diff --git a/kustomize/api-service/base/config-map.yaml b/kustomize/api-service/base/config-map.yaml new file mode 100644 index 0000000..1114392 --- /dev/null +++ b/kustomize/api-service/base/config-map.yaml @@ -0,0 +1,25 @@ +# The configuration for the ML pipelines APIServer +# Based on https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/config/config.json +apiVersion: v1 +data: + # apiserver assumes the config is named config.json + config.json: | + { + "DBConfig": { + "DriverName": "mysql", + "DataSourceName": "", + "DBName": "mlpipeline" + }, + "ObjectStoreConfig":{ + "AccessKey": "minio", + "SecretAccessKey": "minio123", + "BucketName": "mlpipeline" + }, + "InitConnectionTimeout": "6m", + "DefaultPipelineRunnerServiceAccount": "pipeline-runner", + "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_HOST": "ml-pipeline-ml-pipeline-visualizationserver", + "ML_PIPELINE_VISUALIZATIONSERVER_SERVICE_PORT": 8888 + } +kind: ConfigMap +metadata: + name: ml-pipeline-config diff --git a/kustomize/api-service/base/deployment.yaml b/kustomize/api-service/base/deployment.yaml new file mode 100644 index 0000000..424e79b --- /dev/null +++ b/kustomize/api-service/base/deployment.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline +spec: + template: + spec: + containers: + - name: ml-pipeline-api-server + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/ml-pipeline/api-server + imagePullPolicy: IfNotPresent + command: + - apiserver + - --config=/etc/ml-pipeline-config + - --sampleconfig=/config/sample_config.json + - -logtostderr=true + ports: + - containerPort: 8888 + - containerPort: 8887 + volumeMounts: + - name: config-volume + mountPath: /etc/ml-pipeline-config + serviceAccountName: ml-pipeline + volumes: + - name: config-volume + configMap: + name: ml-pipeline-config diff --git a/kustomize/api-service/base/kustomization.yaml b/kustomize/api-service/base/kustomization.yaml new file mode 100644 index 0000000..f1a53ab --- /dev/null +++ b/kustomize/api-service/base/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + app: ml-pipeline +resources: +- config-map.yaml +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +- service.yaml +images: +- name: gcr.io/ml-pipeline/api-server + newTag: 0.1.31 + newName: gcr.io/ml-pipeline/api-server diff --git a/kustomize/api-service/base/role-binding.yaml b/kustomize/api-service/base/role-binding.yaml new file mode 100644 index 0000000..2185bbd --- /dev/null +++ b/kustomize/api-service/base/role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: ml-pipeline +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ml-pipeline +subjects: +- kind: ServiceAccount + name: ml-pipeline diff --git a/kustomize/api-service/base/role.yaml b/kustomize/api-service/base/role.yaml new file mode 100644 index 0000000..0c4a0b6 --- /dev/null +++ b/kustomize/api-service/base/role.yaml @@ -0,0 +1,28 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: ml-pipeline +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - create + - get + - list + - update + - patch + - delete diff --git a/kustomize/api-service/base/service-account.yaml b/kustomize/api-service/base/service-account.yaml new file mode 100644 index 0000000..95ff314 --- /dev/null +++ b/kustomize/api-service/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline diff --git a/kustomize/api-service/base/service.yaml b/kustomize/api-service/base/service.yaml new file mode 100644 index 0000000..c708e13 --- /dev/null +++ b/kustomize/api-service/base/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: ml-pipeline +spec: + ports: + - name: http + port: 8888 + protocol: TCP + targetPort: 8888 + - name: grpc + port: 8887 + protocol: TCP + targetPort: 8887 diff --git a/kustomize/api-service/kustomization.yaml b/kustomize/api-service/kustomization.yaml new file mode 100644 index 0000000..a631683 --- /dev/null +++ b/kustomize/api-service/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: api-service + app.kubernetes.io/instance: api-service-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: api-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/api-service/overlays/application/application.yaml b/kustomize/api-service/overlays/application/application.yaml new file mode 100644 index 0000000..8ebe417 --- /dev/null +++ b/kustomize/api-service/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: api-service +spec: + selector: + matchLabels: + app.kubernetes.io/name: api-service + app.kubernetes.io/instance: api-service-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: api-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: api-service + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - api-service + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/api-service/overlays/application/kustomization.yaml b/kustomize/api-service/overlays/application/kustomization.yaml new file mode 100644 index 0000000..2ec4590 --- /dev/null +++ b/kustomize/api-service/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: api-service + app.kubernetes.io/instance: api-service-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: api-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/application-crds/base/crd.yaml b/kustomize/application-crds/base/crd.yaml new file mode 100644 index 0000000..133342c --- /dev/null +++ b/kustomize/application-crds/base/crd.yaml @@ -0,0 +1,239 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: applications.app.k8s.io +spec: + group: app.k8s.io + names: + kind: Application + plural: applications + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + addOwnerRef: + type: boolean + assemblyPhase: + type: string + componentKinds: + items: + type: object + type: array + descriptor: + properties: + description: + type: string + icons: + items: + properties: + size: + type: string + src: + type: string + type: + type: string + required: + - src + type: object + type: array + keywords: + items: + type: string + type: array + links: + items: + properties: + description: + type: string + url: + type: string + type: object + type: array + maintainers: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + notes: + type: string + owners: + items: + properties: + email: + type: string + name: + type: string + url: + type: string + type: object + type: array + type: + type: string + version: + type: string + type: object + info: + items: + properties: + name: + type: string + type: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + ingressRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + host: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + secretKeyRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + key: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + resourceVersion: + type: string + uid: + type: string + type: object + serviceRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + path: + type: string + port: + format: int32 + type: integer + resourceVersion: + type: string + uid: + type: string + type: object + type: + type: string + type: object + type: object + type: array + selector: + type: object + type: object + status: + properties: + components: + items: + properties: + group: + type: string + kind: + type: string + link: + type: string + name: + type: string + status: + type: string + type: object + type: array + conditions: + items: + properties: + lastTransitionTime: + format: date-time + type: string + lastUpdateTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - type + - status + type: object + type: array + observedGeneration: + format: int64 + type: integer + type: object + version: v1beta1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kustomize/application-crds/base/kustomization.yaml b/kustomize/application-crds/base/kustomization.yaml new file mode 100644 index 0000000..6e120e7 --- /dev/null +++ b/kustomize/application-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kustomize/application-crds/kustomization.yaml b/kustomize/application-crds/kustomization.yaml new file mode 100644 index 0000000..4e745bd --- /dev/null +++ b/kustomize/application-crds/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: kubeflow diff --git a/kustomize/application/base/cluster-role-binding.yaml b/kustomize/application/base/cluster-role-binding.yaml new file mode 100644 index 0000000..f7fe51d --- /dev/null +++ b/kustomize/application/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-role +subjects: +- kind: ServiceAccount + name: service-account diff --git a/kustomize/application/base/cluster-role.yaml b/kustomize/application/base/cluster-role.yaml new file mode 100644 index 0000000..169fc3b --- /dev/null +++ b/kustomize/application/base/cluster-role.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - update + - patch + - watch +- apiGroups: + - app.k8s.io + resources: + - '*' + verbs: + - '*' diff --git a/kustomize/application/base/kustomization.yaml b/kustomize/application/base/kustomization.yaml new file mode 100644 index 0000000..dcc6709 --- /dev/null +++ b/kustomize/application/base/kustomization.yaml @@ -0,0 +1,29 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role.yaml +- cluster-role-binding.yaml +- service-account.yaml +- service.yaml +- stateful-set.yaml +namespace: kubeflow +nameprefix: application-controller- +configMapGenerator: +- name: parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +images: +- name: gcr.io/kubeflow-images-public/kubernetes-sigs/application + newName: gcr.io/kubeflow-images-public/kubernetes-sigs/application + newTag: 1.0-beta +vars: +- name: project + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.project +configurations: +- params.yaml diff --git a/kustomize/application/base/params.env b/kustomize/application/base/params.env new file mode 100644 index 0000000..8a76300 --- /dev/null +++ b/kustomize/application/base/params.env @@ -0,0 +1 @@ +project= diff --git a/kustomize/application/base/params.yaml b/kustomize/application/base/params.yaml new file mode 100644 index 0000000..e544ce9 --- /dev/null +++ b/kustomize/application/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/template/spec/containers/image + kind: StatefulSet diff --git a/kustomize/application/base/service-account.yaml b/kustomize/application/base/service-account.yaml new file mode 100644 index 0000000..a36cbd8 --- /dev/null +++ b/kustomize/application/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-account diff --git a/kustomize/application/base/service.yaml b/kustomize/application/base/service.yaml new file mode 100644 index 0000000..c7368f9 --- /dev/null +++ b/kustomize/application/base/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: service +spec: + ports: + - port: 443 diff --git a/kustomize/application/base/stateful-set.yaml b/kustomize/application/base/stateful-set.yaml new file mode 100644 index 0000000..6c1d74c --- /dev/null +++ b/kustomize/application/base/stateful-set.yaml @@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: stateful-set +spec: + serviceName: service + selector: + matchLabels: + app: application-controller + template: + metadata: + labels: + app: application-controller + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: manager + command: + - /root/manager + image: gcr.io/kubeflow-images-public/kubernetes-sigs/application + imagePullPolicy: Always + env: + - name: project + value: $(project) + serviceAccountName: service-account + volumeClaimTemplates: [] diff --git a/kustomize/application/kustomization.yaml b/kustomize/application/kustomization.yaml new file mode 100644 index 0000000..ae83a69 --- /dev/null +++ b/kustomize/application/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: kubeflow + app.kubernetes.io/instance: kubeflow-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: kubeflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/application/overlays/application/application.yaml b/kustomize/application/overlays/application/application.yaml new file mode 100644 index 0000000..8824962 --- /dev/null +++ b/kustomize/application/overlays/application/application.yaml @@ -0,0 +1,34 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: kubeflow +spec: + selector: + matchLabels: + app.kubernetes.io/name: kubeflow + app.kubernetes.io/instance: kubeflow-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kubeflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: app.k8s.io + kind: Application + descriptor: + type: kubeflow + version: v1beta1 + description: application that aggregates all kubeflow applications + maintainers: + - name: Jeremy Lewi + email: jlewi@google.com + - name: Kam Kasravi + email: kam.d.kasravi@intel.com + owners: + - name: Jeremy Lewi + email: jlewi@google.com + keywords: + - kubeflow + links: + - description: About + url: "https://kubeflow.org" + addOwnerRef: true diff --git a/kustomize/application/overlays/application/kustomization.yaml b/kustomize/application/overlays/application/kustomization.yaml new file mode 100644 index 0000000..efd2eec --- /dev/null +++ b/kustomize/application/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: kubeflow + app.kubernetes.io/instance: kubeflow-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kubeflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/application/overlays/debug/kustomization.yaml b/kustomize/application/overlays/debug/kustomization.yaml new file mode 100644 index 0000000..93fb76b --- /dev/null +++ b/kustomize/application/overlays/debug/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- stateful-set.yaml +images: +- name: gcr.io/$(project)/application-controller + newName: gcr.io/$(project)/application-controller + newTag: latest diff --git a/kustomize/application/overlays/debug/stateful-set.yaml b/kustomize/application/overlays/debug/stateful-set.yaml new file mode 100644 index 0000000..9408dee --- /dev/null +++ b/kustomize/application/overlays/debug/stateful-set.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: stateful-set +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: manager + image: gcr.io/$(project)/application-controller:latest + command: + - /go/bin/dlv + args: + - --listen=:2345 + - --headless=true + - --api-version=2 + - exec + - /go/src/github.com/kubernetes-sigs/application/manager + ports: + - containerPort: 2345 + securityContext: + privileged: true diff --git a/kustomize/argo/base/cluster-role-binding.yaml b/kustomize/argo/base/cluster-role-binding.yaml new file mode 100644 index 0000000..979873c --- /dev/null +++ b/kustomize/argo/base/cluster-role-binding.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: argo + name: argo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo +subjects: +- kind: ServiceAccount + name: argo + namespace: kubeflow +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: argo-ui + name: argo-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argo-ui +subjects: +- kind: ServiceAccount + name: argo-ui diff --git a/kustomize/argo/base/cluster-role.yaml b/kustomize/argo/base/cluster-role.yaml new file mode 100644 index 0000000..06947a1 --- /dev/null +++ b/kustomize/argo/base/cluster-role.yaml @@ -0,0 +1,79 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: argo + name: argo +rules: +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + verbs: + - get + - list + - watch + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: argo + name: argo-ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/exec + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + verbs: + - get + - list + - watch diff --git a/kustomize/argo/base/config-map.yaml b/kustomize/argo/base/config-map.yaml new file mode 100644 index 0000000..710c342 --- /dev/null +++ b/kustomize/argo/base/config-map.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: workflow-controller-configmap + namespace: kubeflow +data: + config: | + { + executorImage: $(executorImage), + containerRuntimeExecutor: $(containerRuntimeExecutor), + artifactRepository: + { + s3: { + bucket: $(artifactRepositoryBucket), + keyPrefix: $(artifactRepositoryKeyPrefix), + endpoint: $(artifactRepositoryEndpoint), + insecure: $(artifactRepositoryInsecure), + accessKeySecret: { + name: $(artifactRepositoryAccessKeySecretName), + key: $(artifactRepositoryAccessKeySecretKey) + }, + secretKeySecret: { + name: $(artifactRepositorySecretKeySecretName), + key: $(artifactRepositorySecretKeySecretKey) + } + } + } + } + diff --git a/kustomize/argo/base/crd.yaml b/kustomize/argo/base/crd.yaml new file mode 100644 index 0000000..1b978a7 --- /dev/null +++ b/kustomize/argo/base/crd.yaml @@ -0,0 +1,15 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: workflows.argoproj.io +spec: + group: argoproj.io + names: + kind: Workflow + listKind: WorkflowList + plural: workflows + shortNames: + - wf + singular: workflow + scope: Namespaced + version: v1alpha1 diff --git a/kustomize/argo/base/deployment.yaml b/kustomize/argo/base/deployment.yaml new file mode 100644 index 0000000..17ae4d6 --- /dev/null +++ b/kustomize/argo/base/deployment.yaml @@ -0,0 +1,111 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: argo-ui + name: argo-ui + namespace: kubeflow +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: argo-ui + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: argo-ui + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - env: + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: IN_CLUSTER + value: 'true' + - name: ENABLE_WEB_CONSOLE + value: 'false' + - name: BASE_HREF + value: /argo/ + image: argoproj/argoui:v2.3.0 + imagePullPolicy: IfNotPresent + name: argo-ui + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + readinessProbe: + httpGet: + path: / + port: 8001 + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: argo-ui + serviceAccountName: argo-ui + terminationGracePeriodSeconds: 30 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: workflow-controller + name: workflow-controller + namespace: kubeflow +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: workflow-controller + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + app: workflow-controller + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - args: + - --configmap + - workflow-controller-configmap + command: + - workflow-controller + env: + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: argoproj/workflow-controller:v2.3.0 + imagePullPolicy: IfNotPresent + name: workflow-controller + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: argo + serviceAccountName: argo + terminationGracePeriodSeconds: 30 diff --git a/kustomize/argo/base/kustomization.yaml b/kustomize/argo/base/kustomization.yaml new file mode 100644 index 0000000..481dad1 --- /dev/null +++ b/kustomize/argo/base/kustomization.yaml @@ -0,0 +1,111 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- config-map.yaml +- crd.yaml +- deployment.yaml +- service-account.yaml +- service.yaml +commonLabels: + kustomize.component: argo +images: +- name: argoproj/argoui + newName: argoproj/argoui + newTag: v2.3.0 +- name: argoproj/workflow-controller + newName: argoproj/workflow-controller + newTag: v2.3.0 +configMapGenerator: +- name: workflow-controller-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: executorImage + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.executorImage +- name: containerRuntimeExecutor + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.containerRuntimeExecutor +- name: artifactRepositoryBucket + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryBucket +- name: artifactRepositoryKeyPrefix + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryKeyPrefix +- name: artifactRepositoryEndpoint + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryEndpoint +- name: artifactRepositoryInsecure + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryInsecure +- name: artifactRepositoryAccessKeySecretName + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryAccessKeySecretName +- name: artifactRepositoryAccessKeySecretKey + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositoryAccessKeySecretKey +- name: artifactRepositorySecretKeySecretName + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositorySecretKeySecretName +- name: artifactRepositorySecretKeySecretKey + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.artifactRepositorySecretKeySecretKey +- name: namespace + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +- name: clusterDomain + objref: + kind: ConfigMap + name: workflow-controller-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +configurations: +- params.yaml diff --git a/kustomize/argo/base/params.env b/kustomize/argo/base/params.env new file mode 100644 index 0000000..1a0afc6 --- /dev/null +++ b/kustomize/argo/base/params.env @@ -0,0 +1,12 @@ +namespace=kubeflow +executorImage=argoproj/argoexec:v2.3.0 +containerRuntimeExecutor=docker +artifactRepositoryBucket=mlpipeline +artifactRepositoryKeyPrefix=artifacts +artifactRepositoryEndpoint=minio-service.kubeflow:9000 +artifactRepositoryInsecure=true +artifactRepositoryAccessKeySecretName=mlpipeline-minio-artifact +artifactRepositoryAccessKeySecretKey=accesskey +artifactRepositorySecretKeySecretName=mlpipeline-minio-artifact +artifactRepositorySecretKeySecretKey=secretkey +clusterDomain=cluster.local diff --git a/kustomize/argo/base/params.yaml b/kustomize/argo/base/params.yaml new file mode 100644 index 0000000..eade9a8 --- /dev/null +++ b/kustomize/argo/base/params.yaml @@ -0,0 +1,7 @@ +varReference: +- path: data/config + kind: ConfigMap +- path: data/config + kind: Deployment +- path: metadata/annotations/getambassador.io\/config + kind: Service diff --git a/kustomize/argo/base/service-account.yaml b/kustomize/argo/base/service-account.yaml new file mode 100644 index 0000000..6f463d9 --- /dev/null +++ b/kustomize/argo/base/service-account.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-ui + namespace: kubeflow diff --git a/kustomize/argo/base/service.yaml b/kustomize/argo/base/service.yaml new file mode 100644 index 0000000..ee0e0bd --- /dev/null +++ b/kustomize/argo/base/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: argo-ui-mapping + prefix: /argo/ + service: argo-ui.$(namespace) + labels: + app: argo-ui + name: argo-ui + namespace: kubeflow +spec: + ports: + - port: 80 + targetPort: 8001 + selector: + app: argo-ui + sessionAffinity: None + type: NodePort diff --git a/kustomize/argo/kustomization.yaml b/kustomize/argo/kustomization.yaml new file mode 100644 index 0000000..5856d4a --- /dev/null +++ b/kustomize/argo/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: argo + app.kubernetes.io/instance: argo-v2.3.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: argo + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v2.3.0 +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/istio/virtual-service.yaml +- overlays/application/application.yaml diff --git a/kustomize/argo/overlays/application/application.yaml b/kustomize/argo/overlays/application/application.yaml new file mode 100644 index 0000000..ca45c4a --- /dev/null +++ b/kustomize/argo/overlays/application/application.yaml @@ -0,0 +1,38 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: argo +spec: + selector: + matchLabels: + app.kubernetes.io/name: argo + app.kubernetes.io/instance: argo-v2.3.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: argo + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v2.3.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + type: argo + version: v1beta1 + description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes + maintainers: [] + owners: [] + keywords: + - argo + - kubeflow + links: + - description: About + url: https://github.com/argoproj/argo + addOwnerRef: true + diff --git a/kustomize/argo/overlays/application/kustomization.yaml b/kustomize/argo/overlays/application/kustomization.yaml new file mode 100644 index 0000000..0774d4f --- /dev/null +++ b/kustomize/argo/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: argo + app.kubernetes.io/instance: argo-v2.3.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: argo + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v2.3.0 diff --git a/kustomize/argo/overlays/istio/kustomization.yaml b/kustomize/argo/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..fcd00db --- /dev/null +++ b/kustomize/argo/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kustomize/argo/overlays/istio/params.yaml b/kustomize/argo/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/argo/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/argo/overlays/istio/virtual-service.yaml b/kustomize/argo/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..59449ed --- /dev/null +++ b/kustomize/argo/overlays/istio/virtual-service.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: argo-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /argo/ + rewrite: + uri: / + route: + - destination: + host: argo-ui.$(namespace).svc.$(clusterDomain) + port: + number: 80 diff --git a/kustomize/centraldashboard/base/clusterrole-binding.yaml b/kustomize/centraldashboard/base/clusterrole-binding.yaml new file mode 100644 index 0000000..6731c5a --- /dev/null +++ b/kustomize/centraldashboard/base/clusterrole-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: centraldashboard + name: centraldashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: centraldashboard +subjects: +- kind: ServiceAccount + name: centraldashboard + namespace: $(namespace) diff --git a/kustomize/centraldashboard/base/clusterrole.yaml b/kustomize/centraldashboard/base/clusterrole.yaml new file mode 100644 index 0000000..aa251d2 --- /dev/null +++ b/kustomize/centraldashboard/base/clusterrole.