Commit cd9c94e6 authored by dzmitry_paulouski's avatar dzmitry_paulouski

New version of Istio and small fix

parent 87d196ea
Pipeline #71084 passed with stages
in 51 seconds
......@@ -22,7 +22,7 @@ spec:
value:
name: envoy.lua.basic-auth-for-airflow
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function starts_with(str, start)
return str:sub(1, #start) == start
......
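Review bot: Only the `@type` URL moves to `envoy.extensions.filters.http.lua.v3.Lua` here; the `applyTo`/`match` part of each patch lies outside the hunk and is not shown. If that part still refers to pre-v3 filter names, the newer proxy may not apply the patch at all, and for `envoy.lua.basic-auth-for-airflow` and `envoy.lua.remove-user-appid-header` that would mean requests pass without the check, or with a client-supplied `x-user-id` left intact. It is worth confirming after the upgrade, for example with `istioctl proxy-config listeners` or a config dump, that every Lua filter is present in the listener chain. The same applies to the `user-from-msft-aad-token` and `user-from-msftonline-token` hunks, and the Lua bodies continue outside all four hunks.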
......@@ -19,7 +19,7 @@ spec:
value:
name: envoy.lua.remove-user-appid-header
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():remove("x-user-id")
......@@ -47,7 +47,7 @@ spec:
value:
name: envoy.lua.user-from-msft-aad-token
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
msft_issuer = "https://sts.windows.net/{{ .Values.global.azure.tenant }}/"
function envoy_on_request(request_handle)
......@@ -87,7 +87,7 @@ spec:
value:
name: envoy.lua.user-from-msftonline-token
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
"@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
inlineCode: |
msft_issuer = "https://login.microsoftonline.com/{{ .Values.global.azure.tenant }}/v2.0"
function envoy_on_request(request_handle)
......
......@@ -27,48 +27,50 @@ metadata:
name: istio-operator
---
{{- if eq (.Values.global.isDataPartitionDeployment | default false) false}}
apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: istiooperators.install.istio.io
labels:
release: istio
spec:
conversion:
strategy: None
group: install.istio.io
names:
kind: IstioOperator
listKind: IstioOperatorList
plural: istiooperators
singular: istiooperator
shortNames:
- iop
- io
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
spec:
description: 'Specification of the desired state of the istio control plane resource.
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
status:
description: 'Status describes each of istio control plane component status at the current time.
0 means NONE, 1 means UPDATING, 2 means HEALTHY, 3 means ERROR, 4 means RECONCILING.
More info: https://github.com/istio/api/blob/master/operator/v1alpha1/istio.operator.v1alpha1.pb.html &
https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
type: object
versions:
- name: v1alpha1
- additionalPrinterColumns:
- description: Istio control plane revision
jsonPath: .spec.revision
name: Revision
type: string
- description: IOP current state
jsonPath: .status.status
name: Status
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
jsonPath: .metadata.creationTimestamp
name: Age
type: date
subresources:
status: {}
name: v1alpha1
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
served: true
storage: true
---
......@@ -104,12 +106,6 @@ rules:
- '*'
verbs:
- '*'
- apiGroups:
- rbac.istio.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- security.istio.io
resources:
......@@ -138,9 +134,7 @@ rules:
- daemonsets
- deployments
- deployments/finalizers
- ingresses
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
......@@ -156,6 +150,7 @@ rules:
verbs:
- get
- create
- update
- apiGroups:
- policy
resources:
......@@ -171,6 +166,14 @@ rules:
- rolebindings
verbs:
- '*'
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- create
- update
- apiGroups:
- ""
resources:
......@@ -179,6 +182,7 @@ rules:
- events
- namespaces
- pods
- pods/proxy
- persistentvolumeclaims
- secrets
- services
......@@ -211,6 +215,7 @@ spec:
- name: http-metrics
port: 8383
targetPort: 8383
protocol: TCP
selector:
name: istio-operator
---
......@@ -232,10 +237,20 @@ spec:
serviceAccountName: istio-operator
containers:
- name: istio-operator
image: docker.io/istio/operator:1.6.7
image: docker.io/istio/operator:1.11.3
command:
- operator
- server
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1337
runAsUser: 1337
runAsNonRoot: true
imagePullPolicy: IfNotPresent
resources:
limits:
......@@ -246,12 +261,16 @@ spec:
memory: 128Mi
env:
- name: WATCH_NAMESPACE
value: istio-system
value: "istio-system"
- name: LEADER_ELECTION_NAMESPACE
value: istio-operator
value: "istio-operator"
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: istio-operator
value: "istio-operator"
- name: WAIT_FOR_RESOURCES_TIMEOUT
value: "300s"
- name: REVISION
value: ""
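Review bot: The `pods/proxy` entry added to the core-group rule (between `pods` and `persistentvolumeclaims`) widens what the operator's service account can reach, and that rule's `verbs` list lies outside the hunk. The same rule already lists `secrets`, and neighbouring rules use `- '*'`; if this one does too, the account can proxy HTTP requests to pods through the API server. If the entry only mirrors the upstream operator manifest for this version, a comment above it such as `# pods/proxy: needed by operator 1.11.x, taken from the upstream manifest` would record that; otherwise narrow it to the verbs the operator needs. Separately, `image: docker.io/istio/operator:1.11.3` is a mutable tag combined with `imagePullPolicy: IfNotPresent`; pinning it as `docker.io/istio/operator:1.11.3@sha256:<digest>` (placeholder digest) would fix which binary runs with these permissions.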
......@@ -187,7 +187,7 @@ resource "azurerm_key_vault_certificate" "istio_ssl_certificate" {
]
subject_alternative_names {
dns_names = [var.dns_name, "${local.base_name}-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"]
dns_names = [var.dns_name, "${local.base_name}-istio-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"]
}
subject = "CN=*.contoso.com"
......
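Review bot: The new SAN `"${local.base_name}-istio-gw.${azurerm_resource_group.main.location}.cloudapp.azure.com"` is rebuilt by string interpolation, so it only matches the gateway if the public IP's DNS label, defined outside this hunk, was renamed to `-istio-gw` as well; otherwise clients reaching the cloudapp FQDN get a certificate name mismatch. Deriving the name from the resource itself, e.g. `azurerm_public_ip.<gateway_ip>.fqdn` (placeholder resource name), would keep the two in step. The context line `subject = "CN=*.contoso.com"` is a hard-coded wildcard for a sample domain and deserves a comment or a variable. The resource block starts and ends outside the hunk.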
......@@ -426,7 +426,7 @@ variable "istio_int_load_balancer_ip" {
}
variable "aks_dns_host" {
description = "A DNS name whis will use for APPGW backend http setting"
description = "A DNS name which will be used for APPGW backend http setting"
type = string
default = ""
}