + sort.Sort(licenses) + sort.Sort(exact) + sort.Sort(inexact) + + if summary { + for _, p := range missing { + fmt.Printf("%s, MISSING\n", p) + } + for _, l := range append(inexact, exact...) { + fmt.Printf("%s,%s,%s,%s\n", l.packageName, l.url, l.licenseTypeString, l.confidence) + } + return + } + + fmt.Println("===========================================================") + fmt.Println("The following packages were missing license files:") + fmt.Println("===========================================================") + for _, p := range missing { + fmt.Println(p) + } + + if matchDetail { + fmt.Println("\n\n") + fmt.Println("===========================================================") + fmt.Println("The following packages had inexact licenses:") + fmt.Println("===========================================================") + for _, l := range inexact { + fmt.Printf("Package: %s\n", l.packageName) + fmt.Printf("URL: %s\n", l.url) + fmt.Printf("Match info:\n%s\n", l.licenseeOutput) + fmt.Printf("License text:\n%s\n", l.licenseText) + fmt.Println("-----------------------------------------------------------") + } + + fmt.Println("\n\n") + fmt.Println("===========================================================") + fmt.Println("The following packages had exact licenses:") + fmt.Println("===========================================================") + for t, ps := range licenseTypes { + fmt.Printf("\nLicense type: %s\n", t) + sort.Strings(ps) + for _, p := range ps { + fmt.Printf(" %s\n", 
p) + } + } + } else { + fmt.Println("\n\n") + fmt.Println("===========================================================") + fmt.Println("Package licenses") + fmt.Println("===========================================================") + + for _, l := range append(exact, inexact...) { + fmt.Printf("Package: %s\n", l.packageName) + fmt.Printf("License URL: %s\n", l.url) + fmt.Printf("License text:\n%s\n", l.licenseText) + fmt.Println("-----------------------------------------------------------") + } + } +} + +// runBash runs a bash command. If command is successful, returns output, otherwise returns stderr output as error. +func runBash(args ...string) (string, error) { + cmd := exec.Command(args[0], args[1:]...) + var out bytes.Buffer + var stderr bytes.Buffer + cmd.Stdout = &out + cmd.Stderr = &stderr + err := cmd.Run() + if err != nil { + return "", fmt.Errorf(fmt.Sprint(err) + ": " + stderr.String()) + } + return out.String(), nil +} + +// pathToURL returns a URL to a path within Istio github code. 
+func pathToURL(path string) string { + return strings.Replace(path, istioRoot, "https://github.com/istio/istio/blob/"+istioReleaseBranch, 1) +} + +func readFile(path string) string { + b, err := ioutil.ReadFile(path) + if err != nil { + return err.Error() + } + return string(b) +} + +func getLicenseeInfo(path string) (*LicenseInfo, error) { + outb, err := exec.Command("licensee", "detect", path).Output() + if err != nil { + return nil, err + } + out := string(outb) + + licenseTypeString := getMatchingValue(out, "License:") + confidence := getMatchingValue(out, " Confidence:") + if licenseTypeString == "NOASSERTION" { + licenseTypeString, confidence = getLicenseAndConfidence(out) + } + + return &LicenseInfo{ + licenseeOutput: out, + licenseTypeString: licenseTypeString, + confidence: confidence, + exact: strings.Contains(out, "Licensee::Matchers::Exact"), + }, nil +} + +func getMatchingValue(in, match string) string { + for _, l := range strings.Split(in, "\n") { + if strings.Contains(l, match) { + return strings.TrimSpace(strings.TrimPrefix(l, match)) + } + } + return "" +} + +// For NOASSERTION license type, it means we are below the match threshold. Still grab the closest match and output +// confidence value. 
+func getLicenseAndConfidence(in string) (string, string) { + for _, l := range strings.Split(in, "\n") { + if strings.Contains(l, " similarity:") { + fs := strings.Fields(l) + return fs[0], fs[2] + } + } + return "UNKNOWN", "" +} + +func findLicenseFile(path string) ([]string, error) { + path = filepath.Join(root, path) + for i := 0; i <= maxLevelsToLicense; i++ { + outb, err := exec.Command("find", path, "-maxdepth", "1", + "-iname", "licen[sc]e*", "-o", "-iname", "copying").Output() + if err != nil { + return nil, err + } + out := string(outb) + if strings.TrimSpace(out) != "" { + return strings.Split(out, "\n"), nil + } + path = filepath.Join(path, "..") + if strings.Count(path, "/") < strings.Count(istioRoot, "/")+2 { + // go no further than the root of the package + break + } + } + return nil, nil +} + +func filter(in []string) (keep, skip []string) { + for _, s := range in { + s = cleanString(s) + //sv := strings.Split(s, "/") + + if !hasAnyPrefix(s, mustStartWith) || hasAnyPrefix(s, skipPrefixes) { + skip = append(skip, s) + continue + } + keep = append(keep, s) + } + return keep, skip +} + +func hasAnyPrefix(s string, prefixes []string) bool { + for _, p := range prefixes { + if strings.HasPrefix(s, p) { + return true + } + + } + return false +} + +func cleanString(s string) string { + s = strings.TrimSpace(s) + s = strings.TrimPrefix(s, "'") + s = strings.TrimSuffix(s, "'") + return s +} + +func dedup(s []string) []string { + return fromMap(toMap(s)) +} + +func toMap(ss []string) map[string]interface{} { + out := make(map[string]interface{}) + for _, s := range ss { + out[s] = nil + } + return out +} + +func fromMap(m map[string]interface{}) []string { + var out []string + for k := range m { + out = append(out, k) + } + return out +} diff --git a/istio-1.0.4/tools/perf_istio_rules.yaml b/istio-1.0.4/tools/perf_istio_rules.yaml new file mode 100644 index 0000000..2a7a586 --- /dev/null +++ b/istio-1.0.4/tools/perf_istio_rules.yaml 
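Review bot: When `go list` fails, `main` calls `log.Fatal(out)`, but `runBash` returns an empty string on error, so the process exits with a blank message and the stderr that `runBash` wrapped into `err` is lost; it should be `log.Fatal(err)`. In `runBash` itself, `fmt.Errorf(fmt.Sprint(err) + ": " + stderr.String())` uses command output as the format string, so any `%` in stderr is misrendered; `fmt.Errorf("%v: %s", err, stderr.String())` avoids that. Every `log.Fatal` reached after the checkout also exits without running the deferred `git checkout` back to `prevBranch`, which leaves the working tree on the release branch. Finally, the header comment documents `--match-detail` while the registered flag is `match_detail`.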
@@ -0,0 +1,30 @@
+---
+apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+ name: fortio1-redir
+spec:
+ destination:
+ name: echosrv1
+ match:
+ request:
+ headers:
+ uri:
+ prefix: /fortio1/ # prefix
+ rewrite:
+ uri: / # drop the /fortio1 prefix when talking to fortio such as /fortio1/debug -> /debug
+---
+apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+ name: fortio2-redir
+spec:
+ destination:
+ name: echosrv2
+ match:
+ request:
+ headers:
+ uri:
+ prefix: /fortio2/ # prefix
+ rewrite:
+ uri: / # drop the /fortio2 prefix when talking to fortio such as /fortio2/debug -> /debug
diff --git a/istio-1.0.4/tools/perf_k8svcs.yaml b/istio-1.0.4/tools/perf_k8svcs.yaml
new file mode 100644
index 0000000..b713deb
--- /dev/null
+++ b/istio-1.0.4/tools/perf_k8svcs.yaml
@@ -0,0 +1,85 @@
+# 2 services will get istio injected
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: echosrv1
+spec:
+ ports:
+ - port: 8080
+ name: http-echo
+ - port: 8079
+ name: grpc-ping
+ selector:
+ app: echosrv1
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: echo-svc-deployment1
+spec:
+ replicas: 1 # tells deployment to run 1 pods matching the template
+ template: # create pods using pod definition in this template
+ metadata:
+ # a unique name is generated from the deployment name
+ labels:
+ app: echosrv1
+ spec:
+ containers:
+ - name: echosrv
+ image: istio/fortio:latest_release
+ imagePullPolicy: Always # needed despite what is documented to really get latest
+ ports:
+ - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: echosrv2
+spec:
+ ports:
+ - port: 8080
+ name: http-echo
+ - port: 8079
+ name: grpc-ping
+ selector:
+ app: echosrv2
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: echo-svc-deployment2
+spec:
+ replicas: 1 # tells deployment to run 1 pods matching the template
+ template: # create pods using pod definition in this template
+ metadata:
+ # a unique name is generated from the deployment name
+ labels:
+ app: echosrv2
+ spec:
+ containers:
+ - name: echosrv
+ image: istio/fortio:latest_release
+ imagePullPolicy: Always # needed despite what is documented to really get latest
+ ports:
+ - containerPort: 8080
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: istio
+ name: istio-ingress
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /fortio1/.*
+ backend:
+ serviceName: echosrv1
+ servicePort: http-echo
+ - path: /fortio2/.*
+ backend:
+ serviceName: echosrv2
+ servicePort: http-echo
+---
diff --git a/istio-1.0.4/tools/perf_setup.svg b/istio-1.0.4/tools/perf_setup.svg
new file mode 100644
index 0000000..0e4c0ce
--- /dev/null
+++ b/istio-1.0.4/tools/perf_setup.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
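Review bot: Both Deployments run `istio/fortio:latest_release` with `imagePullPolicy: Always`, so the image under test can change between runs without any change to this manifest. To keep benchmark numbers comparable and to know exactly which build is deployed into the cluster, pin the image to a fixed version tag or a digest, e.g. `image: istio/fortio@sha256:<digest>` (placeholder). The Services also publish port 8079 (`grpc-ping`) while the pod templates declare only `containerPort: 8080`; adding `- containerPort: 8079` would keep the manifest self-describing, assuming the container does listen there.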
diff --git a/istio-1.0.4/tools/rules.yml b/istio-1.0.4/tools/rules.yml
new file mode 100644
index 0000000..509f85d
--- /dev/null
+++ b/istio-1.0.4/tools/rules.yml
@@ -0,0 +1,57 @@
+subject: namespace:ns
+revision: "2022"
+rules:
+- selector: # must be empty for preprocessing adapters
+ aspects:
+ - kind: quotas
+ params:
+ quotas:
+ - descriptorName: RequestCount
+ maxAmount: 5000
+ expiration: 1s
+ - kind: metrics
+ adapter: prometheus
+ params:
+ metrics:
+ - descriptor_name: request_count
+ # we want to increment this counter by 1 for each unique (source, target, service, method, response_code) tuple
+ value: "1"
+ labels:
+ source: source.labels["app"] | "unknown"
+ target: destination.service | "unknown"
+ service: destination.labels["app"] | "unknown"
+ method: request.path | "unknown"
+ version: destination.labels["version"] | "unknown"
+ response_code: response.code | 200
+ - descriptor_name: request_duration
+ value: response.duration | "0ms"
+ labels:
+ source: source.labels["app"] | "unknown"
+ target: destination.service | "unknown"
+ service: destination.labels["app"] | "unknown"
+ method: request.path | "unknown"
+ version: destination.labels["version"] | "unknown"
+ response_code: response.code | 200
+ - kind: access-logs
+ params:
+ logName: access_log
+ log:
+ descriptor_name: accesslog.common
+ template_expressions:
+ originIp: origin.ip
+ sourceUser: origin.user
+ timestamp: request.time
+ method: request.method
+ url: request.path
+ protocol: request.scheme
+ responseCode: response.code
+ responseSize: response.size
+ labels:
+ originIp: origin.ip
+ sourceUser: origin.user
+ timestamp: request.time
+ method: request.method
+ url: request.path
+ protocol: request.scheme
+ responseCode: response.code
+ responseSize: response.size
diff --git a/istio-1.0.4/tools/run_canonical_perf_tests.sh b/istio-1.0.4/tools/run_canonical_perf_tests.sh
new file mode 100755
index 0000000..2804871
--- /dev/null
+++ b/istio-1.0.4/tools/run_canonical_perf_tests.sh
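Review bot: In both metric descriptors the `method` label is filled from `request.path`, which makes the label name misleading and gives the Prometheus series one value per distinct URL path, a set that callers can grow without bound. The access-log section of the same file already uses `request.method`, so `method: request.method | "unknown"` looks like the intended expression. If per-path metrics are wanted, a separate label carrying a normalised path would keep the series count bounded.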
@@ -0,0 +1,51 @@ +#!/bin/bash + +DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" +source "${DIR}/setup_perf_cluster.sh" + +LABEL="${1}" +OUT_DIR="${2}" + +if [[ -z "${OUT_DIR// }" ]]; then + OUT_DIR=$(mktemp -d -t "istio_perf.XXXXXX") +fi + +DURATION="1m" + +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 100 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 400 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1000 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1200 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1600 "${DURATION}" 16 "${OUT_DIR}" + +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 100 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 400 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1000 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1200 "${DURATION}" 16 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1600 "${DURATION}" 16 "${OUT_DIR}" + +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 100 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 400 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1000 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1200 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1600 "${DURATION}" 20 "${OUT_DIR}" + +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 100 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 400 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1000 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1200 "${DURATION}" 20 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" 
"fortio1" "echo2" 1600 "${DURATION}" 20 "${OUT_DIR}" + +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 100 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 400 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1000 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1200 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio2" "echo1" 1600 "${DURATION}" 24 "${OUT_DIR}" + +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 100 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 400 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1000 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1200 "${DURATION}" 24 "${OUT_DIR}" +run_canonical_perf_test "${LABEL}" "fortio1" "echo2" 1600 "${DURATION}" 24 "${OUT_DIR}" + +python "${DIR}/convert_perf_results.py" "${OUT_DIR}" > "${OUT_DIR}/out.csv" \ No newline at end of file diff --git a/istio-1.0.4/tools/setup_perf_cluster.sh b/istio-1.0.4/tools/setup_perf_cluster.sh new file mode 100644 index 0000000..f1d70f0 --- /dev/null +++ b/istio-1.0.4/tools/setup_perf_cluster.sh 
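Review bot: The thirty `run_canonical_perf_test` calls differ only in the source/destination pair and two numeric arguments, so a typo in one line is easy to miss; three nested loops express the same matrix in the same order. The meaning of the fourth and sixth arguments is defined in `setup_perf_cluster.sh`, outside this hunk, so the loop variable names below are neutral placeholders. The script also never checks that a caller-supplied `OUT_DIR` exists before redirecting into `"${OUT_DIR}/out.csv"`; a `mkdir -p "${OUT_DIR}"` after the `mktemp` branch would cover that.

```shell
# … unchanged: DIR, source of setup_perf_cluster.sh, LABEL/OUT_DIR handling, DURATION …
for arg6 in 16 20 24; do
  for pair in "fortio2 echo1" "fortio1 echo2"; do
    read -r src dst <<<"${pair}"
    for arg4 in 100 400 1000 1200 1600; do
      run_canonical_perf_test "${LABEL}" "${src}" "${dst}" "${arg4}" "${DURATION}" "${arg6}" "${OUT_DIR}"
    done
  done
done
# … unchanged: convert_perf_results.py call …
```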
@@ -0,0 +1,539 @@
+#! /bin/bash
+#
+# Sets up a cluster for perf testing - GCP/GKE
+# tools/setup_perf_cluster.sh
+# Notes:
+# * See README.md
+# * Make sure istioctl in your path is the one matching your release/crd/...
+# * You need to update istio-auth.yaml or run from a release directory:
+# source tools/setup_perf_cluster.sh
+# setup_all
+# (inside google you may need to rerun setup_vm_firewall multiple times)
+#
+# This can be used as a script or sourced and functions called interactively
+#
+# The script must be run/sourced from the parent of the tools/ directory
+#
+
+PROJECT=${PROJECT:-$(gcloud config list --format 'value(core.project)' 2>/dev/null)}
+ZONE=${ZONE:-us-east4-b}
+CLUSTER_NAME=${CLUSTER_NAME:-istio-perf}
+MACHINE_TYPE=${MACHINE_TYPE:-n1-highcpu-2}
+NUM_NODES=${NUM_NODES:-6} # SvcA<->SvcB + Ingress + Pilot + Mixer + 1 extra (kube-system)
+VM_NAME=${VM_NAME:-fortio-vm}
+ISTIOCTL=${ISTIOCTL:-istioctl} # to override istioctl from outside of the path
+FORTIO_NAMESPACE=${FORTIO_NAMESPACE:-fortio} # Namespace for non istio app
+ISTIO_NAMESPACE=${ISTIO_NAMESPACE:-istio} # Namespace for istio injected app
+# Should not be set to true for perf measurement but to troubleshoot the setup
+DEBUG=false
+
+function Usage() {
+ echo "usage: PROJECT=project ZONE=zone $0"
+ echo "also settable are NUM_NODES, MACHINE_TYPE, CLUSTER_NAME, VM_NAME, VM_IMAGE"
+ exit 1
+}
+
+function List_functions() {
+ egrep "^function [a-z]" ${BASH_SOURCE[0]} | sed -e 's/function \([a-z_0-9]*\).*/\1/'
+}
+
+if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then
+ TOOLS_DIR=${TOOLS_DIR:-$(dirname ${BASH_SOURCE[0]})}
+ echo "Script ${BASH_SOURCE[0]} is being sourced (Tools in $TOOLS_DIR)..."
+ List_functions
+ SOURCED=1
+else
+ TOOLS_DIR=${TOOLS_DIR:-$(dirname $0)}
+ echo "$0 is Executed, (Tools in $TOOLS_DIR) (can also be sourced interactively)..."
+ echo "In case of errors, retry at the failed step (readyness checks missing)"
+ set -e
+ SOURCED=0
+ if [[ -z "${PROJECT}" ]]; then
+ Usage
+ fi
+fi
+
+function update_gcp_opts() {
+ export GCP_OPTS="--project $PROJECT --zone $ZONE"
+}
+
+function Execute() {
+ echo "### Running:" "$@" 1>&2
+ "$@"
+}
+
+function ExecuteEval() {
+ echo "### Running:" "$@" 1>&2
+ eval "$@"
+}
+
+
+function create_cluster() {
+ Execute gcloud container clusters create $CLUSTER_NAME $GCP_OPTS --machine-type=$MACHINE_TYPE --num-nodes=$NUM_NODES --no-enable-legacy-authorization
+}
+
+function delete_cluster() {
+ echo "Deleting CLUSTER_NAME=$CLUSTER_NAME"
+ Execute gcloud container clusters delete $CLUSTER_NAME $GCP_OPTS -q
+}
+
+function create_vm() {
+ echo "Obtaining latest ubuntu xenial image name... (takes a few seconds)..."
+ VM_IMAGE=${VM_IMAGE:-$(gcloud compute images list --standard-images --filter=name~ubuntu-1604-xenial --limit=1 --uri)}
+ echo "Creating VM_NAME=$VM_NAME using VM_IMAGE=$VM_IMAGE"
+ Execute gcloud compute instances create $VM_NAME $GCP_OPTS --machine-type $MACHINE_TYPE --image $VM_IMAGE
+ echo "Waiting a bit for the VM to come up..."
+ #TODO: 'wait for vm to be ready'
+ sleep 45
+}
+
+function delete_vm() {
+ echo "Deleting VM_NAME=$VM_NAME"
+ Execute gcloud compute instances delete $VM_NAME $GCP_OPTS -q
+}
+
+function run_on_vm() {
+ echo "*** Remote run: \"$1\"" 1>&2
+ Execute gcloud compute ssh $VM_NAME $GCP_OPTS --command "$1"
+}
+
+function setup_vm() {
+ Execute gcloud compute instances add-tags $VM_NAME $GCP_OPTS --tags https-server
+ run_on_vm '(sudo add-apt-repository ppa:gophers/archive > /dev/null && sudo apt-get update > /dev/null && sudo apt-get upgrade --no-install-recommends -y && sudo apt-get install --no-install-recommends -y golang-1.10-go make && mv .bashrc .bashrc.orig && (echo "export PATH=/usr/lib/go-1.10/bin:\$PATH:~/go/bin"; cat .bashrc.orig) > ~/.bashrc ) < /dev/null'
+}
+
+function setup_vm_firewall() {
+ Execute gcloud compute --project=$PROJECT firewall-rules create default-allow-https --network=default --action=ALLOW --rules=tcp:443 --source-ranges=0.0.0.0/0 --target-tags=https-server || true
+}
+
+function delete_vm_firewall() {
+ Execute gcloud compute --project=$PROJECT firewall-rules delete default-allow-https -q
+}
+
+function update_fortio_on_vm() {
+ run_on_vm 'go get istio.io/fortio && cd go/src/istio.io/fortio && git fetch --tags && git checkout latest_release && make submodule-sync && go build -o ~/go/bin/fortio -ldflags "-X istio.io/fortio/version.tag=$(git describe --tag --match v\*) -X istio.io/fortio/version.buildInfo=$(git rev-parse HEAD)" . && sudo setcap 'cap_net_bind_service=+ep' `which fortio` && fortio version'
+}
+
+function run_fortio_on_vm() {
+ run_on_vm 'pkill fortio; nohup fortio server -http-port 443 > ~/fortio.log 2>&1 &'
+}
+
+function get_vm_ip() {
+ VM_IP=$(gcloud compute instances describe $VM_NAME $GCP_OPTS |grep natIP|awk -F": " '{print $2}')
+ VM_URL="http://$VM_IP:443/fortio/"
+ echo "+++ VM Ip is $VM_IP - visit (http on port 443 is not a typo:) $VM_URL"
+}
+
+# assumes run from istio/ (or release) directory
+function install_istio() {
+ # You need these permissions to create the necessary RBAC rules for Istio
+ Execute sh -c 'kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user="$(gcloud config get-value core/account)"'
+ # Use the non debug ingress and remove the -v "2"
+ Execute sh -c 'sed -e "s/_debug//g" install/kubernetes/istio-auth.yaml | egrep -v -e "- (-v|\"2\")" | kubectl apply -f -'
+}
+
+function install_istio_addons() {
+ # Starting in 0.8, prometheus is already in istio-auth.yaml
+ # Execute sh -c 'kubectl apply -f install/kubernetes/addons/prometheus.yaml'
+ Execute sh -c 'kubectl apply -f install/kubernetes/addons/grafana.yaml'
+}
+
+# assumes run from istio/ (or release) directory
+function delete_istio() {
+ # Use the non debug ingress and remove the -v "2"
+ Execute sh -c 'kubectl delete -f install/kubernetes/istio-auth.yaml'
+}
+
+function kubectl_setup() {
+ Execute gcloud container clusters get-credentials $CLUSTER_NAME $GCP_OPTS
+}
+
+function install_non_istio_svc() {
+ Execute kubectl create namespace $FORTIO_NAMESPACE
+ Execute kubectl -n $FORTIO_NAMESPACE run fortio1 --image=istio/fortio:latest_release --port=8080
+ Execute kubectl -n $FORTIO_NAMESPACE expose deployment fortio1 --target-port=8080 --type=LoadBalancer
+ Execute kubectl -n $FORTIO_NAMESPACE run fortio2 --image=istio/fortio:latest_release --port=8080
+ Execute kubectl -n $FORTIO_NAMESPACE expose deployment fortio2 --target-port=8080
+}
+
+function install_istio_svc() {
+ Execute kubectl create namespace $ISTIO_NAMESPACE || echo "Error assumed to be ns $ISTIO_NAMESPACE already created"
+ FNAME=$TOOLS_DIR/perf_k8svcs
+ Execute sh -c "$ISTIOCTL kube-inject --debug=$DEBUG -n $ISTIO_NAMESPACE -f $FNAME.yaml > ${FNAME}_istio.yaml"
+ Execute kubectl apply -n $ISTIO_NAMESPACE -f ${FNAME}_istio.yaml
+}
+
+function install_istio_ingress_rules() {
+ FNAME=$TOOLS_DIR/perf_istio_rules.yaml
+ Execute $ISTIOCTL create -n $ISTIO_NAMESPACE -f $FNAME
+}
+
+function install_istio_cache_busting_rule() {
+ FNAME=$TOOLS_DIR/cache_buster.yaml
+ Execute $ISTIOCTL create -n $ISTIO_NAMESPACE -f $FNAME
+}
+
+function get_fortio_k8s_ip() {
+ FORTIO_K8S_IP=$(kubectl -n $FORTIO_NAMESPACE get svc -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
+ while [[ -z "${FORTIO_K8S_IP}" ]]
+ do
+ echo sleeping to get FORTIO_K8S_IP $FORTIO_K8S_IP
+ sleep 5
+ FORTIO_K8S_IP=$(kubectl -n $FORTIO_NAMESPACE get svc -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
+ done
+ echo "+++ In k8s fortio external ip: http://$FORTIO_K8S_IP:8080/fortio/"
+}
+
+function setup_istio_addons_ingress() {
+ cat <<_EOF_ | kubectl apply -n istio-system -f -
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: istio
+ name: istio-ingress
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /d/.*
+ backend:
+ serviceName: grafana
+ servicePort: http
+ - path: /public/.*
+ backend:
+ serviceName: grafana
+ servicePort: http
+ - path: /api/.*
+ backend:
+ serviceName: grafana
+ servicePort: http
+_EOF_
+}
+
+# Doesn't work somehow...
+function setup_non_istio_ingress2() {
+ cat <<_EOF_ | kubectl apply -n fortio -f -
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: fortio-ingress2
+spec:
+ rules:
+ - http:
+ paths:
+ - path: /fortio1
+ backend:
+ serviceName: fortio1
+ servicePort: 8080
+ - path: /fortio2
+ backend:
+ serviceName: fortio2
+ servicePort: 8080
+_EOF_
+}
+
+function setup_non_istio_ingress() {
+ cat <<_EOF_ | kubectl apply -n fortio -f -
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: fortio-ingress
+spec:
+ backend:
+ serviceName: fortio1
+ servicePort: 8080
+_EOF_
+}
+
+
+function get_non_istio_ingress_ip() {
+ K8S_INGRESS_IP=$(kubectl -n $FORTIO_NAMESPACE get ingress -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
+ while [[ -z "${K8S_INGRESS_IP}" ]]
+ do
+ echo sleeping to get K8S_INGRESS_IP ${K8S_INGRESS_IP}
+ sleep 5
+ K8S_INGRESS_IP=$(kubectl -n $FORTIO_NAMESPACE get ingress -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
+ done
+
+# echo "+++ In k8s non istio ingress: http://$K8S_INGRESS_IP/fortio1/fortio/ and fortio2"
+ echo "+++ In k8s non istio ingress: http://$K8S_INGRESS_IP/fortio/"
+}
+
+function get_istio_ingress_ip() {
+ ISTIO_INGRESS_IP=$(kubectl -n $ISTIO_NAMESPACE get ingress -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
+ while [[ -z "${ISTIO_INGRESS_IP}" ]]
+ do
+ echo sleeping to get ISTIO_INGRESS_IP ${ISTIO_INGRESS_IP}
+ sleep 5
+ ISTIO_INGRESS_IP=$(kubectl -n $ISTIO_NAMESPACE get ingress -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
+ done
+
+ echo "+++ In k8s istio ingress: http://$ISTIO_INGRESS_IP/fortio1/fortio/ and fortio2"
+ echo "+++ In k8s grafana: http://$ISTIO_INGRESS_IP/d/1/"
+}
+
+# Set default QPS to max qps
+if [ -z ${QPS+x} ] || [ $QPS == "" ]; then
+ echo "Setting default qps"
+ QPS=-1
+fi
+
+# Set default run duration to 30s
+if [ -z ${DUR+x} ] || [ $DUR == "" ]; then
+ DUR="30s"
+fi
+
+function get_istio_version() {
+ kubectl describe pods -n istio|grep /proxyv2:|head -1 | awk -F: '{print $3}'
+}
+
+function get_json_file_name() {
+ BASE="${1}"
+ if [[ $TS == "" ]]; then
+ TS=$(date +'%Y-%m-%d-%H-%M')
+ fi
+ if [[ $VERSION == "" ]]; then
+ VERSION=$(get_istio_version)
+ fi
+ QPSSTR="qps_${QPS}"
+ if [[ $QPSSTR == "qps_-1" ]]; then
+ QPSSTR="qps_max"
+ fi
+ LABELS="$BASE $QPSSTR $VERSION"
+ FNAME=$QPSSTR-$BASE-$VERSION-$TS
+ file_escape
+ label_escape
+ echo $FNAME
+}
+
+function file_escape() {
+ FNAME=$(echo $FNAME|sed -e "s/ /_/g")
+}
+
+function label_escape() {
+ LABELS=$(echo $LABELS|sed -e "s/ /+/g")
+}
+
+function run_fortio_test1() {
+ echo "Using default loadbalancer, no istio:"
+ Execute curl "$VM_URL?json=on&save=on&qps=$QPS&t=$DUR&c=48&load=Start&url=http://$FORTIO_K8S_IP:8080/echo"
+}
+function run_fortio_test2() {
+ echo "Using default ingress, no istio:"
+ Execute curl "$VM_URL?json=on&save=on&qps=$QPS&t=$DUR&c=48&load=Start&url=http://$K8S_INGRESS_IP/echo"
+}
+
+function run_fortio_test_istio_ingress1() {
+ get_json_file_name "ingress to s1"
+ echo "Using istio ingress to fortio1, saving to $FNAME"
+ ExecuteEval curl -s "$VM_URL?labels=$LABELS\&json=on\&save=on\&qps=$QPS\&t=$DUR\&c=48\&load=Start\&url=http://$ISTIO_INGRESS_IP/fortio1/echo" \| tee $FNAME.json \| grep ActualQPS
+}
+function run_fortio_test_istio_ingress2() {
+ get_json_file_name "ingress to s2"
+ echo "Using istio ingress to fortio2, saving to $FNAME"
+ ExecuteEval curl -s "$VM_URL?labels=$LABELS\&json=on\&save=on\&qps=$QPS\&t=$DUR\&c=48\&load=Start\&url=http://$ISTIO_INGRESS_IP/fortio2/echo" \| tee $FNAME.json \| grep ActualQPS
+}
+function run_fortio_test_istio_1_2() {
+ get_json_file_name "s1 to s2"
+ echo "Using istio f1 to f2, saving to $FNAME"
+ ExecuteEval curl -s "http://$ISTIO_INGRESS_IP/fortio1/fortio/?labels=$LABELS\&json=on\&save=on\&qps=$QPS\&t=$DUR\&c=48\&load=Start\&url=http://echosrv2:8080/echo" \| tee $FNAME.json \| grep ActualQPS
+}
+function run_fortio_test_istio_2_1() {
+ get_json_file_name "s2 to s1"
+ echo "Using istio f2 to f1, saving to $FNAME"
+ ExecuteEval curl -s "http://$ISTIO_INGRESS_IP/fortio2/fortio/?labels=$LABELS\&json=on\&save=on\&qps=$QPS\&t=$DUR\&c=48\&load=Start\&url=http://echosrv1:8080/echo" \| tee $FNAME.json \| grep ActualQPS
+}
+
+# Run canonical perf tests.
+# The following parameters can be supplied:
+# 1) Label:
+# A custom label to use. This is useful when running the same suite against two target binaries/configs.
+# Defaults to "canonical"
+# 2) Driver:
+# The load driver to use. Currently "fortio1" and "fortio2" are supported. Defaults to "fortio1".
+# 3) Target:
+# The target service for the load. Currently "echo1" and "echo2" are supported.
+# Defaults to "echo2"
+# 4) QPS:
+# The QPS to apply. Defaults to 400.
+# 5) Duration:
+# The duration of the test. Default is 5 minutes.
+# 6) Clients:
+# The number of clients to use. Defaults is 16.
+# 7) Outdir:
+# The output dir for collecting the Json results. If not specified, a temporary dir will be created.
+function run_canonical_perf_test() {
+ LABEL="${1}"
+ DRIVER="${2}"
+ TARGET="${3}"
+ QPS="${4}"
+ DURATION="${5}"
+ CLIENTS="${6}"
+ OUT_DIR="${7}"
+
+ # Set defaults
+ LABEL="${LABEL:-canonical}"
+ DRIVER="${DRIVER:-fortio1}"
+ TARGET="${TARGET:-echo2}"
+ QPS="${QPS:-400}"
+ DURATION="${DURATION:-5m}"
+ CLIENTS="${CLIENTS:-16}"
+
+ get_istio_ingress_ip
+
+ FORTIO1_URL="http://${ISTIO_INGRESS_IP}/fortio1/fortio"
+ FORTIO2_URL="http://${ISTIO_INGRESS_IP}/fortio2/fortio"
+ case "${DRIVER}" in
+ "fortio1")
+ DRIVER_URL="${FORTIO1_URL}"
+ ;;
+ "fortio2")
+ DRIVER_URL="${FORTIO2_URL}"
+ ;;
+ *)
+ echo "unknown driver: ${DRIVER}"
+ exit -1
+ ;;
+ esac
+
+ # URL encoded URLs for echo1 and echo2. These get directly embedded as parameters into the main URL to invoke
+ # the test.
+ ECHO1_URL="echosrv1:8080/echo"
+ ECHO2_URL="echosrv2:8080/echo"
+ case "${TARGET}" in
+ "echo1")
+ TARGET_URL="${ECHO1_URL}"
+ ;;
+ "echo2")
+ TARGET_URL="${ECHO2_URL}"
+ ;;
+ *)
+ echo "unknown target: ${TARGET}"
+ exit -1
+ ;;
+ esac
+
+ GRANULARITY="0.001"
+
+ LABELS="${LABEL}+${DRIVER}+${TARGET}+Q${QPS}+T${DURATION}+C${CLIENTS}"
+
+ if [[ -z "${OUT_DIR// }" ]]; then
+ OUT_DIR=$(mktemp -d -t "istio_perf.XXXXXX")
+ fi
+
+ FILE_NAME="${LABELS//\+/_}"
+ OUT_FILE="${OUT_DIR}/${FILE_NAME}.json"
+
+ echo "Running '${LABELS}' and storing results in ${OUT_FILE}"
+
+ URL="${DRIVER_URL}/?labels=${LABELS}&url=${TARGET_URL}&qps=${QPS}&t=${DURATION}&c=${CLIENTS}&r=${GRANULARITY}&json=on&save=on&load=Start"
+ #echo "URL: ${URL}"
+
+ curl -s "${URL}" -o "${OUT_FILE}"
+}
+
+function setup_vm_all() {
+ update_gcp_opts
+ create_vm
+ setup_vm
+ setup_vm_firewall
+ update_fortio_on_vm
+ run_fortio_on_vm
+}
+
+function setup_istio_all() {
+ update_gcp_opts
+ install_istio
+ install_istio_svc
+ install_istio_ingress_rules
+ install_istio_cache_busting_rule
+ install_istio_addons
+ setup_istio_addons_ingress
+}
+
+function setup_cluster_all() {
+ echo "Setting up CLUSTER_NAME=$CLUSTER_NAME for PROJECT=$PROJECT in ZONE=$ZONE, NUM_NODES=$NUM_NODES * MACHINE_TYPE=$MACHINE_TYPE"
+ create_cluster
+ kubectl_setup
+ install_non_istio_svc
+ setup_non_istio_ingress
+ setup_istio_all
+}
+
+function setup_all() {
+ setup_vm_all
+ setup_cluster_all
+}
+
+function delete_all() {
+ echo "Deleting Istio mesh, cluster $CLUSTER_NAME, Instance $VM_NAME and firewall rules for project $PROJECT in zone $ZONE"
+ echo "Interrupt now if you don't want to delete..."
+ sleep 5
+ delete_istio
+ delete_cluster
+ delete_vm
+ delete_vm_firewall
+}
+
+function get_ips() {
+ #TODO: wait for ingresses/svcs to be ready
+ get_vm_ip
+ get_fortio_k8s_ip
+ get_non_istio_ingress_ip
+ get_istio_ingress_ip
+}
+
+function run_4_tests() {
+ run_fortio_test_istio_ingress1
+ run_fortio_test_istio_ingress2
+ run_fortio_test_istio_1_2
+ run_fortio_test_istio_2_1
+}
+
+function run_tests() {
+ update_gcp_opts
+ get_ips
+ VERSION="" # reset in case it changed
+ TS="" # reset once per set
+ QPS=-1
+ run_4_tests
+ QPS=400
+ TS="" # reset once per set
+ run_4_tests
+ echo "Graph the results:"
+ fortio report &
+}
+
+
+function check_image_versions() {
+ kubectl get pods --all-namespaces -o jsonpath="{..image}" | tr -s '[[:space:]]' '\n' | sort | uniq -c | grep -v -e google.containers
+}
+
+if [[ $SOURCED == 0 ]]; then
+ # Normal mode: all at once:
+ update_gcp_opts
+ setup_all
+
+#update_fortio_on_vm
+#run_fortio_on_vm
+#setup_vm_all
+
+# test/retry one step at a time, eg.
+#install_non_istio_svc
+#setup_non_istio_ingress
+#get_non_istio_ingress_ip
+#setup_istio_all
+#install_istio_svc
+#install_istio_ingress
+#install_istio_ingress_rules
+#setup_non_istio_ingress
+#install_istio
+#setup_vm_firewall
+#get_ips
+ run_tests
+#setup_vm_firewall
+#get_ips
+#install_istio_svc
+#delete_all
+fi
diff --git a/istio-1.0.4/tools/setup_run b/istio-1.0.4/tools/setup_run
new file mode 100644
index 0000000..4b033a6
--- /dev/null
+++ b/istio-1.0.4/tools/setup_run
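Review bot: `setup_vm_firewall` creates `default-allow-https` with `--source-ranges=0.0.0.0/0`, and `run_fortio_on_vm` then starts `fortio server -http-port 443` on the tagged VM, so the plain-HTTP fortio endpoint that this script itself drives with `load=Start&url=...` is reachable from any address for as long as the VM and rule exist. Restrict the rule to the operator's own range, for example `--source-ranges="${FORTIO_SOURCE_RANGES:?set to your CIDR}"` (the variable name is only a suggestion). The trailing `|| true` presumably tolerates an already-existing rule but also hides every other failure, so check for the rule explicitly instead. Separately, `ExecuteEval` re-parses a command line built from unquoted variables (`$LABELS`, `$FNAME`, `$ISTIO_INGRESS_IP`) through `eval`; running `curl` via `Execute` and piping to `tee`/`grep` in the caller avoids the second parse.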
@@ -0,0 +1,19 @@
+# very basic local run, this is meant to be source'ed
+set -x
+ulimit -n 16384
+mkdir -p emptydir
+mkdir -p mixerconfig
+cp istio/mixer/testdata/config/* mixerconfig/
+rm mixerconfig/stackdriver.yaml
+cd istio; set +x; source bin/use_bazel_go.sh ; set -x; cd ..
+# Need to have go installed and GOPATH/bin in the path
+fortio server &
+( cd proxy/src/envoy/http/mixer; ./start_envoy > /tmp/envoy.log ) &
+./istio/bazel-bin/mixer/cmd/mixs/mixs server --configStoreURL=fs://$(pwd)/mixerconfig --configStoreURL=fs://$(pwd)/emptydir 2> /tmp/mixs.2.log > /tmp/mixs.1.log &
+echo "starting everything..."
+sleep 3
+curl -v http://localhost:9090/debug
+sleep 1
+curl -v http://localhost:42422/metrics
+set +x
+echo "you can now run: fortio load -qps 0 -c 16 http://localhost:9090/echo"
diff --git a/istio-1.0.4/tools/update_all b/istio-1.0.4/tools/update_all
new file mode 100755
index 0000000..259aa04
--- /dev/null
+++ b/istio-1.0.4/tools/update_all
@@ -0,0 +1,13 @@
+#! /bin/bash
+# update and rebuild from source
+set -e
+set -x
+cd istio
+git pull
+bazel build -c opt mixer/cmd/mixs:mixs
+cd ../proxy
+git pull
+bazel build -c opt src/envoy/mixer:envoy
+go get -u istio.io/fortio
+set +x
+echo "### All done... source istio/tools/setup_run now"
diff --git a/istio-1.0.4/tools/vagrant/Vagrantfile b/istio-1.0.4/tools/vagrant/Vagrantfile
new file mode 100644
index 0000000..7cc2397
--- /dev/null
+++ b/istio-1.0.4/tools/vagrant/Vagrantfile
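Review bot: In `setup_run` the envoy and mixs output is redirected to fixed names in `/tmp` (`/tmp/envoy.log`, `/tmp/mixs.1.log`, `/tmp/mixs.2.log`), so on a shared host another local user can pre-create those paths before the script writes to them. A per-run directory, e.g. `logdir=$(mktemp -d)` followed by `> "$logdir/envoy.log"`, removes the predictable names. `$(pwd)` is unquoted in both `--configStoreURL=fs://...` arguments, so a working directory containing whitespace splits the argument. The same flag is also passed twice on the mixs line; presumably only one value takes effect, which is worth confirming against the mixs flag handling.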
@@ -0,0 +1,23 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# Vagrantfile API/syntax version. Don't touch unless you know what you're doing!
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ # Every Vagrant virtual environment requires a box to build off of.
+ config.vm.box = "ubuntu/trusty64"
+ config.vm.network "forwarded_port", guest: 5000, host: 5000
+ config.vm.network "private_network", ip: "192.168.33.100"
+ config.vm.provider "virtualbox" do |v|
+ v.memory = 1024
+ v.cpus = 2
+ end
+ # Share the home directory for access to host source code
+ config.vm.synced_folder "../../", "/home/vagrant/golang/src/istio.io/istio", owner: "vagrant", group: "vagrant"
+
+ # Now run manual shell script for additional provisioning:
+ config.vm.provision "shell", path: "./provision-vagrant.sh"
+
+end
+
diff --git a/istio-1.0.4/tools/vagrant/provision-vagrant.sh b/istio-1.0.4/tools/vagrant/provision-vagrant.sh
new file mode 100644
index 0000000..6b9848a
--- /dev/null
+++ b/istio-1.0.4/tools/vagrant/provision-vagrant.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+set -e
+VERSION="1.9.2"
+
+# Update, get python-software-properties in order to get add-apt-repository,
+# then update (for latest git version):
+apt-get update
+apt-get install -y python-software-properties
+add-apt-repository -y ppa:git-core/ppa
+apt-get update
+apt-get install -y git
+apt-get install -y make
+apt-get install -y docker
+# Vim & Curl:
+apt-get install -y vim curl
+
+# Install golang
+shell_profile="bashrc"
+DFILE="go$VERSION.linux-amd64.tar.gz"
+HOME="/home/vagrant"
+echo "Downloading $DFILE ..."
+wget https://dl.google.com/go/$DFILE -O /tmp/go.tar.gz
+
+if [ $? -ne 0 ]; then
+ echo "Download failed! Exiting."
+ exit 1
+fi
+
+echo "Extracting File..."
+tar -C "$HOME" -xzf /tmp/go.tar.gz
+mv "$HOME/go" "$HOME/.go"
+
+touch "$HOME/.${shell_profile}"
+{
+ echo '# GoLang'
+ echo 'export GOROOT=$HOME/.go'
+ echo 'export PATH=$PATH:$GOROOT/bin'
+ echo 'export GOPATH=$HOME/golang'
+ echo 'export PATH=$PATH:$GOPATH/bin'
+} >> "$HOME/.${shell_profile}"
+
+mkdir -p $HOME/golang/{src,pkg,bin}
+mkdir -p $HOME/golang/src/istio.io
+
+chown -R vagrant:vagrant /home/vagrant/golang
+echo -e "\nGo $VERSION was installed.\nMake sure to relogin into your shell or run:"
+echo -e "\n\tsource $HOME/.${shell_profile}\n\nto update your environment variables."
+rm -f /tmp/go.tar.gz
+
+# install minikube
+export K8S_VER=v1.7.4
+export MASTER_IP=127.0.0.1
+export MASTER_CLUSTER_IP=10.99.0.1
+mkdir -p /tmp/apiserver && \
+cd /tmp/apiserver && \
+wget https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kube-apiserver && \
+chmod +x /tmp/apiserver/kube-apiserver
+
+cd /tmp && \
+curl -L -O https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz && \
+tar xzf easy-rsa.tar.gz && \
+cd easy-rsa-master/easyrsa3 && \
+./easyrsa init-pki && \
+./easyrsa --batch "--req-cn=${MASTER_IP}@`date +%s`" build-ca nopass && \
+./easyrsa --subject-alt-name="IP:${MASTER_IP},""IP:${MASTER_CLUSTER_IP},""DNS:kubernetes,""DNS:kubernetes.default,""DNS:kubernetes.default.svc,""DNS:kubernetes.default.svc.cluster,""DNS:kubernetes.default.svc.cluster.local" --days=10000 build-server-full server nopass && \
+cp /tmp/easy-rsa-master/easyrsa3/pki/ca.crt /tmp/apiserver/ca.crt && \
+cp /tmp/easy-rsa-master/easyrsa3/pki/issued/server.crt /tmp/apiserver/server.crt && \
+cp /tmp/easy-rsa-master/easyrsa3/pki/private/server.key /tmp/apiserver/server.key && \
+cd /tmp && \
+rm -rf /tmp/easy-rsa-master/
+
+# Include minikube and kubectl in the image
+curl -Lo /tmp/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.7.4/bin/linux/amd64/kubectl && \
+chmod +x /tmp/kubectl && sudo mv /tmp/kubectl /usr/local/bin/
+
+curl -Lo /tmp/minikube https://storage.googleapis.com/minikube/releases/v0.22.3/minikube-linux-amd64 &&\
+chmod +x /tmp/minikube && sudo mv /tmp/minikube /usr/local/bin/
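Review bot: Every artifact this provisioner installs with root privileges (the Go tarball, `kube-apiserver`, `kubectl`, `minikube`, and the unversioned `easy-rsa.tar.gz` that is unpacked and executed) is downloaded with no integrity check, and the `curl -L` calls lack `--fail`, so an HTTP error page can be saved and installed in place of the binary. Pin a digest per artifact and verify it before use, e.g. `echo "${GO_SHA256}  /tmp/go.tar.gz" | sha256sum -c -` with the value taken from the publisher (`GO_SHA256` is a placeholder), and switch the curl calls to `curl -fsSLo`. The `if [ $? -ne 0 ]` block after `wget` cannot run under `set -e`, because a failed `wget` already ends the script. The generated `server.key` is left in `/tmp/apiserver`; a root-owned directory with mode 0600 on the key would be a safer home for it.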