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: centraldashboard + name: centraldashboard +rules: +- apiGroups: + - "" + resources: + - events + - namespaces + - nodes + verbs: + - get + - list + - watch diff --git a/kustomize/centraldashboard/base/deployment.yaml b/kustomize/centraldashboard/base/deployment.yaml new file mode 100644 index 0000000..72769f6 --- /dev/null +++ b/kustomize/centraldashboard/base/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: centraldashboard + name: centraldashboard +spec: + replicas: 1 + selector: + matchLabels: + app: centraldashboard + template: + metadata: + labels: + app: centraldashboard + spec: + containers: + - image: gcr.io/kubeflow-images-public/centraldashboard + imagePullPolicy: IfNotPresent + name: centraldashboard + ports: + - containerPort: 8082 + protocol: TCP + env: + - name: USERID_HEADER + value: $(userid-header) + - name: USERID_PREFIX + value: $(userid-prefix) + - name: PROFILES_KFAM_SERVICE_HOST + value: profiles-kfam.kubeflow + serviceAccountName: centraldashboard diff --git a/kustomize/centraldashboard/base/kustomization.yaml b/kustomize/centraldashboard/base/kustomization.yaml new file mode 100644 index 0000000..44d1604 --- /dev/null +++ b/kustomize/centraldashboard/base/kustomization.yaml @@ -0,0 +1,53 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- clusterrole-binding.yaml +- clusterrole.yaml +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +- service.yaml +namespace: kubeflow +commonLabels: + kustomize.component: centraldashboard +images: +- name: gcr.io/kubeflow-images-public/centraldashboard + newName: gcr.io/kubeflow-images-public/centraldashboard + newTag: vmaster-g6b987df8 +configMapGenerator: +- env: params.env + name: parameters +generatorOptions: + disableNameSuffixHash: true +vars: +- fieldref: + fieldPath: metadata.namespace + name: namespace + objref: + apiVersion: v1 + kind: Service + name: centraldashboard +- fieldref: + fieldPath: data.clusterDomain + name: clusterDomain + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.userid-header + name: userid-header + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.userid-prefix + name: userid-prefix + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +configurations: +- params.yaml diff --git a/kustomize/centraldashboard/base/params.env b/kustomize/centraldashboard/base/params.env new file mode 100644 index 0000000..1eaf03b --- /dev/null +++ b/kustomize/centraldashboard/base/params.env @@ -0,0 +1,3 @@ +clusterDomain=cluster.local +userid-header=kubeflow-userid +userid-prefix= diff --git a/kustomize/centraldashboard/base/params.yaml b/kustomize/centraldashboard/base/params.yaml new file mode 100644 index 0000000..29daaa8 --- /dev/null +++ b/kustomize/centraldashboard/base/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: metadata/annotations/getambassador.io\/config + kind: Service +- path: spec/http/route/destination/host + kind: VirtualService +- path: spec/template/spec/containers/0/env/0/value + kind: Deployment +- path: spec/template/spec/containers/0/env/1/value + kind: Deployment \ No newline at end of file diff --git a/kustomize/centraldashboard/base/role-binding.yaml b/kustomize/centraldashboard/base/role-binding.yaml new file mode 100644 index 0000000..53eedc8 --- /dev/null +++ b/kustomize/centraldashboard/base/role-binding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: centraldashboard + name: centraldashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: centraldashboard +subjects: +- kind: ServiceAccount + name: centraldashboard + namespace: $(namespace) diff --git a/kustomize/centraldashboard/base/role.yaml b/kustomize/centraldashboard/base/role.yaml new file mode 100644 index 0000000..11ffd36 --- /dev/null +++ b/kustomize/centraldashboard/base/role.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app: centraldashboard + name: centraldashboard +rules: +- apiGroups: + - "" + - "app.k8s.io" + resources: + - applications + - pods + - pods/exec + - pods/log + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get diff --git a/kustomize/centraldashboard/base/service-account.yaml b/kustomize/centraldashboard/base/service-account.yaml new file mode 100644 index 0000000..b5a417a --- /dev/null +++ b/kustomize/centraldashboard/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: centraldashboard diff --git a/kustomize/centraldashboard/base/service.yaml b/kustomize/centraldashboard/base/service.yaml new file mode 100644 index 0000000..363af0c --- /dev/null +++ b/kustomize/centraldashboard/base/service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: centralui-mapping + prefix: / + rewrite: / + service: centraldashboard.$(namespace) + labels: + app: centraldashboard + name: centraldashboard +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 8082 + selector: + app: centraldashboard + sessionAffinity: None + type: ClusterIP diff --git a/kustomize/centraldashboard/kustomization.yaml b/kustomize/centraldashboard/kustomization.yaml new file mode 100644 index 0000000..07d2861 --- /dev/null +++ b/kustomize/centraldashboard/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/instance: centraldashboard-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: centraldashboard + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/istio/virtual-service.yaml +- overlays/application/application.yaml diff --git a/kustomize/centraldashboard/overlays/application/application.yaml b/kustomize/centraldashboard/overlays/application/application.yaml new file mode 100644 index 0000000..84d95de --- /dev/null +++ b/kustomize/centraldashboard/overlays/application/application.yaml @@ -0,0 +1,54 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: centraldashboard +spec: + selector: + matchLabels: + app.kubernetes.io/name: centraldashboard + app.kubernetes.io/instance: centraldashboard-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + type: centraldashboard + version: v1beta1 + description: Provides a Dashboard UI for kubeflow + maintainers: + - name: Jason Prodonovich + email: prodonjs@gmail.com + - name: Apoorv Verma + email: apverma@google.com + - name: Adhita Selvaraj + email: adhita94@gmail.com + owners: + - name: Jason Prodonovich + email: prodonjs@gmail.com + - name: Apoorv Verma + email: apverma@google.com + - name: Adhita Selvaraj + email: adhita94@gmail.com + keywords: + - centraldashboard + - kubeflow + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/centraldashboard + addOwnerRef: true + diff --git a/kustomize/centraldashboard/overlays/application/kustomization.yaml b/kustomize/centraldashboard/overlays/application/kustomization.yaml new file mode 100644 index 0000000..5ee930c --- /dev/null +++ b/kustomize/centraldashboard/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: centraldashboard + app.kubernetes.io/instance: centraldashboard-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: centraldashboard + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/centraldashboard/overlays/istio/kustomization.yaml b/kustomize/centraldashboard/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..2718e55 --- /dev/null +++ b/kustomize/centraldashboard/overlays/istio/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml + diff --git a/kustomize/centraldashboard/overlays/istio/params.yaml b/kustomize/centraldashboard/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/centraldashboard/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/centraldashboard/overlays/istio/virtual-service.yaml b/kustomize/centraldashboard/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..f302d9d --- /dev/null +++ b/kustomize/centraldashboard/overlays/istio/virtual-service.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: centraldashboard +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: / + rewrite: + uri: / + route: + - destination: + host: centraldashboard.$(namespace).svc.$(clusterDomain) + port: + number: 80 diff --git a/kustomize/cert-manager-crds/base/crd.yaml b/kustomize/cert-manager-crds/base/crd.yaml new file mode 100644 index 0000000..84bc7b0 --- /dev/null +++ b/kustomize/cert-manager-crds/base/crd.yaml @@ -0,0 +1,5344 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: challenges.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Challenge + listKind: ChallengeList + plural: challenges + singular: challenge + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Challenge is a type to represent a Challenge request with an ACME + server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + authzURL: + description: AuthzURL is the URL to the ACME Authorization resource + that this challenge is a part of. + type: string + dnsName: + description: DNSName is the identifier that this challenge is for, e.g. + example.com. + type: string + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Challenge. If the Issuer does + not exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Challenge will be marked + as failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + key: + description: Key is the ACME challenge key for this challenge + type: string + solver: + description: Solver contains the domain solving configuration that should + be used to solve this challenge resource. Only **one** of 'config' + or 'solver' may be specified, and if both are specified then no action + will be performed on the Challenge resource. + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure containing + the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure containing + the DNS configuration for Akamai DNS—Zone Record Management + API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a structure + containing the DNS configuration for DigitalOcean Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure containing + the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting RFC2136. + Required. Note: FQDN is not a valid value, only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the DNS supporting + RFC2136. Used only when ""tsigSecretSecretRef"" and ""tsigKeyName"" + are defined. Supported values are (case-insensitive): + ""HMACMD5"" (default), ""HMACSHA1"", ""HMACSHA256"" or + ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. If + ""tsigSecretSecretRef"" is defined, this field is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the TSIG + value. If ""tsigKeyName"" is defined, this field is required. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure containing + the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only this + zone in Route53 and will not do an lookup using the route53:ListHostedZonesByName + api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 provider + will assume using either the explicit credentials AccessKeyID/SecretAccessKey + or the inferred credentials from environment variables, + shared credentials file or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared credentials + file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies configuration + for a webhook DNS01 provider, including where to POST ChallengePayload + resources. + properties: + config: + description: Additional configuration that should be passed + to the webhook apiserver when challenges are processed. + This can contain arbitrary JSON data. Secret values should + not be specified in this stanza. If secret values are + needed (e.g. credentials for a DNS service), you should + use a SecretKeySelector to reference a Secret resource. + For details on the schema of this field, consult the webhook + provider implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used when + POSTing ChallengePayload resources to the webhook apiserver. + This should be the same as the GroupName specified in + the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined in + the webhook provider implementation. This will typically + be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration detailing + how to solve HTTP01 challenges within a Kubernetes cluster. Typically + this is accomplished through creating 'routes' of some description + that configure ingress controllers to direct traffic to 'solver + pods', which are responsible for responding to the ACME server's + HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver will + solve challenges by creating or modifying Ingress resources + in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating Ingress + resources to solve ACME challenges that use this challenge + solver. Only one of 'class' or 'name' may be specified. + type: string + name: + description: The name of the ingress resource that should + have ACME challenge solving routes inserted into it in + order to solve HTTP01 challenges. This is typically used + in conjunction with ingress controllers like ingress-gce, + which maintains a 1:1 mapping between external IPs and + ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure the + ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod used to + solve HTTP01 challenges. Only the 'labels' and 'annotations' + fields may be set. If labels or annotations overlap + with in-built values, the values here will override + the in-built values. + type: object + spec: + description: PodSpec defines overrides for the HTTP01 + challenge solver pod. Only the 'nodeSelector', 'affinity' + and 'tolerations' fields are supported currently. + All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node matches the corresponding + matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling + term matches all objects with implicit + weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no + objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, + associated with the corresponding + weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with + matching the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to an update), the system may or may + not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: Required. A list of node + selector terms. The terms are ORed. + items: + description: A null or empty node + selector term matches no objects. + The requirements of them are ANDed. + The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: The label key + that the selector applies + to. + type: string + operator: + description: Represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: An array of + string values. If the + operator is In or NotIn, + the values array must + be non-empty. If the operator + is Exists or DoesNotExist, + the values array must + be empty. If the operator + is Gt or Lt, the values + array must have a single + element, which will be + interpreted as an integer. + This array is replaced + during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + affinity expressions specified by this + field, but it may choose a node that violates + one or more of the expressions. The node + that is most preferred is the one with + the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a + sum by iterating through the elements + of this field and adding "weight" to the + sum if the node has pods which matches + the corresponding podAffinityTerm; the + node(s) with the highest sum are the most + preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the + same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to + schedule pods to nodes that satisfy the + anti-affinity expressions specified by + this field, but it may choose a node that + violates one or more of the expressions. + The node that is most preferred is the + one with the greatest sum of weights, + i.e. for each node that meets all of the + scheduling requirements (resource request, + requiredDuringScheduling anti-affinity + expressions, etc.), compute a sum by iterating + through the elements of this field and + adding "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with the + highest sum are the most preferred. + items: + description: The weights of all of the + matched WeightedPodAffinityTerm fields + are added per-node to find the most + preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key and + values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to a + set of values. Valid + operators are In, + NotIn, Exists and + DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, the + values array must + be non-empty. If the + operator is Exists + or DoesNotExist, the + values array must + be empty. This array + is replaced during + a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is + a map of {key,value} pairs. + A single {key,value} in + the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", + the operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be + co-located (affinity) or not + co-located (anti-affinity) with + the pods matching the labelSelector + in the specified namespaces, + where co-located is defined + as running on a node whose value + of the label with key topologyKey + matches that of any node on + which any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with + matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at + scheduling time, the pod will not be scheduled + onto the node. If the anti-affinity requirements + specified by this field cease to be met + at some point during pod execution (e.g. + due to a pod label update), the system + may or may not try to eventually evict + the pod from its node. When there are + multiple elements, the lists of nodes + corresponding to each podAffinityTerm + are intersected, i.e. all terms must be + satisfied. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this + pod should be co-located (affinity) + or not co-located (anti-affinity) with, + where co-located is defined as running + on a node whose value of the label with + key matches that of any + node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); null + or empty list means "this pod's + namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector + which must match a node''s labels for the pod + to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached + to tolerates any taint that matches the triple + using the matching operator + . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the + toleration applies to. Empty means match + all taint keys. If the key is empty, operator + must be Exists; this combination means to + match all values and all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists + and Equal. Defaults to Equal. Exists is + equivalent to wildcard for value, so that + a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration (which + must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By + default, it is not set, which means tolerate + the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the + toleration matches to. If the operator is + Exists, the value should be empty, otherwise + just a regular string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes solver + service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be used + to solve. If specified and a match is found, a dnsNames selector + will take precedence over a dnsZones selector. If multiple + solvers match with the same dnsNames value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be used + to solve. The most specific DNS zone match specified here + will take precedence over other DNS zone matches, so a solver + specifying sys.example.com will be selected over one specifying + example.com for the domain www.sys.example.com. If multiple + solvers match with the same dnsZones value, the solver with + the most matching labels in matchLabels will be selected. + If neither has more matches, the solver defined earlier in + the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the set + of certificate's that this challenge solver will apply to. + type: object + type: object + type: object + token: + description: Token is the ACME challenge token for this challenge. + type: string + type: + description: Type is the type of ACME challenge this resource represents, + e.g. "dns01" or "http01" + type: string + url: + description: URL is the URL of the ACME Challenge resource for this + challenge. This can be used to lookup details about the status of + this challenge. + type: string + wildcard: + description: Wildcard will be true if this challenge is for a wildcard + identifier, for example '*.example.com' + type: boolean + required: + - authzURL + - dnsName + - issuerRef + - key + - token + - type + - url + type: object + status: + properties: + presented: + description: Presented will be set to true if the challenge values for + this challenge are currently 'presented'. This *does not* imply the + self check is passing. Only that the values have been 'submitted' + for the appropriate challenge mechanism (i.e. the DNS01 TXT record + has been presented, or the HTTP01 configuration has been configured). + type: boolean + processing: + description: Processing is used to denote whether this challenge should + be processed or not. This field will only be set to true by the 'scheduling' + component. It will only be set to false by the 'challenges' controller, + after the challenge has reached a final state or timed out. If this + field is set to false, the challenge controller will not take any + more action. + type: boolean + reason: + description: Reason contains human readable information on why the Challenge + is in the current state. + type: string + state: + description: State contains the current 'state' of the challenge. If + not set, the state of the challenge is unknown. + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.acme.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.reason + name: Reason + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: acme.cert-manager.io + names: + kind: Order + listKind: OrderList + plural: orders + singular: order + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Order is a type to represent an Order with an ACME server + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + commonName: + description: CommonName is the common name as specified on the DER encoded + CSR. If CommonName is not specified, the first DNSName specified will + be used as the CommonName. At least one of CommonName or a DNSNames + must be set. This field must match the corresponding field on the + DER encoded CSR. + type: string + csr: + description: Certificate signing request bytes in DER encoding. This + will be used when finalizing the order. This field must be set on + the order. + format: byte + type: string + dnsNames: + description: DNSNames is a list of DNS names that should be included + as part of the Order validation process. If CommonName is not specified, + the first DNSName specified will be used as the CommonName. At least + one of CommonName or a DNSNames must be set. This field must match + the corresponding field on the DER encoded CSR. + items: + type: string + type: array + issuerRef: + description: IssuerRef references a properly configured ACME-type Issuer + which should be used to create this Order. If the Issuer does not + exist, processing will be retried. If the Issuer is not an 'ACME' + Issuer, an error will be returned and the Order will be marked as + failed. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + required: + - csr + - issuerRef + type: object + status: + properties: + authorizations: + description: Authorizations contains data returned from the ACME server + on what authoriations must be completed in order to validate the DNS + names specified on the Order. + items: + description: ACMEAuthorization contains data returned from the ACME + server on an authorization that must be completed in order validate + a DNS name on an ACME Order resource. + properties: + challenges: + description: Challenges specifies the challenge types offered + by the ACME server. One of these challenge types will be selected + when validating the DNS name and an appropriate Challenge resource + will be created to perform the ACME challenge process. + items: + description: Challenge specifies a challenge offered by the + ACME server for an Order. An appropriate Challenge resource + can be created to perform the ACME challenge process. + properties: + token: + description: Token is the token that must be presented for + this challenge. This is used to compute the 'key' that + must also be presented. + type: string + type: + description: Type is the type of challenge being offered, + e.g. http-01, dns-01 + type: string + url: + description: URL is the URL of this challenge. It can be + used to retrieve additional metadata about the Challenge + from the ACME server. + type: string + required: + - token + - type + - url + type: object + type: array + identifier: + description: Identifier is the DNS name to be validated as part + of this authorization + type: string + url: + description: URL is the URL of the Authorization that must be + completed + type: string + wildcard: + description: Wildcard will be true if this authorization is for + a wildcard DNS name. If this is true, the identifier will be + the *non-wildcard* version of the DNS name. For example, if + '*.example.com' is the DNS name being validated, this field + will be 'true' and the 'identifier' field will be 'example.com'. + type: boolean + required: + - url + type: object + type: array + certificate: + description: Certificate is a copy of the PEM encoded certificate for + this Order. This field will be populated after the order has been + successfully finalized with the ACME server, and the order has transitioned + to the 'valid' state. + format: byte + type: string + failureTime: + description: FailureTime stores the time that this order failed. This + is used to influence garbage collection and back-off. + format: date-time + type: string + finalizeURL: + description: FinalizeURL of the Order. This is used to obtain certificates + for this order once it has been completed. + type: string + reason: + description: Reason optionally provides more information about a why + the order is in the current state. + type: string + state: + description: State contains the current state of this Order resource. + States 'success' and 'expired' are 'final' + enum: + - valid + - ready + - pending + - processing + - invalid + - expired + - errored + type: string + url: + description: URL of the Order. This will initially be empty when the + resource is first created. The Order controller will populate this + field when the Order is first processed. This field will be immutable + after it is initially set. + type: string + type: object + required: + - metadata + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificaterequests.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: CertificateRequest + listKind: CertificateRequestList + plural: certificaterequests + shortNames: + - cr + - crs + singular: certificaterequest + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: CertificateRequest is a type to represent a Certificate Signing + Request + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateRequestSpec defines the desired state of CertificateRequest + properties: + csr: + description: Byte slice containing the PEM encoded CertificateSigningRequest + format: byte + type: string + duration: + description: Requested certificate default Duration + type: string + isCA: + description: IsCA will mark the resulting certificate as valid for signing. + This implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this CertificateRequest. If + the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the CertificateRequest + will be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. The group field refers to the API group + of the issuer which defaults to 'cert-manager.io' if empty. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + type: object + status: + description: CertificateStatus defines the observed state of CertificateRequest + and resulting signed certificate. + properties: + ca: + description: Byte slice containing the PEM encoded certificate authority + of the signed certificate. + format: byte + type: string + certificate: + description: Byte slice containing a PEM encoded signed certificate + resulting from the given certificate signing request. + format: byte + type: string + conditions: + items: + description: CertificateRequestCondition contains condition information + for a CertificateRequest. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + failureTime: + description: FailureTime stores the time that this CertificateRequest + failed. This is used to influence garbage collection and back-off. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.cert-manager.io +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + priority: 1 + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + priority: 1 + type: string + - JSONPath: .metadata.creationTimestamp + description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before order + across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. + name: Age + type: date + group: cert-manager.io + names: + kind: Certificate + listKind: CertificateList + plural: certificates + shortNames: + - cert + - certs + singular: certificate + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Certificate is a type to represent a Certificate from ACME + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CertificateSpec defines the desired state of Certificate. A + valid Certificate requires at least one of a CommonName, DNSName, or URISAN + to be valid. + properties: + commonName: + description: CommonName is a common name to be used on the Certificate. + The CommonName should have a length of 64 characters or fewer to avoid + generating invalid CSRs. + type: string + dnsNames: + description: DNSNames is a list of subject alt names to be used on the + Certificate. + items: + type: string + type: array + duration: + description: Certificate default Duration + type: string + ipAddresses: + description: IPAddresses is a list of IP addresses to be used on the + Certificate + items: + type: string + type: array + isCA: + description: IsCA will mark this Certificate as valid for signing. This + implies that the 'cert sign' usage is set + type: boolean + issuerRef: + description: IssuerRef is a reference to the issuer for this certificate. + If the 'kind' field is not set, or set to 'Issuer', an Issuer resource + with the given name in the same namespace as the Certificate will + be used. If the 'kind' field is set to 'ClusterIssuer', a ClusterIssuer + with the provided name will be used. The 'name' field in this stanza + is required at all times. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - name + type: object + keyAlgorithm: + description: KeyAlgorithm is the private key algorithm of the corresponding + private key for this certificate. If provided, allowed values are + either "rsa" or "ecdsa" If KeyAlgorithm is specified and KeySize is + not provided, key size of 256 will be used for "ecdsa" key algorithm + and key size of 2048 will be used for "rsa" key algorithm. + enum: + - rsa + - ecdsa + type: string + keyEncoding: + description: KeyEncoding is the private key cryptography standards (PKCS) + for this certificate's private key to be encoded in. If provided, + allowed values are "pkcs1" and "pkcs8" standing for PKCS#1 and PKCS#8, + respectively. If KeyEncoding is not specified, then PKCS#1 will be + used by default. + enum: + - pkcs1 + - pkcs8 + type: string + keySize: + description: KeySize is the key bit size of the corresponding private + key for this certificate. If provided, value must be between 2048 + and 8192 inclusive when KeyAlgorithm is empty or is set to "rsa", + and value must be one of (256, 384, 521) when KeyAlgorithm is set + to "ecdsa". + type: integer + organization: + description: Organization is the organization to be used on the Certificate + items: + type: string + type: array + renewBefore: + description: Certificate renew before expiration duration + type: string + secretName: + description: SecretName is the name of the secret resource to store + this secret in + type: string + uriSANs: + description: URISANs is a list of URI Subject Alternative Names to be + set on this Certificate. + items: + type: string + type: array + usages: + description: Usages is the set of x509 actions that are enabled for + a given key. Defaults are ('digital signature', 'key encipherment') + if empty + items: + description: 'KeyUsage specifies valid usage contexts for keys. See: + https://tools.ietf.org/html/rfc5280#section-4.2.1.3 https://tools.ietf.org/html/rfc5280#section-4.2.1.12' + enum: + - signing + - digital signature + - content commitment + - key encipherment + - key agreement + - data encipherment + - cert sign + - crl sign + - encipher only + - decipher only + - any + - server auth + - client auth + - code signing + - email protection + - s/mime + - ipsec end system + - ipsec tunnel + - ipsec user + - timestamping + - ocsp signing + - microsoft sgc + - netscape sgc + type: string + type: array + required: + - issuerRef + - secretName + type: object + status: + description: CertificateStatus defines the observed state of Certificate + properties: + conditions: + items: + description: CertificateCondition contains condition information for + an Certificate. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + lastFailureTime: + format: date-time + type: string + notAfter: + description: The expiration time of the certificate stored in the secret + named by this resource in spec.secretName. + format: date-time + type: string + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: ClusterIssuer + listKind: ClusterIssuerList + plural: clusterissuers + singular: clusterissuer + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.cert-manager.io +spec: + group: cert-manager.io + names: + kind: Issuer + listKind: IssuerList + plural: issuers + singular: issuer + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IssuerSpec is the specification of an Issuer. This includes + any configuration required for the issuer. + properties: + acme: + description: ACMEIssuer contains the specification for an ACME issuer + properties: + email: + description: Email is the email for this account + type: string + privateKeySecretRef: + description: PrivateKey is the name of a secret containing the private + key for this user account. + properties: + key: + description: The key of the secret to select from. Must be a + valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + server: + description: Server is the ACME server URL + type: string + skipTLSVerify: + description: If true, skip verifying the ACME server TLS certificate + type: boolean + solvers: + description: Solvers is a list of challenge solvers that will be + used to solve ACME challenges for the matching domains. + items: + properties: + dns01: + properties: + acmedns: + description: ACMEIssuerDNS01ProviderAcmeDNS is a structure + containing the configuration for ACME-DNS servers + properties: + accountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + host: + type: string + required: + - accountSecretRef + - host + type: object + akamai: + description: ACMEIssuerDNS01ProviderAkamai is a structure + containing the DNS configuration for Akamai DNS—Zone + Record Management API + properties: + accessTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + clientTokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + serviceConsumerDomain: + type: string + required: + - accessTokenSecretRef + - clientSecretSecretRef + - clientTokenSecretRef + - serviceConsumerDomain + type: object + azuredns: + description: ACMEIssuerDNS01ProviderAzureDNS is a structure + containing the configuration for Azure DNS + properties: + clientID: + type: string + clientSecretSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + environment: + enum: + - AzurePublicCloud + - AzureChinaCloud + - AzureGermanCloud + - AzureUSGovernmentCloud + type: string + hostedZoneName: + type: string + resourceGroupName: + type: string + subscriptionID: + type: string + tenantID: + type: string + required: + - clientID + - clientSecretSecretRef + - resourceGroupName + - subscriptionID + - tenantID + type: object + clouddns: + description: ACMEIssuerDNS01ProviderCloudDNS is a structure + containing the DNS configuration for Google Cloud DNS + properties: + project: + type: string + serviceAccountSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - project + - serviceAccountSecretRef + type: object + cloudflare: + description: ACMEIssuerDNS01ProviderCloudflare is a structure + containing the DNS configuration for Cloudflare + properties: + apiKeySecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + email: + type: string + required: + - apiKeySecretRef + - email + type: object + cnameStrategy: + description: CNAMEStrategy configures how the DNS01 provider + should handle CNAME records when found in DNS zones. + enum: + - None + - Follow + type: string + digitalocean: + description: ACMEIssuerDNS01ProviderDigitalOcean is a + structure containing the DNS configuration for DigitalOcean + Domains + properties: + tokenSecretRef: + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - tokenSecretRef + type: object + rfc2136: + description: ACMEIssuerDNS01ProviderRFC2136 is a structure + containing the configuration for RFC2136 DNS + properties: + nameserver: + description: 'The IP address of the DNS supporting + RFC2136. Required. Note: FQDN is not a valid value, + only IP.' + type: string + tsigAlgorithm: + description: 'The TSIG Algorithm configured in the + DNS supporting RFC2136. Used only when ""tsigSecretSecretRef"" + and ""tsigKeyName"" are defined. Supported values + are (case-insensitive): ""HMACMD5"" (default), ""HMACSHA1"", + ""HMACSHA256"" or ""HMACSHA512"".' + type: string + tsigKeyName: + description: The TSIG Key name configured in the DNS. + If ""tsigSecretSecretRef"" is defined, this field + is required. + type: string + tsigSecretSecretRef: + description: The name of the secret containing the + TSIG value. If ""tsigKeyName"" is defined, this + field is required. + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - nameserver + type: object + route53: + description: ACMEIssuerDNS01ProviderRoute53 is a structure + containing the Route 53 configuration for AWS + properties: + accessKeyID: + description: 'The AccessKeyID is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + type: string + hostedZoneID: + description: If set, the provider will manage only + this zone in Route53 and will not do an lookup using + the route53:ListHostedZonesByName api call. + type: string + region: + description: Always set the region when using AccessKeyID + and SecretAccessKey + type: string + role: + description: Role is a Role ARN which the Route53 + provider will assume using either the explicit credentials + AccessKeyID/SecretAccessKey or the inferred credentials + from environment variables, shared credentials file + or AWS Instance metadata + type: string + secretAccessKeySecretRef: + description: The SecretAccessKey is used for authentication. + If not set we fall-back to using env vars, shared + credentials file or AWS Instance metadata https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials + properties: + key: + description: The key of the secret to select from. + Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + required: + - name + type: object + required: + - region + type: object + webhook: + description: ACMEIssuerDNS01ProviderWebhook specifies + configuration for a webhook DNS01 provider, including + where to POST ChallengePayload resources. + properties: + config: + description: Additional configuration that should + be passed to the webhook apiserver when challenges + are processed. This can contain arbitrary JSON data. + Secret values should not be specified in this stanza. + If secret values are needed (e.g. credentials for + a DNS service), you should use a SecretKeySelector + to reference a Secret resource. For details on the + schema of this field, consult the webhook provider + implementation's documentation. + x-kubernetes-preserve-unknown-fields: true + groupName: + description: The API group name that should be used + when POSTing ChallengePayload resources to the webhook + apiserver. This should be the same as the GroupName + specified in the webhook provider implementation. + type: string + solverName: + description: The name of the solver to use, as defined + in the webhook provider implementation. This will + typically be the name of the provider, e.g. 'cloudflare'. + type: string + required: + - groupName + - solverName + type: object + type: object + http01: + description: ACMEChallengeSolverHTTP01 contains configuration + detailing how to solve HTTP01 challenges within a Kubernetes + cluster. Typically this is accomplished through creating + 'routes' of some description that configure ingress controllers + to direct traffic to 'solver pods', which are responsible + for responding to the ACME server's HTTP requests. + properties: + ingress: + description: The ingress based HTTP01 challenge solver + will solve challenges by creating or modifying Ingress + resources in order to route requests for '/.well-known/acme-challenge/XYZ' + to 'challenge solver' pods that are provisioned by cert-manager + for each Challenge to be completed. + properties: + class: + description: The ingress class to use when creating + Ingress resources to solve ACME challenges that + use this challenge solver. Only one of 'class' or + 'name' may be specified. + type: string + name: + description: The name of the ingress resource that + should have ACME challenge solving routes inserted + into it in order to solve HTTP01 challenges. This + is typically used in conjunction with ingress controllers + like ingress-gce, which maintains a 1:1 mapping + between external IPs and ingress resources. + type: string + podTemplate: + description: Optional pod template used to configure + the ACME challenge solver pods used for HTTP01 challenges + properties: + metadata: + description: ObjectMeta overrides for the pod + used to solve HTTP01 challenges. Only the 'labels' + and 'annotations' fields may be set. If labels + or annotations overlap with in-built values, + the values here will override the in-built values. + type: object + spec: + description: PodSpec defines overrides for the + HTTP01 challenge solver pod. Only the 'nodeSelector', + 'affinity' and 'tolerations' fields are supported + currently. All other fields will be ignored. + properties: + affinity: + description: If specified, the pod's scheduling + constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node matches the + corresponding matchExpressions; + the node(s) with the highest sum + are the most preferred. + items: + description: An empty preferred + scheduling term matches all objects + with implicit weight 0 (i.e. it's + a no-op). A null preferred scheduling + term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector + term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated + with matching the corresponding + nodeSelectorTerm, in the range + 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to an update), the system + may or may not try to eventually + evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list + of node selector terms. The + terms are ORed. + items: + description: A null or empty + node selector term matches + no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of + the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node + selector requirements + by node's labels. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node + selector requirements + by node's fields. + items: + description: A node selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: The label + key that the selector + applies to. + type: string + operator: + description: Represents + a key's relationship + to a set of values. + Valid operators + are In, NotIn, Exists, + DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. If + the operator is + Gt or Lt, the values + array must have + a single element, + which will be interpreted + as an integer. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling + rules (e.g. co-locate this pod in the + same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + affinity expressions, etc.), compute + a sum by iterating through the elements + of this field and adding "weight" + to the sum if the node has pods + which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements + specified by this field are not + met at scheduling time, the pod + will not be scheduled onto the node. + If the affinity requirements specified + by this field cease to be met at + some point during pod execution + (e.g. due to a pod label update), + the system may or may not try to + eventually evict the pod from its + node. When there are multiple elements, + the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity + scheduling rules (e.g. avoid putting + this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer + to schedule pods to nodes that satisfy + the anti-affinity expressions specified + by this field, but it may choose + a node that violates one or more + of the expressions. The node that + is most preferred is the one with + the greatest sum of weights, i.e. + for each node that meets all of + the scheduling requirements (resource + request, requiredDuringScheduling + anti-affinity expressions, etc.), + compute a sum by iterating through + the elements of this field and adding + "weight" to the sum if the node + has pods which matches the corresponding + podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all + of the matched WeightedPodAffinityTerm + fields are added per-node to find + the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod + affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query + over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label + selector requirements. + The requirements are + ANDed. + items: + description: A label + selector requirement + is a selector that + contains values, + a key, and an operator + that relates the + key and values. + properties: + key: + description: key + is the label + key that the + selector applies + to. + type: string + operator: + description: operator + represents a + key's relationship + to a set of + values. Valid + operators are + In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array + of string values. + If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or + DoesNotExist, + the values array + must be empty. + This array is + replaced during + a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels + map is equivalent + to an element of matchExpressions, + whose key field is + "key", the operator + is "In", and the values + array contains only + "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces + specifies which namespaces + the labelSelector applies + to (matches against); + null or empty list means + "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) + or not co-located (anti-affinity) + with the pods matching + the labelSelector in the + specified namespaces, + where co-located is defined + as running on a node whose + value of the label with + key topologyKey matches + that of any node on which + any of the selected pods + is running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated + with matching the corresponding + podAffinityTerm, in the range + 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity + requirements specified by this field + are not met at scheduling time, + the pod will not be scheduled onto + the node. If the anti-affinity requirements + specified by this field cease to + be met at some point during pod + execution (e.g. due to a pod label + update), the system may or may not + try to eventually evict the pod + from its node. When there are multiple + elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, + i.e. all terms must be satisfied. + items: + description: Defines a set of pods + (namely those matching the labelSelector + relative to the given namespace(s)) + that this pod should be co-located + (affinity) or not co-located (anti-affinity) + with, where co-located is defined + as running on a node whose value + of the label with key + matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: A label query over + a set of resources, in this + case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, + a key, and an operator + that relates the key + and values. + properties: + key: + description: key is + the label key that + the selector applies + to. + type: string + operator: + description: operator + represents a key's + relationship to + a set of values. + Valid operators + are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values + is an array of string + values. If the operator + is In or NotIn, + the values array + must be non-empty. + If the operator + is Exists or DoesNotExist, + the values array + must be empty. This + array is replaced + during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels + is a map of {key,value} + pairs. A single {key,value} + in the matchLabels map + is equivalent to an element + of matchExpressions, whose + key field is "key", the + operator is "In", and + the values array contains + only "value". The requirements + are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies + which namespaces the labelSelector + applies to (matches against); + null or empty list means "this + pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should + be co-located (affinity) or + not co-located (anti-affinity) + with the pods matching the + labelSelector in the specified + namespaces, where co-located + is defined as running on a + node whose value of the label + with key topologyKey matches + that of any node on which + any of the selected pods is + running. Empty topologyKey + is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which + must be true for the pod to fit on a node. + Selector which must match a node''s labels + for the pod to be scheduled on that node. + More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is + attached to tolerates any taint that matches + the triple using the + matching operator . + properties: + effect: + description: Effect indicates the taint + effect to match. Empty means match + all taint effects. When specified, + allowed values are NoSchedule, PreferNoSchedule + and NoExecute. + type: string + key: + description: Key is the taint key that + the toleration applies to. Empty means + match all taint keys. If the key is + empty, operator must be Exists; this + combination means to match all values + and all keys. + type: string + operator: + description: Operator represents a key's + relationship to the value. Valid operators + are Exists and Equal. Defaults to + Equal. Exists is equivalent to wildcard + for value, so that a pod can tolerate + all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents + the period of time the toleration + (which must be of effect NoExecute, + otherwise this field is ignored) tolerates + the taint. By default, it is not set, + which means tolerate the taint forever + (do not evict). Zero and negative + values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value + the toleration matches to. If the + operator is Exists, the value should + be empty, otherwise just a regular + string. + type: string + type: object + type: array + type: object + type: object + serviceType: + description: Optional service type for Kubernetes + solver service + type: string + type: object + type: object + selector: + description: Selector selects a set of DNSNames on the Certificate + resource that should be solved using this challenge solver. + properties: + dnsNames: + description: List of DNSNames that this solver will be + used to solve. If specified and a match is found, a + dnsNames selector will take precedence over a dnsZones + selector. If multiple solvers match with the same dnsNames + value, the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + dnsZones: + description: List of DNSZones that this solver will be + used to solve. The most specific DNS zone match specified + here will take precedence over other DNS zone matches, + so a solver specifying sys.example.com will be selected + over one specifying example.com for the domain www.sys.example.com. + If multiple solvers match with the same dnsZones value, + the solver with the most matching labels in matchLabels + will be selected. If neither has more matches, the solver + defined earlier in the list will be selected. + items: + type: string + type: array + matchLabels: + additionalProperties: + type: string + description: A label selector that is used to refine the + set of certificate's that this challenge solver will + apply to. + type: object + type: object + type: object + type: array + required: + - privateKeySecretRef + - server + type: object + ca: + properties: + secretName: + description: SecretName is the name of the secret used to sign Certificates + issued by this Issuer. + type: string + required: + - secretName + type: object + selfSigned: + type: object + vault: + properties: + auth: + description: Vault authentication + properties: + appRole: + description: This Secret contains a AppRole and Secret + properties: + path: + description: Where the authentication path is mounted in + Vault. + type: string + roleId: + type: string + secretRef: + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - path + - roleId + - secretRef + type: object + kubernetes: + description: This contains a Role and Secret with a ServiceAccount + token to authenticate with vault. + properties: + mountPath: + description: The value here will be used as part of the + path used when authenticating with vault, for example + if you set a value of "foo", the path used will be "/v1/auth/foo/login". + If unspecified, the default value "kubernetes" will be + used. + type: string + role: + description: A required field containing the Vault Role + to assume. A Role binds a Kubernetes ServiceAccount with + a set of Vault policies. + type: string + secretRef: + description: The required Secret field containing a Kubernetes + ServiceAccount JWT used for authenticating with Vault. + Use of 'ambient credentials' is not supported. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + required: + - role + - secretRef + type: object + tokenSecretRef: + description: This Secret contains the Vault token key + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + type: object + caBundle: + description: Base64 encoded CA bundle to validate Vault server certificate. + Only used if the Server URL is using HTTPS protocol. This parameter + is ignored for plain HTTP protocol connection. If not set the + system root certificates are used to validate the TLS connection. + format: byte + type: string + path: + description: Vault URL path to the certificate role + type: string + server: + description: Server is the vault connection address + type: string + required: + - auth + - path + - server + type: object + venafi: + description: VenafiIssuer describes issuer configuration details for + Venafi Cloud. + properties: + cloud: + description: Cloud specifies the Venafi cloud configuration settings. + Only one of TPP or Cloud may be specified. + properties: + apiTokenSecretRef: + description: APITokenSecretRef is a secret key selector for + the Venafi Cloud API token. + properties: + key: + description: The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for Venafi Cloud + type: string + required: + - apiTokenSecretRef + - url + type: object + tpp: + description: TPP specifies Trust Protection Platform configuration + settings. Only one of TPP or Cloud may be specified. + properties: + caBundle: + description: CABundle is a PEM encoded TLS certifiate to use + to verify connections to the TPP instance. If specified, system + roots will not be used and the issuing CA for the TPP instance + must be verifiable using the provided root. If not specified, + the connection will be verified using the cert-manager system + root certificates. + format: byte + type: string + credentialsRef: + description: CredentialsRef is a reference to a Secret containing + the username and password for the TPP server. The secret must + contain two keys, 'username' and 'password'. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + required: + - name + type: object + url: + description: URL is the base URL for the Venafi TPP instance + type: string + required: + - credentialsRef + - url + type: object + zone: + description: Zone is the Venafi Policy Zone to use for this issuer. + All requests made to the Venafi platform will be restricted by + the named zone policy. This field is required. + type: string + required: + - zone + type: object + type: object + status: + description: IssuerStatus contains status information about an Issuer + properties: + acme: + properties: + lastRegisteredEmail: + description: LastRegisteredEmail is the email associated with the + latest registered ACME account, in order to track changes made + to registered account associated with the Issuer + type: string + uri: + description: URI is the unique account identifier, which can also + be used to retrieve account details from the CA + type: string + type: object + conditions: + items: + description: IssuerCondition contains condition information for an + Issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: Type of the condition, currently ('Ready'). + type: string + required: + - status + - type + type: object + type: array + type: object + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kustomize/cert-manager-crds/base/kustomization.yaml b/kustomize/cert-manager-crds/base/kustomization.yaml new file mode 100644 index 0000000..6e120e7 --- /dev/null +++ b/kustomize/cert-manager-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kustomize/cert-manager-crds/kustomization.yaml b/kustomize/cert-manager-crds/kustomization.yaml new file mode 100644 index 0000000..3f91980 --- /dev/null +++ b/kustomize/cert-manager-crds/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: cert-manager diff --git a/kustomize/cert-manager-kube-system-resources/base/kustomization.yaml b/kustomize/cert-manager-kube-system-resources/base/kustomization.yaml new file mode 100644 index 0000000..29e2ec3 --- /dev/null +++ b/kustomize/cert-manager-kube-system-resources/base/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kube-system +resources: +- role-binding.yaml +- role.yaml +commonLabels: + kustomize.component: cert-manager +configMapGenerator: +- name: cert-manager-kube-params-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: certManagerNamespace + objref: + kind: ConfigMap + name: cert-manager-kube-params-parameters + apiVersion: v1 + fieldref: + fieldpath: data.certManagerNamespace +configurations: +- params.yaml diff --git a/kustomize/cert-manager-kube-system-resources/base/params.env b/kustomize/cert-manager-kube-system-resources/base/params.env new file mode 100644 index 0000000..29adda1 --- /dev/null +++ b/kustomize/cert-manager-kube-system-resources/base/params.env @@ -0,0 +1 @@ +certManagerNamespace=cert-manager diff --git a/kustomize/cert-manager-kube-system-resources/base/params.yaml b/kustomize/cert-manager-kube-system-resources/base/params.yaml new file mode 100644 index 0000000..52278c2 --- /dev/null +++ b/kustomize/cert-manager-kube-system-resources/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: subjects/namespace + kind: RoleBinding diff --git a/kustomize/cert-manager-kube-system-resources/base/role-binding.yaml b/kustomize/cert-manager-kube-system-resources/base/role-binding.yaml new file mode 100644 index 0000000..8cdb6d4 --- /dev/null +++ b/kustomize/cert-manager-kube-system-resources/base/role-binding.yaml @@ -0,0 +1,58 @@ +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager-cainjector:leaderelection + labels: + app: cainjector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager-cainjector:leaderelection +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-cainjector + namespace: $(certManagerNamespace) + +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager:leaderelection + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cert-manager:leaderelection +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: $(certManagerNamespace) + +--- + +# apiserver gets the ability to read authentication. This allows it to +# read the specific configmap that has the requestheader-* entries to +# api agg +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: cert-manager-webhook:webhook-authentication-reader + labels: + app: webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: $(certManagerNamespace) diff --git a/kustomize/cert-manager-kube-system-resources/base/role.yaml b/kustomize/cert-manager-kube-system-resources/base/role.yaml new file mode 100644 index 0000000..2d26c9f --- /dev/null +++ b/kustomize/cert-manager-kube-system-resources/base/role.yaml @@ -0,0 +1,28 @@ +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: cert-manager-cainjector:leaderelection + labels: + app: cainjector +rules: + # Used for leader election by the controller + # TODO: refine the permission to *just* the leader election configmap + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: cert-manager:leaderelection + labels: + app: cert-manager +rules: + # Used for leader election by the controller + # TODO: refine the permission to *just* the leader election configmap + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] diff --git a/kustomize/cert-manager-kube-system-resources/kustomization.yaml b/kustomize/cert-manager-kube-system-resources/kustomization.yaml new file mode 100644 index 0000000..2017545 --- /dev/null +++ b/kustomize/cert-manager-kube-system-resources/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: kube-system diff --git a/kustomize/cert-manager/base/api-service.yaml b/kustomize/cert-manager/base/api-service.yaml new file mode 100644 index 0000000..c31c83e --- /dev/null +++ b/kustomize/cert-manager/base/api-service.yaml @@ -0,0 +1,16 @@ +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + name: v1beta1.webhook.cert-manager.io + labels: + app: webhook + annotations: + cert-manager.io/inject-ca-from-secret: "cert-manager/cert-manager-webhook-tls" +spec: + group: webhook.cert-manager.io + groupPriorityMinimum: 1000 + versionPriority: 15 + service: + name: cert-manager-webhook + namespace: $(namespace) + version: v1beta1 diff --git a/kustomize/cert-manager/base/cluster-role-binding.yaml b/kustomize/cert-manager/base/cluster-role-binding.yaml new file mode 100644 index 0000000..d2b850f --- /dev/null +++ b/kustomize/cert-manager/base/cluster-role-binding.yaml @@ -0,0 +1,135 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-issuers + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-issuers +subjects: +- name: cert-manager + namespace: $(namespace) + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-clusterissuers +subjects: +- name: cert-manager + namespace: $(namespace) + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-certificates +subjects: +- name: cert-manager + namespace: $(namespace) + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-orders +subjects: +- name: cert-manager + namespace: $(namespace) + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-challenges +subjects: +- name: cert-manager + namespace: $(namespace) + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-controller-ingress-shim +subjects: +- name: cert-manager + namespace: $(namespace) + kind: ServiceAccount + +--- +# apiserver gets the auth-delegator role to delegate auth decisions to +# the core apiserver +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-webhook:auth-delegator + labels: + app: webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- apiGroup: "" + kind: ServiceAccount + name: cert-manager-webhook + namespace: $(namespace) + +--- + +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cert-manager-cainjector + labels: + app: cainjector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-cainjector +subjects: +- name: cert-manager-cainjector + namespace: $(namespace) + kind: ServiceAccount diff --git a/kustomize/cert-manager/base/cluster-role.yaml b/kustomize/cert-manager/base/cluster-role.yaml new file mode 100644 index 0000000..0f9f24d --- /dev/null +++ b/kustomize/cert-manager/base/cluster-role.yaml @@ -0,0 +1,265 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-cainjector + labels: + app: cainjector +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] + +--- + +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-issuers + labels: + app: cert-manager +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-clusterissuers + labels: + app: cert-manager +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-certificates + labels: + app: cert-manager +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-orders + labels: + app: cert-manager +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-challenges + labels: + app: cert-manager +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["extensions", "networking.k8s.io/v1"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- + +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cert-manager-controller-ingress-shim + labels: + app: cert-manager +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io/v1"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io/v1"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-webhook:webhook-requester + labels: + app: webhook +rules: +- apiGroups: + - admission.cert-manager.io + resources: + - certificates + - certificaterequests + - issuers + - clusterissuers + verbs: + - create + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-view + labels: + app: cert-manager + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager-edit + labels: + app: cert-manager + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] diff --git a/kustomize/cert-manager/base/deployment.yaml b/kustomize/cert-manager/base/deployment.yaml new file mode 100644 index 0000000..b0debd7 --- /dev/null +++ b/kustomize/cert-manager/base/deployment.yaml @@ -0,0 +1,124 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-cainjector + labels: + app: cainjector +spec: + replicas: 1 + selector: + matchLabels: + app: cainjector + template: + metadata: + labels: + app: cainjector + annotations: + spec: + serviceAccountName: cert-manager-cainjector + containers: + - name: cainjector + image: "quay.io/jetstack/cert-manager-cainjector:v0.11.0" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --leader-election-namespace=kube-system + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager + labels: + app: cert-manager +spec: + replicas: 1 + selector: + matchLabels: + app: cert-manager + template: + metadata: + labels: + app: cert-manager + annotations: + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + spec: + serviceAccountName: cert-manager + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-controller:v0.11.0" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --cluster-resource-namespace=$(POD_NAMESPACE) + - --leader-election-namespace=kube-system + - --webhook-namespace=$(POD_NAMESPACE) + - --webhook-ca-secret=cert-manager-webhook-ca + - --webhook-serving-secret=cert-manager-webhook-tls + - --webhook-dns-names=cert-manager-webhook,cert-manager-webhook.$(namespace),cert-manager-webhook.$(namespace).svc + ports: + - containerPort: 9402 + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + requests: + cpu: 10m + memory: 32Mi + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cert-manager-webhook + labels: + app: webhook +spec: + replicas: 1 + selector: + matchLabels: + app: webhook + template: + metadata: + labels: + app: webhook + annotations: + spec: + serviceAccountName: cert-manager-webhook + containers: + - name: cert-manager + image: "quay.io/jetstack/cert-manager-webhook:v0.11.0" + imagePullPolicy: IfNotPresent + args: + - --v=2 + - --secure-port=6443 + - --tls-cert-file=/certs/tls.crt + - --tls-private-key-file=/certs/tls.key + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + resources: + {} + + volumeMounts: + - name: certs + mountPath: /certs + volumes: + - name: certs + secret: + secretName: cert-manager-webhook-tls diff --git a/kustomize/cert-manager/base/kustomization.yaml b/kustomize/cert-manager/base/kustomization.yaml new file mode 100644 index 0000000..ea709c9 --- /dev/null +++ b/kustomize/cert-manager/base/kustomization.yaml @@ -0,0 +1,40 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: cert-manager +resources: +- namespace.yaml +- api-service.yaml +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- mutating-webhook-configuration.yaml +- service-account.yaml +- service.yaml +- validating-webhook-configuration.yaml +commonLabels: + kustomize.component: cert-manager +images: +- name: quay.io/jetstack/cert-manager-controller + newName: quay.io/jetstack/cert-manager-controller + newTag: v0.11.0 +- name: quay.io/jetstack/cert-manager-webhook + newName: quay.io/jetstack/cert-manager-webhook + newTag: v0.11.0 +- name: quay.io/jetstack/cert-manager-cainjector + newName: quay.io/jetstack/cert-manager-cainjector + newTag: v0.11.0 +configMapGenerator: +- name: cert-manager-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: namespace + objref: + kind: ConfigMap + name: cert-manager-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +configurations: +- params.yaml diff --git a/kustomize/cert-manager/base/mutating-webhook-configuration.yaml b/kustomize/cert-manager/base/mutating-webhook-configuration.yaml new file mode 100644 index 0000000..8c73c1c --- /dev/null +++ b/kustomize/cert-manager/base/mutating-webhook-configuration.yaml @@ -0,0 +1,32 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + annotations: + cert-manager.io/inject-apiserver-ca: "true" +webhooks: + - name: webhook.cert-manager.io + rules: + - apiGroups: + - "cert-manager.io" + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - certificates + - issuers + - clusterissuers + - orders + - challenges + - certificaterequests + failurePolicy: Fail + clientConfig: + service: + name: kubernetes + namespace: default + path: /apis/webhook.cert-manager.io/v1beta1/mutations + caBundle: "" diff --git a/kustomize/cert-manager/base/namespace.yaml b/kustomize/cert-manager/base/namespace.yaml new file mode 100644 index 0000000..4a7da48 --- /dev/null +++ b/kustomize/cert-manager/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: $(namespace) diff --git a/kustomize/cert-manager/base/params.env b/kustomize/cert-manager/base/params.env new file mode 100644 index 0000000..b29ab79 --- /dev/null +++ b/kustomize/cert-manager/base/params.env @@ -0,0 +1 @@ +namespace=cert-manager diff --git a/kustomize/cert-manager/base/params.yaml b/kustomize/cert-manager/base/params.yaml new file mode 100644 index 0000000..6a761d9 --- /dev/null +++ b/kustomize/cert-manager/base/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: subjects/namespace + kind: ClusterRoleBinding +- path: spec/template/spec/containers/args + kind: Deployment +- path: metadata/name + kind: Namespace +- path: spec/service/namespace + kind: APIService diff --git a/kustomize/cert-manager/base/service-account.yaml b/kustomize/cert-manager/base/service-account.yaml new file mode 100644 index 0000000..734dc32 --- /dev/null +++ b/kustomize/cert-manager/base/service-account.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-cainjector + labels: + app: cainjector + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager + annotations: + labels: + app: cert-manager + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cert-manager-webhook + labels: + app: webhook diff --git a/kustomize/cert-manager/base/service.yaml b/kustomize/cert-manager/base/service.yaml new file mode 100644 index 0000000..2334a8f --- /dev/null +++ b/kustomize/cert-manager/base/service.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + name: cert-manager + labels: + app: cert-manager +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + targetPort: 9402 + selector: + app: cert-manager + +--- +apiVersion: v1 +kind: Service +metadata: + name: cert-manager-webhook + labels: + app: webhook +spec: + type: ClusterIP + ports: + - name: https + port: 443 + targetPort: 6443 + selector: + app: webhook diff --git a/kustomize/cert-manager/base/validating-webhook-configuration.yaml b/kustomize/cert-manager/base/validating-webhook-configuration.yaml new file mode 100644 index 0000000..ddd48cd --- /dev/null +++ b/kustomize/cert-manager/base/validating-webhook-configuration.yaml @@ -0,0 +1,31 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: ValidatingWebhookConfiguration +metadata: + name: cert-manager-webhook + labels: + app: webhook + annotations: + cert-manager.io/inject-apiserver-ca: "true" +webhooks: + - name: webhook.certmanager.k8s.io + rules: + - apiGroups: + - "cert-manager.io" + apiVersions: + - v1alpha2 + operations: + - CREATE + - UPDATE + resources: + - certificates + - issuers + - clusterissuers + - certificaterequests + failurePolicy: Fail + sideEffects: None + clientConfig: + service: + name: kubernetes + namespace: default + path: /apis/webhook.cert-manager.io/v1beta1/validations + caBundle: "" diff --git a/kustomize/cert-manager/kustomization.yaml b/kustomize/cert-manager/kustomization.yaml new file mode 100644 index 0000000..24c570d --- /dev/null +++ b/kustomize/cert-manager/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: cert-manager + app.kubernetes.io/instance: cert-manager-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: cert-manager + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + kustomize.component: cert-manager +configurations: +- overlays/application/params.yaml +kind: Kustomization +namespace: cert-manager +resources: +- overlays/self-signed/cluster-issuer.yaml +- overlays/application/application.yaml diff --git a/kustomize/cert-manager/overlays/application/application.yaml b/kustomize/cert-manager/overlays/application/application.yaml new file mode 100644 index 0000000..94ab2c5 --- /dev/null +++ b/kustomize/cert-manager/overlays/application/application.yaml @@ -0,0 +1,35 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: cert-manager +spec: + selector: + matchLabels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: cert-manager + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: rbac + kind: ClusterRole + - group: rbac + kind: ClusterRoleBinding + - group: core + kind: Namespace + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + descriptor: + type: "" + version: "v0.10.0" + description: "Automatically provision and manage TLS certificates in Kubernetes https://jetstack.io." + keywords: + - cert-manager + links: + - description: About + url: "https://github.com/jetstack/cert-manager" diff --git a/kustomize/cert-manager/overlays/application/kustomization.yaml b/kustomize/cert-manager/overlays/application/kustomization.yaml new file mode 100644 index 0000000..5d9084f --- /dev/null +++ b/kustomize/cert-manager/overlays/application/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +configurations: +- params.yaml +commonLabels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/instance: cert-manager-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: cert-manager + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/cert-manager/overlays/application/params.yaml b/kustomize/cert-manager/overlays/application/params.yaml new file mode 100644 index 0000000..af6f60a --- /dev/null +++ b/kustomize/cert-manager/overlays/application/params.yaml @@ -0,0 +1,11 @@ +varReference: +- path: metadata/name + kind: Application +- path: spec/selector/matchLabels/app.kubernetes.io\/instance + kind: Application +- path: spec/template/metadata/labels/app.kubernetes.io\/instance + kind: Deployment +- path: spec/selector/matchLabels/app.kubernetes.io\/instance + kind: Deployment +- path: spec/selector/app.kubernetes.io\/instance + kind: Service diff --git a/kustomize/cert-manager/overlays/letsencrypt/cluster-issuer.yaml b/kustomize/cert-manager/overlays/letsencrypt/cluster-issuer.yaml new file mode 100644 index 0000000..2b98572 --- /dev/null +++ b/kustomize/cert-manager/overlays/letsencrypt/cluster-issuer.yaml @@ -0,0 +1,11 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + email: $(acmeEmail) + http01: {} + privateKeySecretRef: + name: letsencrypt-prod-secret + server: $(acmeUrl) diff --git a/kustomize/cert-manager/overlays/letsencrypt/kustomization.yaml b/kustomize/cert-manager/overlays/letsencrypt/kustomization.yaml new file mode 100644 index 0000000..30106ca --- /dev/null +++ b/kustomize/cert-manager/overlays/letsencrypt/kustomization.yaml @@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +namespace: cert-manager +resources: +- cluster-issuer.yaml +commonLabels: + kustomize.component: cert-manager +configMapGenerator: +- name: cert-manager-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: acmeEmail + objref: + kind: ConfigMap + name: cert-manager-parameters + apiVersion: v1 + fieldref: + fieldpath: data.acmeEmail +- name: acmeUrl + objref: + kind: ConfigMap + name: cert-manager-parameters + apiVersion: v1 + fieldref: + fieldpath: data.acmeUrl +configurations: +- params.yaml diff --git a/kustomize/cert-manager/overlays/letsencrypt/params.env b/kustomize/cert-manager/overlays/letsencrypt/params.env new file mode 100644 index 0000000..6307dcd --- /dev/null +++ b/kustomize/cert-manager/overlays/letsencrypt/params.env @@ -0,0 +1,2 @@ +acmeEmail= +acmeUrl=https://acme-v02.api.letsencrypt.org/directory diff --git a/kustomize/cert-manager/overlays/letsencrypt/params.yaml b/kustomize/cert-manager/overlays/letsencrypt/params.yaml new file mode 100644 index 0000000..e671a3e --- /dev/null +++ b/kustomize/cert-manager/overlays/letsencrypt/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: spec/acme/email + kind: ClusterIssuer +- path: spec/acme/server + kind: ClusterIssuer diff --git a/kustomize/cert-manager/overlays/self-signed/cluster-issuer.yaml b/kustomize/cert-manager/overlays/self-signed/cluster-issuer.yaml new file mode 100644 index 0000000..eaf9703 --- /dev/null +++ b/kustomize/cert-manager/overlays/self-signed/cluster-issuer.yaml @@ -0,0 +1,6 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: ClusterIssuer +metadata: + name: kubeflow-self-signing-issuer +spec: + selfSigned: {} diff --git a/kustomize/cert-manager/overlays/self-signed/kustomization.yaml b/kustomize/cert-manager/overlays/self-signed/kustomization.yaml new file mode 100644 index 0000000..70d7329 --- /dev/null +++ b/kustomize/cert-manager/overlays/self-signed/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- cluster-issuer.yaml +commonLabels: + kustomize.component: cert-manager diff --git a/kustomize/dex/base/config-map.yaml b/kustomize/dex/base/config-map.yaml new file mode 100644 index 0000000..bffd3cd --- /dev/null +++ b/kustomize/dex/base/config-map.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: dex +data: + config.yaml: | + issuer: $(issuer) + storage: + type: kubernetes + config: + inCluster: true + web: + http: 0.0.0.0:5556 + logger: + level: "debug" + format: text + oauth2: + skipApprovalScreen: true + enablePasswordDB: true + staticPasswords: + - email: $(static_email) + hash: $(static_password_hash) + username: $(static_username) + userID: $(static_user_id) + staticClients: + - id: $(client_id) + redirectURIs: $(oidc_redirect_uris) + name: 'Dex Login Application' + secret: $(application_secret) diff --git a/kustomize/dex/base/crds.yaml b/kustomize/dex/base/crds.yaml new file mode 100644 index 0000000..cd18744 --- /dev/null +++ b/kustomize/dex/base/crds.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: authcodes.dex.coreos.com +spec: + group: dex.coreos.com + names: + kind: AuthCode + listKind: AuthCodeList + plural: authcodes + singular: authcode + scope: Namespaced + version: v1 +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: dex +rules: +- apiGroups: ["dex.coreos.com"] # API group created by dex + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create"] # To manage its own resources identity must be able to create customresourcedefinitions. +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: dex +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: dex +subjects: +- kind: ServiceAccount + name: dex # Service account assigned to the dex pod. + namespace: auth # The namespace dex is running in. +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dex + namespace: auth diff --git a/kustomize/dex/base/deployment.yaml b/kustomize/dex/base/deployment.yaml new file mode 100644 index 0000000..5a21be2 --- /dev/null +++ b/kustomize/dex/base/deployment.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: dex + name: dex +spec: + replicas: 1 + selector: + matchLabels: + app: dex + template: + metadata: + labels: + app: dex + spec: + serviceAccountName: dex + containers: + - image: quay.io/coreos/dex:v2.9.0 + name: dex + command: ["dex", "serve", "/etc/dex/cfg/config.yaml"] + ports: + - name: http + containerPort: 5556 + volumeMounts: + - name: config + mountPath: /etc/dex/cfg + volumes: + - name: config + configMap: + name: dex + items: + - key: config.yaml + path: config.yaml diff --git a/kustomize/dex/base/kustomization.yaml b/kustomize/dex/base/kustomization.yaml new file mode 100644 index 0000000..2111d27 --- /dev/null +++ b/kustomize/dex/base/kustomization.yaml @@ -0,0 +1,84 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: auth +resources: +- namespace.yaml +- config-map.yaml +- crds.yaml +- deployment.yaml +- service.yaml +configMapGenerator: +- name: dex-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: dex_domain + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.dex_domain +- name: issuer + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.issuer +- name: static_email + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_email +- name: static_password_hash + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_password_hash +- name: static_username + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_username +- name: static_user_id + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.static_user_id +- name: client_id + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_id +- name: oidc_redirect_uris + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.oidc_redirect_uris +- name: application_secret + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.application_secret +configurations: +- params.yaml +images: +- name: quay.io/coreos/dex + newName: gcr.io/arrikto/dexidp/dex + newTag: 4bede5eb80822fc3a7fc9edca0ed2605cd339d17 diff --git a/kustomize/dex/base/namespace.yaml b/kustomize/dex/base/namespace.yaml new file mode 100644 index 0000000..6b34cab --- /dev/null +++ b/kustomize/dex/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: auth diff --git a/kustomize/dex/base/params.env b/kustomize/dex/base/params.env new file mode 100644 index 0000000..69bb1f1 --- /dev/null +++ b/kustomize/dex/base/params.env @@ -0,0 +1,11 @@ +# Dex Server Parameters (some params are shared with client) +dex_domain=dex.example.com +# Set issuer to https if tls is enabled +issuer=http://dex.auth.svc.cluster.local:5556/dex +static_email=leonard.aukea@volvocars.com +static_password_hash=$2y$12$ruoM7FqXrpVgaol44eRZW.4HWS8SAvg6KYVVSCIwKQPBmTpCm.EeO +static_username=admin +static_user_id=08a8684b-db88-4b73-90a9-3cd1661f5466 +client_id=kubeflow-oidc-authservice +oidc_redirect_uris=["/login/oidc"] +application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok diff --git a/kustomize/dex/base/params.yaml b/kustomize/dex/base/params.yaml new file mode 100644 index 0000000..af2393a --- /dev/null +++ b/kustomize/dex/base/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: spec/template/spec/volumes/secret/secretName + kind: Deployment +- path: data/config.yaml + kind: ConfigMap diff --git a/kustomize/dex/base/service.yaml b/kustomize/dex/base/service.yaml new file mode 100644 index 0000000..7f00882 --- /dev/null +++ b/kustomize/dex/base/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: dex +spec: + type: NodePort + ports: + - name: dex + port: 5556 + protocol: TCP + targetPort: 5556 + nodePort: 32000 + selector: + app: dex diff --git a/kustomize/dex/kustomization.yaml b/kustomize/dex/kustomization.yaml new file mode 100644 index 0000000..db51a6d --- /dev/null +++ b/kustomize/dex/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +configMapGenerator: +- behavior: merge + env: overlays/istio/params.env + name: dex-parameters +configurations: +- overlays/istio/params.yaml +generatorOptions: + disableNameSuffixHash: true +kind: Kustomization +namespace: auth +resources: +- overlays/istio/virtual-service.yaml +vars: +- fieldref: + fieldPath: data.namespace + name: namespace + objref: + apiVersion: v1 + kind: ConfigMap + name: dex-parameters diff --git a/kustomize/dex/overlays/istio/kustomization.yaml b/kustomize/dex/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..b94f52f --- /dev/null +++ b/kustomize/dex/overlays/istio/kustomization.yaml @@ -0,0 +1,23 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml + +configMapGenerator: +- name: dex-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: namespace + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +configurations: +- params.yaml diff --git a/kustomize/dex/overlays/istio/params.env b/kustomize/dex/overlays/istio/params.env new file mode 100644 index 0000000..d0f7784 --- /dev/null +++ b/kustomize/dex/overlays/istio/params.env @@ -0,0 +1 @@ +namespace=auth diff --git a/kustomize/dex/overlays/istio/params.yaml b/kustomize/dex/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/dex/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/dex/overlays/istio/virtual-service.yaml b/kustomize/dex/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..c84d890 --- /dev/null +++ b/kustomize/dex/overlays/istio/virtual-service.yaml @@ -0,0 +1,22 @@ +# This config is gated on kiali upgrade to 0.21 from 0.16 in istio 1.1.6: +# https://github.com/kiali/kiali/issues/1154 +# https://github.com/istio/istio/issues/11131 + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: dex +spec: + gateways: + - kubeflow/kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /dex/ + route: + - destination: + host: dex.$(namespace).svc.cluster.local + port: + number: 5556 diff --git a/kustomize/dex/overlays/ldap/config-map.yaml b/kustomize/dex/overlays/ldap/config-map.yaml new file mode 100644 index 0000000..3df2035 --- /dev/null +++ b/kustomize/dex/overlays/ldap/config-map.yaml @@ -0,0 +1,97 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: dex +data: + config.yaml: | + issuer: $(issuer) + storage: + type: kubernetes + config: + inCluster: true + web: + https: 0.0.0.0:5556 + tlsCert: /etc/dex/tls/tls.crt + tlsKey: /etc/dex/tls/tls.key + # For HTTP configuration remove tls configs and add + #http: 0.0.0.0:5556 + logger: + level: "debug" + format: text + connectors: + - type: ldap + # Required field for connector id. + id: ldap + # Required field for connector name. + name: LDAP + config: + # Host and optional port of the LDAP server in the form "host:port". + # If the port is not supplied, it will be guessed based on "insecureNoSSL", + # and "startTLS" flags. 389 for insecure or StartTLS connections, 636 + # otherwise. + host: $(ldap_host) + # Following field is required if the LDAP host is not using TLS (port 389). + # Because this option inherently leaks passwords to anyone on the same network + # as dex, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE. + # + insecureNoSSL: true + # If a custom certificate isn't provide, this option can be used to turn on + # TLS certificate checks. As noted, it is insecure and shouldn't be used outside + # of explorative phases. + # + insecureSkipVerify: true + # When connecting to the server, connect using the ldap:// protocol then issue + # a StartTLS command. If unspecified, connections will use the ldaps:// protocol + # + # startTLS: true + # Path to a trusted root certificate file. Default: use the host's root CA. + #rootCA: /etc/dex/ldap.ca + # A raw certificate file can also be provided inline. + #rootCAData: + # The DN and password for an application service account. The connector uses + # these credentials to search for users and groups. Not required if the LDAP + # server provides access for anonymous auth. + # Please note that if the bind password contains a '$', it has to be saved in an + # environment variable which should be given as the value to 'bindPW'. + bindDN: $(ldap_bind_dn) + bindPW: $(ldap_bind_pw) + # User search maps a username and password entered by a user to a LDAP entry. + userSearch: + # BaseDN to start the search from. It will translate to the query + # "(&(objectClass=person)(uid=))". + baseDN: $(ldap_user_base_dn) + # Optional filter to apply when searching the directory. + filter: "(objectClass=posixAccount)" + # username attribute used for comparing user entries. This will be translated + # and combine with the other filter as "(=)". + username: mail + # The following three fields are direct mappings of attributes on the user entry. + # String representation of the user. + idAttr: uid + # Required. Attribute to map to Email. + emailAttr: mail + # Maps to display name of users. No default value. + nameAttr: uid + + # Group search queries for groups given a user entry. + groupSearch: + # BaseDN to start the search from. It will translate to the query + # "(&(objectClass=group)(member=))". + baseDN: $(ldap_group_base_dn) + # Optional filter to apply when searching the directory. + filter: "(objectClass=posixGroup)" + # Following two fields are used to match a user to a group. It adds an additional + # requirement to the filter that an attribute in the group must match the user's + # attribute value. + userAttr: gidNumber + groupAttr: gidNumber + # Represents group name. + nameAttr: cn + oauth2: + skipApprovalScreen: true + staticClients: + - id: $(client_id) + redirectURIs: $(oidc_redirect_uris) + name: 'Dex Login Application' + secret: $(application_secret) diff --git a/kustomize/dex/overlays/ldap/deployment.yaml b/kustomize/dex/overlays/ldap/deployment.yaml new file mode 100644 index 0000000..251be1d --- /dev/null +++ b/kustomize/dex/overlays/ldap/deployment.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: dex + name: dex +spec: + template: + spec: + serviceAccountName: dex + containers: + - name: dex + volumeMounts: + - name: tls + mountPath: /etc/dex/tls + volumes: + - name: tls + secret: + secretName: $(dex_domain).tls diff --git a/kustomize/dex/overlays/ldap/kustomization.yaml b/kustomize/dex/overlays/ldap/kustomization.yaml new file mode 100644 index 0000000..e1aec92 --- /dev/null +++ b/kustomize/dex/overlays/ldap/kustomization.yaml @@ -0,0 +1,54 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: auth +bases: +- ../../base + +patchesStrategicMerge: +- config-map.yaml +- deployment.yaml + +configMapGenerator: +- name: dex-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: ldap_host + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.ldap_host +- name: ldap_bind_dn + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.ldap_bind_dn +- name: ldap_bind_pw + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.ldap_bind_pw +- name: ldap_user_base_dn + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.ldap_user_base_dn +- name: ldap_group_base_dn + objref: + kind: ConfigMap + name: dex-parameters + apiVersion: v1 + fieldref: + fieldpath: data.ldap_group_base_dn +configurations: +- params.yaml diff --git a/kustomize/dex/overlays/ldap/params.env b/kustomize/dex/overlays/ldap/params.env new file mode 100644 index 0000000..626cb14 --- /dev/null +++ b/kustomize/dex/overlays/ldap/params.env @@ -0,0 +1,11 @@ +# Dex Server Parameters (some params are shared with client) +dex_domain=dex.example.com +issuer=https://dex.example.com:32000 +ldap_host=ldap.auth.svc.cluster.local:389 +ldap_bind_dn=cn=admin,dc=example,dc=org +ldap_bind_pw=admin +ldap_user_base_dn=ou=People,dc=example,dc=org +ldap_group_base_dn=ou=Groups,dc=example,dc=org +client_id=ldapdexapp +oidc_redirect_uris=['http://login.example.org:5555/callback/onprem-cluster'] +application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok diff --git a/kustomize/dex/overlays/ldap/params.yaml b/kustomize/dex/overlays/ldap/params.yaml new file mode 100644 index 0000000..5d9e2ad --- /dev/null +++ b/kustomize/dex/overlays/ldap/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: data/config.yaml + kind: ConfigMap diff --git a/kustomize/istio-crds/base/crds.yaml b/kustomize/istio-crds/base/crds.yaml new file mode 100644 index 0000000..f58a3c2 --- /dev/null +++ b/kustomize/istio-crds/base/crds.yaml @@ -0,0 +1,1535 @@ +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: virtualservices.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + singular: virtualservice + shortNames: + - vs + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.gateways + description: The names of gateways and sidecars that should apply these routes + name: Gateways + type: string + - JSONPath: .spec.hosts + description: The destination hosts to which traffic is being sent + name: Hosts + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: destinationrules.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + singular: destinationrule + shortNames: + - dr + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.host + description: The name of a service from the service registry + name: Host + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: serviceentries.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + singular: serviceentry + shortNames: + - se + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 + additionalPrinterColumns: + - JSONPath: .spec.hosts + description: The hosts associated with the ServiceEntry + name: Hosts + type: string + - JSONPath: .spec.location + description: Whether the service is external to the mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL) + name: Location + type: string + - JSONPath: .spec.resolution + description: Service discovery mode for the hosts (NONE, STATIC, or DNS) + name: Resolution + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: gateways.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Gateway + plural: gateways + singular: gateway + shortNames: + - gw + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: envoyfilters.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: EnvoyFilter + plural: envoyfilters + singular: envoyfilter + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: clusterrbacconfigs.rbac.istio.io + labels: + app: istio-pilot + istio: rbac + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ClusterRbacConfig + plural: clusterrbacconfigs + singular: clusterrbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: policies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: Policy + plural: policies + singular: policy + categories: + - istio-io + - authentication-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: meshpolicies.authentication.istio.io + labels: + app: istio-citadel + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: authentication.istio.io + names: + kind: MeshPolicy + listKind: MeshPolicyList + plural: meshpolicies + singular: meshpolicy + categories: + - istio-io + - authentication-istio-io + scope: Cluster + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpecBinding + plural: httpapispecbindings + singular: httpapispecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: httpapispecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: HTTPAPISpec + plural: httpapispecs + singular: httpapispec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecbindings.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpecBinding + plural: quotaspecbindings + singular: quotaspecbinding + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotaspecs.config.istio.io + labels: + app: istio-mixer + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: QuotaSpec + plural: quotaspecs + singular: quotaspec + categories: + - istio-io + - apim-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rules.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rule + plural: rules + singular: rule + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: attributemanifests.config.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: core + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: attributemanifest + plural: attributemanifests + singular: attributemanifest + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: bypasses.config.istio.io + labels: + app: mixer + package: bypass + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: bypass + plural: bypasses + singular: bypass + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: circonuses.config.istio.io + labels: + app: mixer + package: circonus + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: circonus + plural: circonuses + singular: circonus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: deniers.config.istio.io + labels: + app: mixer + package: denier + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: denier + plural: deniers + singular: denier + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: fluentds.config.istio.io + labels: + app: mixer + package: fluentd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: fluentd + plural: fluentds + singular: fluentd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kubernetesenvs.config.istio.io + labels: + app: mixer + package: kubernetesenv + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetesenv + plural: kubernetesenvs + singular: kubernetesenv + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listcheckers.config.istio.io + labels: + app: mixer + package: listchecker + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: listchecker + plural: listcheckers + singular: listchecker + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: memquotas.config.istio.io + labels: + app: mixer + package: memquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: memquota + plural: memquotas + singular: memquota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: noops.config.istio.io + labels: + app: mixer + package: noop + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: noop + plural: noops + singular: noop + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: opas.config.istio.io + labels: + app: mixer + package: opa + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: opa + plural: opas + singular: opa + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: prometheuses.config.istio.io + labels: + app: mixer + package: prometheus + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: prometheus + plural: prometheuses + singular: prometheus + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacs.config.istio.io + labels: + app: mixer + package: rbac + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: rbac + plural: rbacs + singular: rbac + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: redisquotas.config.istio.io + labels: + app: mixer + package: redisquota + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: redisquota + plural: redisquotas + singular: redisquota + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: signalfxs.config.istio.io + labels: + app: mixer + package: signalfx + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: signalfx + plural: signalfxs + singular: signalfx + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: solarwindses.config.istio.io + labels: + app: mixer + package: solarwinds + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: solarwinds + plural: solarwindses + singular: solarwinds + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stackdrivers.config.istio.io + labels: + app: mixer + package: stackdriver + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stackdriver + plural: stackdrivers + singular: stackdriver + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: statsds.config.istio.io + labels: + app: mixer + package: statsd + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: statsd + plural: statsds + singular: statsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: stdios.config.istio.io + labels: + app: mixer + package: stdio + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: stdio + plural: stdios + singular: stdio + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: apikeys.config.istio.io + labels: + app: mixer + package: apikey + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: apikey + plural: apikeys + singular: apikey + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: authorizations.config.istio.io + labels: + app: mixer + package: authorization + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: authorization + plural: authorizations + singular: authorization + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: checknothings.config.istio.io + labels: + app: mixer + package: checknothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: checknothing + plural: checknothings + singular: checknothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: kuberneteses.config.istio.io + labels: + app: mixer + package: adapter.template.kubernetes + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: kubernetes + plural: kuberneteses + singular: kubernetes + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: listentries.config.istio.io + labels: + app: mixer + package: listentry + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: listentry + plural: listentries + singular: listentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: logentries.config.istio.io + labels: + app: mixer + package: logentry + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: logentry + plural: logentries + singular: logentry + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 + additionalPrinterColumns: + - JSONPath: .spec.severity + description: The importance of the log entry + name: Severity + type: string + - JSONPath: .spec.timestamp + description: The time value for the log entry + name: Timestamp + type: string + - JSONPath: .spec.monitored_resource_type + description: Optional expression to compute the type of the monitored resource this log entry is being recorded on + name: Res Type + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: edges.config.istio.io + labels: + app: mixer + package: edge + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: edge + plural: edges + singular: edge + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: metrics.config.istio.io + labels: + app: mixer + package: metric + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: metric + plural: metrics + singular: metric + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: quotas.config.istio.io + labels: + app: mixer + package: quota + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: quota + plural: quotas + singular: quota + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: reportnothings.config.istio.io + labels: + app: mixer + package: reportnothing + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: reportnothing + plural: reportnothings + singular: reportnothing + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: tracespans.config.istio.io + labels: + app: mixer + package: tracespan + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: tracespan + plural: tracespans + singular: tracespan + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: rbacconfigs.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: RbacConfig + plural: rbacconfigs + singular: rbacconfig + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: serviceroles.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRole + plural: serviceroles + singular: servicerole + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: servicerolebindings.rbac.istio.io + labels: + app: mixer + package: istio.io.mixer + istio: rbac + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: rbac.istio.io + names: + kind: ServiceRoleBinding + plural: servicerolebindings + singular: servicerolebinding + categories: + - istio-io + - rbac-istio-io + scope: Namespaced + version: v1alpha1 + additionalPrinterColumns: + - JSONPath: .spec.roleRef.name + description: The name of the ServiceRole object being referenced + name: Reference + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: adapters.config.istio.io + labels: + app: mixer + package: adapter + istio: mixer-adapter + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: adapter + plural: adapters + singular: adapter + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: instances.config.istio.io + labels: + app: mixer + package: instance + istio: mixer-instance + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: instance + plural: instances + singular: instance + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: templates.config.istio.io + labels: + app: mixer + package: template + istio: mixer-template + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: template + plural: templates + singular: template + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: handlers.config.istio.io + labels: + app: mixer + package: handler + istio: mixer-handler + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: handler + plural: handlers + singular: handler + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: cloudwatches.config.istio.io + labels: + app: mixer + package: cloudwatch + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: cloudwatch + plural: cloudwatches + singular: cloudwatch + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: dogstatsds.config.istio.io + labels: + app: mixer + package: dogstatsd + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: dogstatsd + plural: dogstatsds + singular: dogstatsd + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sidecars.networking.istio.io + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: networking.istio.io + names: + kind: Sidecar + plural: sidecars + singular: sidecar + categories: + - istio-io + - networking-istio-io + scope: Namespaced + version: v1alpha3 +--- +kind: CustomResourceDefinition +apiVersion: apiextensions.k8s.io/v1beta1 +metadata: + name: zipkins.config.istio.io + labels: + app: mixer + package: zipkin + istio: mixer-adapter + annotations: + "helm.sh/resource-policy": keep +spec: + group: config.istio.io + names: + kind: zipkin + plural: zipkins + singular: zipkin + categories: + - istio-io + - policy-istio-io + scope: Namespaced + version: v1alpha2 +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: clusterissuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: ClusterIssuer + plural: clusterissuers + scope: Cluster +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: issuers.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Issuer + plural: issuers + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: certificates.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .spec.secretName + name: Secret + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.conditions[?(@.type=="Ready")].message + name: Status + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + scope: Namespaced + names: + kind: Certificate + plural: certificates + shortNames: + - cert + - certs +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: orders.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.issuerRef.name + name: Issuer + type: string + priority: 1 + - JSONPath: .status.reason + name: Reason + type: string + priority: 1 + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Order + plural: orders + scope: Namespaced +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: challenges.certmanager.k8s.io + labels: + app: certmanager + chart: certmanager + heritage: Tiller + release: istio + annotations: + "helm.sh/resource-policy": keep +spec: + additionalPrinterColumns: + - JSONPath: .status.state + name: State + type: string + - JSONPath: .spec.dnsName + name: Domain + type: string + - JSONPath: .status.reason + name: Reason + type: string + - JSONPath: .metadata.creationTimestamp + description: |- + CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + + Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata + name: Age + type: date + group: certmanager.k8s.io + version: v1alpha1 + names: + kind: Challenge + plural: challenges + scope: Namespaced diff --git a/kustomize/istio-crds/base/kustomization.yaml b/kustomize/istio-crds/base/kustomization.yaml new file mode 100644 index 0000000..ca49cac --- /dev/null +++ b/kustomize/istio-crds/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crds.yaml +namespace: kubeflow diff --git a/kustomize/istio-crds/kustomization.yaml b/kustomize/istio-crds/kustomization.yaml new file mode 100644 index 0000000..e907d64 --- /dev/null +++ b/kustomize/istio-crds/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: istio-system diff --git a/kustomize/istio-install/base/istio-noauth.yaml b/kustomize/istio-install/base/istio-noauth.yaml new file mode 100644 index 0000000..518d955 --- /dev/null +++ b/kustomize/istio-install/base/istio-noauth.yaml @@ -0,0 +1,17385 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: istio-system + labels: + istio-injection: disabled +--- +# Source: istio/charts/kiali/templates/demosecret.yaml + +apiVersion: v1 +kind: Secret +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +type: Opaque +data: + username: YWRtaW4= # admin + passphrase: YWRtaW4= # admin + +--- +# Source: istio/charts/galley/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-galley-configuration + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +data: + validatingwebhookconfiguration.yaml: |- + apiVersion: admissionregistration.k8s.io/v1beta1 + kind: ValidatingWebhookConfiguration + metadata: + name: istio-galley + namespace: istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + webhooks: + - name: pilot.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitpilot" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - httpapispecs + - httpapispecbindings + - quotaspecs + - quotaspecbindings + - operations: + - CREATE + - UPDATE + apiGroups: + - rbac.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - authentication.istio.io + apiVersions: + - "*" + resources: + - "*" + - operations: + - CREATE + - UPDATE + apiGroups: + - networking.istio.io + apiVersions: + - "*" + resources: + - destinationrules + - envoyfilters + - gateways + - serviceentries + - sidecars + - virtualservices + failurePolicy: Fail + - name: mixer.validation.istio.io + clientConfig: + service: + name: istio-galley + namespace: istio-system + path: "/admitmixer" + caBundle: "" + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - config.istio.io + apiVersions: + - v1alpha2 + resources: + - rules + - attributemanifests + - circonuses + - deniers + - fluentds + - kubernetesenvs + - listcheckers + - memquotas + - noops + - opas + - prometheuses + - rbacs + - solarwindses + - stackdrivers + - cloudwatches + - dogstatsds + - statsds + - stdios + - apikeys + - authorizations + - checknothings + # - kuberneteses + - listentries + - logentries + - metrics + - quotas + - reportnothings + - tracespans + failurePolicy: Fail +--- +# Source: istio/charts/grafana/templates/configmap-custom-resources.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-custom-resources + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + custom-resources.yaml: |- + apiVersion: authentication.istio.io/v1alpha1 + kind: Policy + metadata: + name: grafana-ports-mtls-disabled + namespace: istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + spec: + targets: + - name: grafana + ports: + - number: 3000 + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/charts/grafana/templates/configmap-dashboards.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-galley-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + galley-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 46, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"galley\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Galley Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 40, + "panels": [], + "title": "Resource Usage", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 36, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "A" + }, + { + "expr": "process_resident_memory_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "B" + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "C" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F" + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "G" + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "H" + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Total (kis)", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 38, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m]))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}[1m])) by (container_name)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"galley\"}[1m])", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "galley (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 12, + "y": 6 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Open FDs (galley)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"galley\", pod_name=~\"istio-galley-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }} ", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 6 + }, + "id": 44, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "goroutines_total", + "refId": "A" + }, + { + "expr": "galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "clients_total", + "refId": "B" + }, + { + "expr": "go_goroutines{job=\"galley\"}/galley_mcp_source_clients_total", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "avg_goroutines_per_client", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 14 + }, + "id": 10, + "panels": [], + "title": "Runtime", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 15 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_on_change_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Strategy Change Events", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_processor_events_processed_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Processed Events", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_processor_snapshots_published_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Snapshot Published", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Event Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 15 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(galley_runtime_strategy_timer_max_time_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Max Time Reached", + "refId": "A" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_quiesce_reached_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Quiesce Reached", + "refId": "B" + }, + { + "expr": "sum(rate(galley_runtime_strategy_timer_resets_total[1m])) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Timer Resets", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Timer Rates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 15 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 3, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": true, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.95, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P95", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum by (le) (galley_runtime_processor_snapshot_events_total_bucket))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Events Per Snapshot", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by (typeURL) (galley_runtime_state_type_instances_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ typeURL }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "State Type Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Count", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 34, + "panels": [], + "title": "Validation", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 28 + }, + "id": 28, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "galley_validation_cert_key_updates{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Updates", + "refId": "A" + }, + { + "expr": "galley_validation_cert_key_update_errors{job=\"galley\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Key Update Errors: {{ error }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation Webhook Certificate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 28 + }, + "id": 30, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_passed{job=\"galley\"}) by (group, version, resource)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Passed: {{ group }}/{{ version }}/{{resource}}", + "refId": "A" + }, + { + "expr": "sum(galley_validation_failed{job=\"galley\"}) by (group, version, resource, reason)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Failed: {{ group }}/{{ version }}/{{resource}} ({{ reason}})", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Resource Validation", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 28 + }, + "id": 32, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_validation_http_error{job=\"galley\"}) by (status)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ status }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Validation HTTP Errors", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 34 + }, + "id": 12, + "panels": [], + "title": "Kubernetes Source", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_event_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Success", + "refId": "A" + }, + { + "expr": "rate(galley_source_kube_event_error_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Source Event Rate", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Events/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 16, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_success_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{apiVersion=\"{{apiVersion}}\",group=\"{{group}}\",kind=\"{{kind}}\"}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Successes", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Conversions/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 24, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_source_kube_dynamic_converter_failure_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Error", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Kubernetes Object Conversion Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "Failures/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 41 + }, + "id": 18, + "panels": [], + "title": "Mesh Configuration Protocol", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 20, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(galley_mcp_source_clients_total)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Clients", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Connected Clients", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 42 + }, + "id": 22, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum by(collection)(irate(galley_mcp_source_request_acks_total[1m]) * 60)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request ACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "ACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 42 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "rate(galley_mcp_source_request_nacks_total[1m]) * 60", + "format": "time_series", + "intervalFactor": 1, + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Request NACKs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "NACKs/min", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Galley Dashboard", + "uid": "TSEY6jLmk", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-mesh-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-mesh-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "content": "
\n
\n Istio\n
\n
\n Istio is an open platform that provides a uniform way to connect,\n manage, and \n secure microservices.\n
\n Need help? Join the Istio community.\n
\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "50px", + "id": 13, + "links": [], + "mode": "html", + "style": { + "font-size": "18pt" + }, + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 20, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\"}[1m])), 0.001)", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Global Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 21, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "95, 99, 99.5", + "title": "Global Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 22, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"4.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "4xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 23, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", response_code=~\"5.*\"}[1m])) ", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "5xxs", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 21, + "w": 24, + "x": 0, + "y": 6 + }, + "hideTimeOverride": false, + "id": 73, + "links": [], + "pageSize": null, + "repeat": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 4, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "Workload dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_2&var-workload=$__cell_", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Requests", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [], + "type": "number", + "unit": "ops" + }, + { + "alias": "P50 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #B", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P90 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #D", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "P99 Latency", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #E", + "thresholds": [], + "type": "number", + "unit": "s" + }, + { + "alias": "Success Rate", + "colorMode": "cell", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #F", + "thresholds": [ + ".95", + " 1.00" + ], + "type": "number", + "unit": "percentunit" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-workload=$__cell_2&var-namespace=$__cell_3", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_requests_total{reporter=\"destination\", response_code=\"200\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "A" + }, + { + "expr": "label_join(histogram_quantile(0.50, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload}}.{{ destination_workload_namespace }}", + "refId": "B" + }, + { + "expr": "label_join(histogram_quantile(0.90, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "D" + }, + { + "expr": "label_join(histogram_quantile(0.99, sum(rate(istio_request_duration_seconds_bucket{reporter=\"destination\"}[1m])) by (le, destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "E" + }, + { + "expr": "label_join((sum(rate(istio_requests_total{reporter=\"destination\", response_code!~\"5.*\"}[1m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\"}[1m])) by (destination_workload, destination_workload_namespace)), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "F" + } + ], + "timeFrom": null, + "title": "HTTP/GRPC Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "columns": [], + "datasource": "Prometheus", + "fontSize": "100%", + "gridPos": { + "h": 18, + "w": 24, + "x": 0, + "y": 27 + }, + "hideTimeOverride": false, + "id": 109, + "links": [], + "pageSize": null, + "repeatDirection": "v", + "scroll": true, + "showHeader": true, + "sort": { + "col": 2, + "desc": true + }, + "styles": [ + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": false, + "linkTargetBlank": false, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-tcp-workload-dashboard?var-namespace=$__cell_2&&var-workload=$__cell", + "pattern": "destination_workload", + "preserveFormat": false, + "sanitize": false, + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Bytes Sent", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #A", + "thresholds": [ + "" + ], + "type": "number", + "unit": "Bps" + }, + { + "alias": "Bytes Received", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Value #C", + "thresholds": [], + "type": "number", + "unit": "Bps" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "Time", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Workload", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-workload-dashboard?var-namespace=$__cell_3&var-workload=$__cell_2", + "pattern": "destination_workload_var", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "alias": "", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "pattern": "destination_workload_namespace", + "thresholds": [], + "type": "hidden", + "unit": "short" + }, + { + "alias": "Service", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "link": true, + "linkTooltip": "$__cell dashboard", + "linkUrl": "/dashboard/db/istio-service-dashboard?var-service=$__cell", + "pattern": "destination_service", + "thresholds": [], + "type": "number", + "unit": "short" + } + ], + "targets": [ + { + "expr": "label_join(sum(rate(istio_tcp_received_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "C" + }, + { + "expr": "label_join(sum(rate(istio_tcp_sent_bytes_total{reporter=\"source\"}[1m])) by (destination_workload, destination_workload_namespace, destination_service), \"destination_workload_var\", \".\", \"destination_workload\", \"destination_workload_namespace\")", + "format": "table", + "hide": false, + "instant": true, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}", + "refId": "A" + } + ], + "timeFrom": null, + "title": "TCP Workloads", + "transform": "table", + "transparent": false, + "type": "table" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 45 + }, + "id": 111, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Mesh Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-performance-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-performance-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [ + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 2, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m])) / (round(sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m])), 0.001)/1000)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "(sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))/ (round(sum(irate(istio_requests_total[1m])), 0.001)/1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU / 1k rps", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-telemetry-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-ingressgateway-.*\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "B" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{namespace!=\"istio-system\",container_name=\"istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "C" + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{pod_name=~\"istio-policy-.*\",container_name=~\"mixer|istio-proxy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "vCPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-telemetry-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000)) / (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry / 1k rps", + "refId": "A" + }, + { + "expr": "sum(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\"}) / count(container_memory_usage_bytes{pod_name=~\"istio-ingressgateway-.*\",container_name!=\"POD\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"}) / count(container_memory_usage_bytes{namespace!=\"istio-system\",container_name=\"istio-proxy\"})", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "per istio-proxy", + "refId": "B" + }, + { + "expr": "(sum(container_memory_usage_bytes{pod_name=~\"istio-policy-.*\"}) / (sum(irate(istio_requests_total[1m])) / 1000))/ (sum(irate(istio_requests_total{source_workload=\"istio-ingressgateway\"}[1m])) >bool 10)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy / 1k rps", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-telemetry\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-telemetry\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-telemetry", + "refId": "A" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload=\"istio-ingressgateway\", reporter=\"source\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-ingressgateway", + "refId": "C" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_response_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m])) + sum(irate(istio_request_bytes_sum{source_workload_namespace!=\"istio-system\", reporter=\"source\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload_namespace!=\"istio-system\", reporter=\"destination\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-proxy", + "refId": "D" + }, + { + "expr": "sum(irate(istio_response_bytes_sum{destination_workload=\"istio-policy\"}[1m])) + sum(irate(istio_request_bytes_sum{destination_workload=\"istio-policy\"}[1m]))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "istio-policy", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes transferred / sec", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 9, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 8, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build) by (component, tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ component }}: {{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Istio Components by Version", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": false, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "The charts on this dashboard are intended to show Istio main components cost in terms resources utilization under steady load.\n\n- **vCPU/1k rps:** shows vCPU utilization by the main Istio components normalized by 1000 requests/second. When idle or low traffic, this chart will be blank. The curve for istio-proxy refers to the services sidecars only. \n- **vCPU:** vCPU utilization by Istio components, not normalized.\n- **Memory:** memory footprint for the components. Telemetry and policy are normalized by 1k rps, and no data is shown when there is no traffic. For ingress and istio-proxy, the data is per instance. \n- **Bytes transferred/ sec:** shows the number of bytes flowing through each Istio component.", + "gridPos": { + "h": 4, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 11, + "links": [], + "mode": "markdown", + "title": "Istio Performance Dashboard Readme", + "type": "text" + } + ], + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Performance Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-service-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-service-dashboard.json: '{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "iteration": 1536442501501, + "links": [], + "panels": [ + { + "content": "
\nSERVICE: $service\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Client Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"source\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Client Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Client Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 3 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Received Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 97, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Server Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 6, + "y": 7 + }, + "id": 98, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_service=~\"$service\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Server Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 6, + "x": 12, + "y": 7 + }, + "id": 99, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_service=~\"$service\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 100, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", destination_service=~\"$service\"}[1m])) ", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Sent Bytes", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nCLIENT WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"source\",source_workload=~\"$srcwl\",source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"source\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "
\nSERVICE WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 90, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\",destination_service=~\"$service\",reporter=\"destination\",destination_workload=~\"$dstwl\",destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", reporter=\"destination\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 91, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\",response_code!~\"5.*\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[5m])) by (destination_workload, destination_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 94, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 95, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 96, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 92, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{ destination_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 93, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", destination_service=~\"$service\", destination_workload=~\"$dstwl\", destination_workload_namespace=~\"$dstns\"}[1m])) by (destination_workload, destination_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_workload }}.{{destination_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Service", + "multi": false, + "name": "service", + "options": [], + "query": "label_values(destination_service)", + "refresh": 1, + "regex": "", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Client Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload Namespace", + "multi": true, + "name": "dstns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=\"$service\"}) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\"}) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": { + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Service Workload", + "multi": true, + "name": "dstwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_service=~\"$service\", destination_workload_namespace=~\"$dstns\"}) by (destination_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Service Dashboard", + "uid": "LJ_uJAvmk", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-istio-workload-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + istio-workload-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.0.4" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "singlestat", + "name": "Singlestat", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "iteration": 1531345461465, + "links": [], + "panels": [ + { + "content": "
\nWORKLOAD: $workload.$namespace\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 89, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "datasource": "Prometheus", + "format": "ops", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 0, + "y": 3 + }, + "id": 12, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m])), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "refId": "A", + "step": 4 + } + ], + "thresholds": "", + "title": "Incoming Request Volume", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "current" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "rgba(50, 172, 45, 0.97)", + "rgba(237, 129, 40, 0.89)", + "rgba(245, 54, 54, 0.9)" + ], + "datasource": "Prometheus", + "decimals": null, + "format": "percentunit", + "gauge": { + "maxValue": 100, + "minValue": 80, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": false + }, + "gridPos": { + "h": 4, + "w": 8, + "x": 8, + "y": 3 + }, + "id": 14, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\",response_code!~\"5.*\"}[5m])) / sum(irate(istio_requests_total{reporter=\"destination\",destination_workload_namespace=~\"$namespace\",destination_workload=~\"$workload\"}[5m]))", + "format": "time_series", + "intervalFactor": 1, + "refId": "B" + } + ], + "thresholds": "95, 99, 99.5", + "title": "Incoming Success Rate (non-5xx responses)", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 4, + "w": 8, + "x": 16, + "y": 3 + }, + "id": 87, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": false, + "hideZero": false, + "max": false, + "min": false, + "rightSide": true, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "interval": "", + "intervalFactor": 1, + "legendFormat": "P50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P90", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\",destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\"}[1m])) by (le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "P99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Request Duration", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 0, + "y": 7 + }, + "id": 84, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Server Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "cacheTimeout": null, + "colorBackground": false, + "colorValue": false, + "colors": [ + "#299c46", + "rgba(237, 129, 40, 0.89)", + "#d44a3a" + ], + "datasource": "Prometheus", + "format": "Bps", + "gauge": { + "maxValue": 100, + "minValue": 0, + "show": false, + "thresholdLabels": false, + "thresholdMarkers": true + }, + "gridPos": { + "h": 4, + "w": 12, + "x": 12, + "y": 7 + }, + "id": 85, + "interval": null, + "links": [], + "mappingType": 1, + "mappingTypes": [ + { + "name": "value to text", + "value": 1 + }, + { + "name": "range to text", + "value": 2 + } + ], + "maxDataPoints": 100, + "nullPointMode": "connected", + "nullText": null, + "postfix": "", + "postfixFontSize": "50%", + "prefix": "", + "prefixFontSize": "50%", + "rangeMaps": [ + { + "from": "null", + "text": "N/A", + "to": "null" + } + ], + "sparkline": { + "fillColor": "rgba(31, 118, 189, 0.18)", + "full": true, + "lineColor": "rgb(31, 120, 193)", + "show": true + }, + "tableColumn": "", + "targets": [ + { + "expr": "sum(irate(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m])) + sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "thresholds": "", + "title": "TCP Client Traffic", + "transparent": false, + "type": "singlestat", + "valueFontSize": "80%", + "valueMaps": [ + { + "op": "=", + "text": "N/A", + "value": "null" + } + ], + "valueName": "avg" + }, + { + "content": "
\nINBOUND WORKLOADS\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 11 + }, + "id": 45, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 14 + }, + "id": 25, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", reporter=\"destination\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests by Source And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 14 + }, + "id": 26, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\",response_code!~\"5.*\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace) / sum(rate(istio_requests_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[5m])) by (source_workload, source_workload_namespace)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Success Rate (non-5xx responses) By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 20 + }, + "id": 27, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Duration by Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 20 + }, + "id": 28, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Request Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 20 + }, + "id": 68, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload=~\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{source_workload}}.{{source_workload_namespace}} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Source", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 26 + }, + "id": 80, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"destination\", connection_security_policy!=\"mutual_tls\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 26 + }, + "id": 82, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"destination\", destination_workload_namespace=~\"$namespace\", destination_workload=~\"$workload\", source_workload=~\"$srcwl\", source_workload_namespace=~\"$srcns\"}[1m])) by (source_workload, source_workload_namespace), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ source_workload }}.{{ source_workload_namespace}}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent to Incoming TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "content": "
\nOUTBOUND SERVICES\n
", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 32 + }, + "id": 69, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 0, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 35 + }, + "id": 70, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null as zero", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }} (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_requests_total{connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", reporter=\"source\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service, response_code), 0.001)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} : {{ response_code }}", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Requests by Destination And Response Code", + "tooltip": { + "shared": false, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [ + "total" + ] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 35 + }, + "id": 71, + "legend": { + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\",response_code!~\"5.*\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service) / sum(irate(istio_requests_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[5m])) by (destination_service)", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Success Rate (non-5xx responses) By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "percentunit", + "label": null, + "logBase": 1, + "max": "1.01", + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "description": "", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 41 + }, + "id": 72, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "hideZero": false, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_duration_seconds_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Duration by Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 41 + }, + "id": 73, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_request_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Outgoing Request Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 41 + }, + "id": 74, + "legend": { + "alignAsTable": false, + "avg": false, + "current": false, + "hideEmpty": true, + "max": false, + "min": false, + "rightSide": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50 (🔐mTLS)", + "refId": "D", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90 (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95 (🔐mTLS)", + "refId": "B", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99 (🔐mTLS)", + "refId": "C", + "step": 2 + }, + { + "expr": "histogram_quantile(0.50, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P50", + "refId": "E", + "step": 2 + }, + { + "expr": "histogram_quantile(0.90, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P90", + "refId": "F", + "step": 2 + }, + { + "expr": "histogram_quantile(0.95, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P95", + "refId": "G", + "step": 2 + }, + { + "expr": "histogram_quantile(0.99, sum(irate(istio_response_bytes_bucket{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service, le))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} P99", + "refId": "H", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Size By Destination", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "decbytes", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 0, + "y": 47 + }, + "id": 76, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_sent_bytes_total{connection_security_policy!=\"mutual_tls\", reporter=\"source\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Sent on Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 12, + "x": 12, + "y": 47 + }, + "id": 78, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }} (🔐mTLS)", + "refId": "A", + "step": 2 + }, + { + "expr": "round(sum(irate(istio_tcp_received_bytes_total{reporter=\"source\", connection_security_policy!=\"mutual_tls\", source_workload_namespace=~\"$namespace\", source_workload=~\"$workload\", destination_service=~\"$dstsvc\"}[1m])) by (destination_service), 0.001)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ destination_service }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Bytes Received from Outgoing TCP Connection", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "Bps", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ] + } + ], + "refresh": "10s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Namespace", + "multi": false, + "name": "namespace", + "options": [], + "query": "query_result(sum(istio_requests_total) by (destination_workload_namespace) or sum(istio_tcp_sent_bytes_total) by (destination_workload_namespace))", + "refresh": 1, + "regex": "/.*_namespace=\"([^\"]*).*/", + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": false, + "label": "Workload", + "multi": false, + "name": "workload", + "options": [], + "query": "query_result((sum(istio_requests_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_requests_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)) or (sum(istio_tcp_sent_bytes_total{destination_workload_namespace=~\"$namespace\"}) by (destination_workload) or sum(istio_tcp_sent_bytes_total{source_workload_namespace=~\"$namespace\"}) by (source_workload)))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload Namespace", + "multi": true, + "name": "srcns", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\"}) by (source_workload_namespace))", + "refresh": 1, + "regex": "/.*namespace=\"([^\"]*).*/", + "sort": 2, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Inbound Workload", + "multi": true, + "name": "srcwl", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload) or sum(istio_tcp_sent_bytes_total{reporter=\"destination\", destination_workload=\"$workload\", destination_workload_namespace=~\"$namespace\", source_workload_namespace=~\"$srcns\"}) by (source_workload))", + "refresh": 1, + "regex": "/.*workload=\"([^\"]*).*/", + "sort": 3, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Destination Service", + "multi": true, + "name": "dstsvc", + "options": [], + "query": "query_result( sum(istio_requests_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service) or sum(istio_tcp_sent_bytes_total{reporter=\"source\", source_workload=~\"$workload\", source_workload_namespace=~\"$namespace\"}) by (destination_service))", + "refresh": 1, + "regex": "/.*destination_service=\"([^\"]*).*/", + "sort": 4, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Workload Dashboard", + "uid": "UbsSZTDik", + "version": 1 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-mixer-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + mixer-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "iteration": 1543881232533, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 62, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 64, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"mixer\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Mixer Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_virtual_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory ({{ job }})", + "refId": "I" + }, + { + "expr": "sum(process_resident_memory_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory ({{ job }})", + "refId": "H" + }, + { + "expr": "sum(go_memstats_heap_sys_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(go_memstats_heap_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc ({{ job }})", + "refId": "D" + }, + { + "expr": "sum(go_memstats_alloc_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc ({{ job }})", + "refId": "F" + }, + { + "expr": "sum(go_memstats_heap_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use ({{ job }})", + "refId": "E" + }, + { + "expr": "sum(go_memstats_stack_inuse_bytes{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use ({{ job }})", + "refId": "G" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "C" + }, + { + "expr": "sum(label_replace(container_memory_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} total (k8s)", + "refId": "A" + }, + { + "expr": "label_replace(sum(rate(container_cpu_usage_seconds_total{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}[1m])) by (container_name, pod_name), \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }} (k8s)", + "refId": "B" + }, + { + "expr": "sum(irate(process_cpu_seconds_total{job=~\"istio-telemetry|istio-policy\"}[1m])) by (job)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ job }} (self-reported)", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(process_open_fds{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs ({{ job }})", + "refId": "A" + }, + { + "expr": "sum(label_replace(container_fs_usage_bytes{container_name=~\"mixer|istio-proxy\", pod_name=~\"istio-telemetry-.*|istio-policy-.*\"}, \"service\", \"$1\" , \"pod_name\", \"(istio-telemetry|istio-policy)-.*\")) by (container_name, service)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ service }} - {{ container_name }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(go_goroutines{job=~\"istio-telemetry|istio-policy\"}) by (job)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines ({{ job }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Mixer Overview

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "height": "40px", + "id": 30, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 21 + }, + "id": 9, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "mixer (Total)", + "refId": "B" + }, + { + "expr": "sum(rate(grpc_io_server_completed_rpcs[1m])) by (grpc_server_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "mixer ({{ grpc_server_method }})", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Incoming Requests", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 6, + "y": 21 + }, + "id": 8, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "{}", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.5", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.9, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.9", + "refId": "C" + }, + { + "expr": "histogram_quantile(0.99, sum(rate(grpc_io_server_server_latency_bucket{}[1m])) by (grpc_server_method, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ grpc_server_method }} 0.99", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Response Durations", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ms", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 12, + "y": 21 + }, + "id": 11, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(grpc_server_handled_total{grpc_code=~\"Unknown|Unimplemented|Internal|DataLoss\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Server Error Rate (5xx responses)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 21 + }, + "id": 12, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(grpc_server_handled_total{grpc_code!=\"OK\",grpc_service=~\".*Mixer\"}[1m])) by (grpc_method)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Mixer {{ grpc_method }}", + "refId": "B" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Non-successes (4xxs)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Adapters and Config

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 27 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 30 + }, + "id": 13, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(mixer_runtime_dispatches_total{adapter=~\"$adapter\"}[1m])) by (adapter)", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Count", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 30 + }, + "id": 14, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "histogram_quantile(0.5, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p50", + "refId": "A" + }, + { + "expr": "histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p90 ", + "refId": "B" + }, + { + "expr": "histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=~\"$adapter\"}[1m])) by (adapter, le))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ adapter }} - p99", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Adapter Dispatch Duration", + "tooltip": { + "shared": true, + "sort": 1, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 37 + }, + "id": 60, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Rules", + "refId": "A" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Config Errors", + "refId": "B" + }, + { + "expr": "scalar(topk(1, max(mixer_config_rule_config_match_error_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Match Errors", + "refId": "C" + }, + { + "expr": "scalar(topk(1, max(mixer_config_unsatisfied_action_handler_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Unsatisfied Actions", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rules", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 37 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_instance_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Instances", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Instances in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 37 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_handler_config_count) by (configID)))", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Handlers", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Handlers in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 37 + }, + "id": 58, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "scalar(topk(1, max(mixer_config_attribute_count) by (configID)))", + "format": "time_series", + "instant": false, + "intervalFactor": 1, + "legendFormat": "Attributes", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Attributes in Latest Config", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Individual Adapters

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 44 + }, + "id": 23, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 47 + }, + "id": 46, + "panels": [], + "repeat": "adapter", + "title": "$adapter Adapter", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 48 + }, + "id": 17, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(irate(mixer_runtime_dispatches_total{adapter=\"$adapter\"}[1m]),\"handler\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ handler }} (error: {{ error }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Count By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 48 + }, + "id": 18, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(histogram_quantile(0.5, sum(rate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p50 - {{ handler_short }} (error: {{ error }})", + "refId": "A" + }, + { + "expr": "label_replace(histogram_quantile(0.9, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p90 - {{ handler_short }} (error: {{ error }})", + "refId": "D" + }, + { + "expr": "label_replace(histogram_quantile(0.99, sum(irate(mixer_runtime_dispatch_duration_seconds_bucket{adapter=\"$adapter\"}[1m])) by (handler, error, le)), \"handler_short\", \"$1 ($3)\", \"handler\", \"(.*)\\\\.(.*)\\\\.(.*)\")", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "p99 - {{ handler_short }} (error: {{ error }})", + "refId": "E" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Dispatch Duration By Handler", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "allValue": null, + "current": {}, + "datasource": "Prometheus", + "hide": 0, + "includeAll": true, + "label": "Adapter", + "multi": true, + "name": "adapter", + "options": [], + "query": "label_values(adapter)", + "refresh": 2, + "regex": "", + "sort": 1, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "", + "title": "Istio Mixer Dashboard", + "version": 4 +} +' +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana-configuration-dashboards-pilot-dashboard + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + pilot-dashboard.json: '{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "5.2.3" + }, + { + "type": "panel", + "id": "graph", + "name": "Graph", + "version": "5.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "5.0.0" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "5.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": false, + "gnetId": null, + "graphTooltip": 1, + "id": null, + "links": [], + "panels": [ + { + "content": "

Deployed Versions

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 0 + }, + "height": "40", + "id": 58, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 5, + "w": 24, + "x": 0, + "y": 3 + }, + "id": 56, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(istio_build{component=\"pilot\"}) by (tag)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ tag }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Pilot Versions", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

Resource Usage

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 8 + }, + "height": "40", + "id": 29, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 11 + }, + "id": 5, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_virtual_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "instant": false, + "intervalFactor": 2, + "legendFormat": "Virtual Memory", + "refId": "I", + "step": 2 + }, + { + "expr": "process_resident_memory_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Resident Memory", + "refId": "H", + "step": 2 + }, + { + "expr": "go_memstats_heap_sys_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap sys", + "refId": "A" + }, + { + "expr": "go_memstats_heap_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 2, + "legendFormat": "heap alloc", + "refId": "D" + }, + { + "expr": "go_memstats_alloc_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Alloc", + "refId": "F", + "step": 2 + }, + { + "expr": "go_memstats_heap_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Heap in-use", + "refId": "E", + "step": 2 + }, + { + "expr": "go_memstats_stack_inuse_bytes{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Stack in-use", + "refId": "G", + "step": 2 + }, + { + "expr": "sum(container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"})", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "C", + "step": 2 + }, + { + "expr": "container_memory_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Memory", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 11 + }, + "id": 6, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "Total (k8s)", + "refId": "A", + "step": 2 + }, + { + "expr": "sum(rate(container_cpu_usage_seconds_total{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}[1m])) by (container_name)", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "{{ container_name }} (k8s)", + "refId": "B", + "step": 2 + }, + { + "expr": "irate(process_cpu_seconds_total{job=\"pilot\"}[1m])", + "format": "time_series", + "hide": false, + "intervalFactor": 2, + "legendFormat": "pilot (self-reported)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "CPU", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 11 + }, + "id": 7, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "process_open_fds{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "instant": false, + "interval": "", + "intervalFactor": 2, + "legendFormat": "Open FDs (pilot)", + "refId": "A" + }, + { + "expr": "container_fs_usage_bytes{container_name=~\"discovery|istio-proxy\", pod_name=~\"istio-pilot-.*\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "{{ container_name }}", + "refId": "B", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Disk", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "bytes", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "decimals": null, + "format": "none", + "label": "", + "logBase": 1024, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 11 + }, + "id": 4, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": false, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "go_goroutines{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Number of Goroutines", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Goroutines", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": "", + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "content": "

xDS

", + "gridPos": { + "h": 3, + "w": 24, + "x": 0, + "y": 18 + }, + "id": 28, + "links": [], + "mode": "html", + "title": "", + "transparent": true, + "type": "text" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 0, + "y": 21 + }, + "id": 40, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(irate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m]))", + "format": "time_series", + "hide": false, + "intervalFactor": 1, + "legendFormat": "XDS GRPC Successes", + "refId": "C" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Updates", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 8, + "y": 21 + }, + "id": 42, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "round(sum(rate(envoy_cluster_update_attempt{cluster_name=\"xds-grpc\"}[1m])) - sum(rate(envoy_cluster_update_success{cluster_name=\"xds-grpc\"}[1m])))", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "XDS GRPC ", + "refId": "A", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "ops", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 6, + "w": 8, + "x": 16, + "y": 21 + }, + "id": 41, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(envoy_cluster_upstream_cx_active{cluster_name=\"xds-grpc\"})", + "format": "time_series", + "intervalFactor": 2, + "legendFormat": "Pilot (XDS GRPC)", + "refId": "C", + "step": 2 + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Active Connections", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 27 + }, + "id": 45, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_conflict_inbound_listener{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Inbound Listeners", + "refId": "B" + }, + { + "expr": "pilot_conflict_outbound_listener_http_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (http over current tcp)", + "refId": "A" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_tcp{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current tcp)", + "refId": "C" + }, + { + "expr": "pilot_conflict_outbound_listener_tcp_over_current_http{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Outbound Listeners (tcp over current http)", + "refId": "D" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Conflicts", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 27 + }, + "id": 47, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "pilot_virt_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Virtual Services", + "refId": "A" + }, + { + "expr": "pilot_services{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Services", + "refId": "B" + }, + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected CDS Configs - {{ node }}: {{ err }}", + "refId": "C" + }, + { + "expr": "pilot_xds_eds_reject{job=\"pilot\"}", + "format": "time_series", + "hide": true, + "intervalFactor": 1, + "legendFormat": "Rejected EDS Configs", + "refId": "D" + }, + { + "expr": "pilot_xds{job=\"pilot\"}", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Connected Endpoints", + "refId": "E" + }, + { + "expr": "rate(pilot_xds_write_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Write Timeouts", + "refId": "F" + }, + { + "expr": "rate(pilot_xds_push_timeout{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Timeouts", + "refId": "G" + }, + { + "expr": "rate(pilot_xds_pushes{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Pushes ({{ type }})", + "refId": "H" + }, + { + "expr": "rate(pilot_xds_push_errors{job=\"pilot\"}[1m])", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "Push Errors ({{ type }})", + "refId": "I" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "ADS Monitoring", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 27 + }, + "id": 49, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_cds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{ err }})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected CDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 35 + }, + "id": 52, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_eds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected EDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 8, + "y": 35 + }, + "id": 54, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_lds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected LDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 16, + "y": 35 + }, + "id": 53, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "label_replace(sum(pilot_xds_rds_reject{job=\"pilot\"}) by (node, err), \"node\", \"$1\", \"node\", \".*~.*~(.*)~.*\")", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ node }} ({{err}})", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "Rejected RDS Configs", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": { + "outbound|80||default-http-backend.kube-system.svc.cluster.local": "rgba(255, 255, 255, 0.97)" + }, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "Prometheus", + "fill": 1, + "gridPos": { + "h": 7, + "w": 8, + "x": 0, + "y": 42 + }, + "id": 51, + "legend": { + "avg": false, + "current": false, + "max": false, + "min": false, + "show": true, + "total": false, + "values": false + }, + "lines": true, + "linewidth": 1, + "links": [], + "nullPointMode": "null", + "percentage": false, + "pointradius": 5, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "alias": "outbound|80||default-http-backend.kube-system.svc.cluster.local", + "yaxis": 1 + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "expr": "sum(pilot_xds_eds_instances{job=\"pilot\"}) by (cluster)", + "format": "time_series", + "intervalFactor": 1, + "legendFormat": "{{ cluster }}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeShift": null, + "title": "EDS Instances", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + }, + { + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + } + ], + "refresh": "5s", + "schemaVersion": 16, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "5s", + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ], + "time_options": [ + "5m", + "15m", + "1h", + "6h", + "12h", + "24h", + "2d", + "7d", + "30d" + ] + }, + "timezone": "browser", + "title": "Istio Pilot Dashboard", + "version": 4 +} +' +--- + +--- +# Source: istio/charts/grafana/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-grafana + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + istio: grafana +data: + datasources.yaml: | + apiVersion: 1 + datasources: + - access: proxy + editable: true + isDefault: true + jsonData: + timeInterval: 5s + name: Prometheus + orgId: 1 + type: prometheus + url: http://prometheus:9090 + + dashboardproviders.yaml: | + apiVersion: 1 + providers: + - disableDeletion: false + folder: istio + name: istio + options: + path: /var/lib/grafana/dashboards/istio + orgId: 1 + type: file + +--- +# Source: istio/charts/kiali/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +data: + config.yaml: | + istio_namespace: istio-system + server: + port: 20001 + external_services: + istio: + url_service_version: http://istio-pilot:8080/version + jaeger: + url: + grafana: + url: + +--- +# Source: istio/charts/prometheus/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: prometheus + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +data: + prometheus.yml: |- + global: + scrape_interval: 15s + scrape_configs: + + - job_name: 'istio-mesh' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;prometheus + + # Scrape config for envoy stats + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:15090 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + metric_relabel_configs: + # Exclude some of the envoy metrics that have massive cardinality + # This list may need to be pruned further moving forward, as informed + # by performance and scalability testing. + - source_labels: [ cluster_name ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ tcp_prefix ] + regex: '(outbound|inbound|prometheus_stats).*' + action: drop + - source_labels: [ listener_address ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_listener_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ http_conn_manager_prefix ] + regex: '(.+)' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tls.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_tcp_downstream.*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_http_(stats|admin).*' + action: drop + - source_labels: [ __name__ ] + regex: 'envoy_cluster_(lb|retry|bind|internal|max|original).*' + action: drop + + - job_name: 'istio-policy' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-policy;http-monitoring + + - job_name: 'istio-telemetry' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-telemetry;http-monitoring + + - job_name: 'pilot' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-pilot;http-monitoring + + - job_name: 'galley' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-galley;http-monitoring + + - job_name: 'citadel' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istio-citadel;http-monitoring + + # scrape config for API servers + - job_name: 'kubernetes-apiservers' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - default + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + relabel_configs: + - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: kubernetes;https + + # scrape config for nodes (kubelet) + - job_name: 'kubernetes-nodes' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics + + # Scrape config for Kubelet cAdvisor. + # + # This is required for Kubernetes 1.7.3 and later, where cAdvisor metrics + # (those whose names begin with 'container_') have been removed from the + # Kubelet metrics endpoint. This job scrapes the cAdvisor endpoint to + # retrieve those metrics. + # + # In Kubernetes 1.7.0-1.7.2, these metrics are only exposed on the cAdvisor + # HTTP endpoint; use "replacement: /api/v1/nodes/${1}:4194/proxy/metrics" + # in that case (and ensure cAdvisor's HTTP server hasn't been disabled with + # the --cadvisor-port=0 Kubelet flag). + # + # This job is not necessary and should be removed in Kubernetes 1.6 and + # earlier versions, or it will cause the metrics to be scraped twice. + - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor + + # scrape config for service endpoints. + - job_name: 'kubernetes-service-endpoints' + kubernetes_sd_configs: + - role: endpoints + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + + - job_name: 'kubernetes-pods' + kubernetes_sd_configs: + - role: pod + relabel_configs: # If first two labels are present, pod should be scraped by the istio-secure job. + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # Keep target if there's no sidecar or if prometheus.io/scheme is explicitly set to "http" + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: keep + regex: ((;.*)|(.*;http)) + - source_labels: [__meta_kubernetes_pod_annotation_istio_mtls] + action: drop + regex: (true) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name + + - job_name: 'kubernetes-pods-istio-secure' + scheme: https + tls_config: + ca_file: /etc/istio-certs/root-cert.pem + cert_file: /etc/istio-certs/cert-chain.pem + key_file: /etc/istio-certs/key.pem + insecure_skip_verify: true # prometheus does not support secure naming. + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + # sidecar status annotation is added by sidecar injector and + # istio_workload_mtls_ability can be specifically placed on a pod to indicate its ability to receive mtls traffic. + - source_labels: [__meta_kubernetes_pod_annotation_sidecar_istio_io_status, __meta_kubernetes_pod_annotation_istio_mtls] + action: keep + regex: (([^;]+);([^;]*))|(([^;]*);(true)) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: drop + regex: (http) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__] # Only keep address that is host:port + action: keep # otherwise an extra target with ':443' is added for https scheme + regex: ([^:]+):(\d+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod_name +--- +# Source: istio/charts/security/templates/configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-security-custom-resources + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +data: + custom-resources.yaml: |- + # Authentication policy to enable permissive mode for all services (that have sidecar) in the mesh. + apiVersion: "authentication.istio.io/v1alpha1" + kind: "MeshPolicy" + metadata: + name: "default" + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + peers: + - mtls: + mode: PERMISSIVE + run.sh: |- + #!/bin/sh + + set -x + + if [ "$#" -ne "1" ]; then + echo "first argument should be path to custom resource yaml" + exit 1 + fi + + pathToResourceYAML=${1} + + kubectl get validatingwebhookconfiguration istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + echo "istio-galley validatingwebhookconfiguration found - waiting for istio-galley deployment to be ready" + while true; do + kubectl -n istio-system get deployment istio-galley 2>/dev/null + if [ "$?" -eq 0 ]; then + break + fi + sleep 1 + done + kubectl -n istio-system rollout status deployment istio-galley + if [ "$?" -ne 0 ]; then + echo "istio-galley deployment rollout status check failed" + exit 1 + fi + echo "istio-galley deployment ready for configuration validation" + fi + sleep 5 + kubectl apply -f ${pathToResourceYAML} + + +--- +# Source: istio/templates/configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio + labels: + app: istio + chart: istio + heritage: Tiller + release: istio +data: + mesh: |- + # Set the following variable to true to disable policy checks by the Mixer. + # Note that metrics will still be reported to the Mixer. + disablePolicyChecks: false + + # Set enableTracing to false to disable request tracing. + enableTracing: true + + # Set accessLogFile to empty string to disable access log. + accessLogFile: "/dev/stdout" + + # If accessLogEncoding is TEXT, value will be used directly as the log format + # example: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\n" + # If AccessLogEncoding is JSON, value will be parsed as map[string]string + # example: '{"start_time": "%START_TIME%", "req_method": "%REQ(:METHOD)%"}' + # Leave empty to use default log format + accessLogFormat: "" + + # Set accessLogEncoding to JSON or TEXT to configure sidecar access log + accessLogEncoding: 'TEXT' + mixerCheckServer: istio-policy.istio-system.svc.cluster.local:9091 + mixerReportServer: istio-telemetry.istio-system.svc.cluster.local:9091 + # policyCheckFailOpen allows traffic in cases when the mixer policy service cannot be reached. + # Default is false which means the traffic is denied when the client is unable to connect to Mixer. + policyCheckFailOpen: false + # Let Pilot give ingresses the public IP of the Istio ingressgateway + ingressService: istio-ingressgateway + + # Default connect timeout for dynamic clusters generated by Pilot and returned via XDS + connectTimeout: 10s + + # DNS refresh rate for Envoy clusters of type STRICT_DNS + dnsRefreshRate: 5s + + # Unix Domain Socket through which envoy communicates with NodeAgent SDS to get + # key/cert for mTLS. Use secret-mount files instead of SDS if set to empty. + sdsUdsPath: + + # This flag is used by secret discovery service(SDS). + # If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + # for k8s service account JWT, so that K8s API server mounts k8s service account JWT to envoy container, which + # will be used to generate key/cert eventually. This isn't supported for non-k8s case. + enableSdsTokenMount: false + + # This flag is used by secret discovery service(SDS). + # If set to true, envoy will fetch normal k8s service account JWT from '/var/run/secrets/kubernetes.io/serviceaccount/token' + # (https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod) + # and pass to sds server, which will be used to request key/cert eventually. + # this flag is ignored if enableSdsTokenMount is set. + # This isn't supported for non-k8s case. + sdsUseK8sSaJwt: false + + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: + + # Set the default behavior of the sidecar for handling outbound traffic from the application: + # ALLOW_ANY - outbound traffic to unknown destinations will be allowed, in case there are no + # services or ServiceEntries for the destination port + # REGISTRY_ONLY - restrict outbound traffic to services defined in the service registry as well + # as those defined through ServiceEntries + outboundTrafficPolicy: + mode: ALLOW_ANY + + localityLbSetting: + {} + + + # The namespace to treat as the administrative root namespace for istio + # configuration. + rootNamespace: istio-system + configSources: + - address: istio-galley.istio-system.svc:9901 + + defaultConfig: + # + # TCP connection timeout between Envoy & the application, and between Envoys. Used for static clusters + # defined in Envoy's configuration file + connectTimeout: 10s + # + ### ADVANCED SETTINGS ############# + # Where should envoy's configuration be stored in the istio-proxy container + configPath: "/etc/istio/proxy" + binaryPath: "/usr/local/bin/envoy" + # The pseudo service name used for Envoy. + serviceCluster: istio-proxy + # These settings that determine how long an old Envoy + # process should be kept alive after an occasional reload. + drainDuration: 45s + parentShutdownDuration: 1m0s + # + # The mode used to redirect inbound connections to Envoy. This setting + # has no effect on outbound traffic: iptables REDIRECT is always used for + # outbound connections. + # If "REDIRECT", use iptables REDIRECT to NAT and redirect to Envoy. + # The "REDIRECT" mode loses source addresses during redirection. + # If "TPROXY", use iptables TPROXY to redirect to Envoy. + # The "TPROXY" mode preserves both the source and destination IP + # addresses and ports, so that they can be used for advanced filtering + # and manipulation. + # The "TPROXY" mode also configures the sidecar to run with the + # CAP_NET_ADMIN capability, which is required to use TPROXY. + #interceptionMode: REDIRECT + # + # Port where Envoy listens (on local host) for admin commands + # You can exec into the istio-proxy container in a pod and + # curl the admin port (curl http://localhost:15000/) to obtain + # diagnostic information from Envoy. See + # https://lyft.github.io/envoy/docs/operations/admin.html + # for more details + proxyAdminPort: 15000 + # + # Set concurrency to a specific number to control the number of Proxy worker threads. + # If set to 0 (default), then start worker thread for each CPU thread/core. + concurrency: 2 + # + tracing: + zipkin: + # Address of the Zipkin collector + address: zipkin.istio-system:9411 + # + # Mutual TLS authentication between sidecars and istio control plane. + controlPlaneAuthPolicy: NONE + # + # Address where istio Pilot service is running + discoveryAddress: istio-pilot.istio-system:15010 + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + networks: {} + +--- +# Source: istio/templates/sidecar-injector-configmap.yaml + +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector + labels: + app: istio + chart: istio + heritage: Tiller + release: istio + istio: sidecar-injector +data: + config: |- + policy: enabled + template: |- + rewriteAppHTTPProbe: false + initContainers: + [[ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "NONE" ]] + - name: istio-init + image: "docker.io/istio/proxy_init:1.1.6" + args: + - "-p" + - [[ .MeshConfig.ProxyListenPort ]] + - "-u" + - 1337 + - "-m" + - [[ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode ]] + - "-i" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` "*" ]]" + - "-x" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` "" ]]" + - "-b" + - "[[ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` (includeInboundPorts .Spec.Containers) ]]" + - "-d" + - "[[ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` "" ) ]]" + [[ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -]] + - "-k" + - "[[ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` ]]" + [[ end -]] + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 10m + memory: 10Mi + limits: + cpu: 100m + memory: 50Mi + securityContext: + runAsUser: 0 + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN + restartPolicy: Always + [[ end -]] + containers: + - name: istio-proxy + image: [[ annotation .ObjectMeta `sidecar.istio.io/proxyImage` "docker.io/istio/proxyv2:1.1.6" ]] + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --configPath + - [[ .ProxyConfig.ConfigPath ]] + - --binaryPath + - [[ .ProxyConfig.BinaryPath ]] + - --serviceCluster + [[ if ne "" (index .ObjectMeta.Labels "app") -]] + - [[ index .ObjectMeta.Labels "app" ]].$(POD_NAMESPACE) + [[ else -]] + - [[ valueOrDefault .DeploymentMeta.Name "istio-proxy" ]].[[ valueOrDefault .DeploymentMeta.Namespace "default" ]] + [[ end -]] + - --drainDuration + - [[ formatDuration .ProxyConfig.DrainDuration ]] + - --parentShutdownDuration + - [[ formatDuration .ProxyConfig.ParentShutdownDuration ]] + - --discoveryAddress + - [[ annotation .ObjectMeta `sidecar.istio.io/discoveryAddress` .ProxyConfig.DiscoveryAddress ]] + - --zipkinAddress + - [[ .ProxyConfig.GetTracing.GetZipkin.GetAddress ]] + - --connectTimeout + - [[ formatDuration .ProxyConfig.ConnectTimeout ]] + - --proxyAdminPort + - [[ .ProxyConfig.ProxyAdminPort ]] + [[ if gt .ProxyConfig.Concurrency 0 -]] + - --concurrency + - [[ .ProxyConfig.Concurrency ]] + [[ end -]] + - --controlPlaneAuthPolicy + - [[ annotation .ObjectMeta `sidecar.istio.io/controlPlaneAuthPolicy` .ProxyConfig.ControlPlaneAuthPolicy ]] + [[- if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]] + - --statusPort + - [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]] + - --applicationPorts + - "[[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/applicationPorts` (applicationPorts .Spec.Containers) ]]" + [[- end ]] + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_INTERCEPTION_MODE + value: [[ or (index .ObjectMeta.Annotations "sidecar.istio.io/interceptionMode") .ProxyConfig.InterceptionMode.String ]] + [[ if .ObjectMeta.Annotations ]] + - name: ISTIO_METAJSON_ANNOTATIONS + value: | + [[ toJSON .ObjectMeta.Annotations ]] + [[ end ]] + [[ if .ObjectMeta.Labels ]] + - name: ISTIO_METAJSON_LABELS + value: | + [[ toJSON .ObjectMeta.Labels ]] + [[ end ]] + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + [[- end ]] + imagePullPolicy: IfNotPresent + [[ if (ne (annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ) "0") ]] + readinessProbe: + httpGet: + path: /healthz/ready + port: [[ annotation .ObjectMeta `status.sidecar.istio.io/port` 15020 ]] + initialDelaySeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` 1 ]] + periodSeconds: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` 2 ]] + failureThreshold: [[ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` 30 ]] + [[ end -]]securityContext: + readOnlyRootFilesystem: true + [[ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) "TPROXY" -]] + capabilities: + add: + - NET_ADMIN + runAsGroup: 1337 + [[ else -]] + + runAsUser: 1337 + [[- end ]] + resources: + [[ if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]] + requests: + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -]] + cpu: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` ]]" + [[ end ]] + [[ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -]] + memory: "[[ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` ]]" + [[ end ]] + [[ else -]] + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + [[ end -]] + volumeMounts: + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + [[- end ]] + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` ]] + [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) ]] + - name: "[[ $index ]]" + [[ toYaml $value | indent 4 ]] + [[ end ]] + [[- end ]] + volumes: + [[- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) ]] + - name: custom-bootstrap-volume + configMap: + name: [[ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` `` ]] + [[- end ]] + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-certs + secret: + optional: true + [[ if eq .Spec.ServiceAccountName "" -]] + secretName: istio.default + [[ else -]] + secretName: [[ printf "istio.%s" .Spec.ServiceAccountName ]] + [[ end -]] + [[- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` ]] + [[ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) ]] + - name: "[[ $index ]]" + [[ toYaml $value | indent 2 ]] + [[ end ]] + [[ end ]] + +--- +# Source: istio/charts/galley/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-galley-service-account + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + +--- +# Source: istio/charts/gateways/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-egressgateway-service-account + labels: + app: istio-egressgateway + chart: gateways + heritage: Tiller + release: istio +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-ingressgateway-service-account + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + release: istio +--- + + +--- +# Source: istio/charts/grafana/templates/create-custom-resources-job.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-grafana-post-install-account + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-grafana-post-install-istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-grafana-post-install-role-binding-istio-system + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-grafana-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-grafana-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-grafana-post-install-1.1.6 + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-grafana-post-install + labels: + app: istio-grafana + chart: grafana + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-grafana-post-install-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + command: [ "/bin/bash", "/tmp/grafana/run.sh", "/tmp/grafana/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/grafana" + name: tmp-configmap-grafana + volumes: + - name: tmp-configmap-grafana + configMap: + name: istio-grafana-custom-resources + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/kiali/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kiali-service-account + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio + +--- +# Source: istio/charts/mixer/templates/serviceaccount.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-mixer-service-account + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + +--- +# Source: istio/charts/pilot/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-pilot-service-account + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + +--- +# Source: istio/charts/prometheus/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: prometheus + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio + +--- +# Source: istio/charts/security/templates/cleanup-secrets.yaml +# The reason for creating a ServiceAccount and ClusterRole specifically for this +# post-delete hooked job is because the citadel ServiceAccount is being deleted +# before this hook is launched. On the other hand, running this hook before the +# deletion of the citadel (e.g. pre-delete) won't delete the secrets because they +# will be re-created immediately by the to-be-deleted citadel. +# +# It's also important that the ServiceAccount, ClusterRole and ClusterRoleBinding +# will be ready before running the hooked Job therefore the hook weights. + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-cleanup-secrets-service-account + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["list", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-cleanup-secrets-istio-system + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "2" + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-cleanup-secrets-istio-system +subjects: + - kind: ServiceAccount + name: istio-cleanup-secrets-service-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-cleanup-secrets-1.1.6 + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "3" + labels: + app: security + chart: security + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-cleanup-secrets + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-cleanup-secrets-service-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + imagePullPolicy: IfNotPresent + command: + - /bin/bash + - -c + - > + kubectl get secret --all-namespaces | grep "istio.io/key-and-cert" | while read -r entry; do + ns=$(echo $entry | awk '{print $1}'); + name=$(echo $entry | awk '{print $2}'); + kubectl delete secret $name -n $ns; + done + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/create-custom-resources-job.yaml + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-security-post-install-account + labels: + app: security + chart: security + heritage: Tiller + release: istio +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: istio-security-post-install-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: ["authentication.istio.io"] # needed to create default authn policy + resources: ["*"] + verbs: ["*"] +- apiGroups: ["networking.istio.io"] # needed to create security destination rules + resources: ["*"] + verbs: ["*"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: istio-security-post-install-role-binding-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-security-post-install-istio-system +subjects: + - kind: ServiceAccount + name: istio-security-post-install-account + namespace: istio-system +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: istio-security-post-install-1.1.6 + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-delete-policy": hook-succeeded + labels: + app: security + chart: security + heritage: Tiller + release: istio +spec: + template: + metadata: + name: istio-security-post-install + labels: + app: security + chart: security + heritage: Tiller + release: istio + spec: + serviceAccountName: istio-security-post-install-account + containers: + - name: kubectl + image: "docker.io/istio/kubectl:1.1.6" + imagePullPolicy: IfNotPresent + command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ] + volumeMounts: + - mountPath: "/tmp/security" + name: tmp-configmap-security + volumes: + - name: tmp-configmap-security + configMap: + name: istio-security-custom-resources + restartPolicy: OnFailure + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-citadel-service-account + labels: + app: security + chart: security + heritage: Tiller + release: istio + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-sidecar-injector-service-account + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + +--- +# Source: istio/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: istio-multi + +--- +# Source: istio/charts/galley/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-galley-istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio +rules: +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["*"] +- apiGroups: ["config.istio.io"] # istio mixer CRD watcher + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions","apps"] + resources: ["deployments"] + resourceNames: ["istio-galley"] + verbs: ["get"] +- apiGroups: [""] + resources: ["pods", "nodes", "services", "endpoints"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments/finalizers"] + resourceNames: ["istio-galley"] + verbs: ["update"] + +--- +# Source: istio/charts/gateways/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-egressgateway-istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-ingressgateway-istio-system + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +rules: +- apiGroups: ["networking.istio.io"] + resources: ["virtualservices", "destinationrules", "gateways"] + verbs: ["get", "watch", "list", "update"] +--- + +--- +# Source: istio/charts/kiali/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - apikeys + - authorizations + - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - reportnothings + - rules + - solarwindses + - stackdrivers + - statsds + - stdios + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kiali-viewer + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - configmaps + - endpoints + - namespaces + - nodes + - pods + - services + - replicationcontrollers + verbs: + - get + - list + - watch +- apiGroups: ["extensions", "apps"] + resources: + - deployments + - statefulsets + - replicasets + verbs: + - get + - list + - watch +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch +- apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: + - get + - list + - watch +- apiGroups: ["config.istio.io"] + resources: + - apikeys + - authorizations + - checknothings + - circonuses + - deniers + - fluentds + - handlers + - kubernetesenvs + - kuberneteses + - listcheckers + - listentries + - logentries + - memquotas + - metrics + - opas + - prometheuses + - quotas + - quotaspecbindings + - quotaspecs + - rbacs + - reportnothings + - rules + - servicecontrolreports + - servicecontrols + - solarwindses + - stackdrivers + - statsds + - stdios + verbs: + - get + - list + - watch +- apiGroups: ["networking.istio.io"] + resources: + - destinationrules + - gateways + - serviceentries + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: ["authentication.istio.io"] + resources: + - policies + - meshpolicies + verbs: + - get + - list + - watch +- apiGroups: ["rbac.istio.io"] + resources: + - clusterrbacconfigs + - rbacconfigs + - serviceroles + - servicerolebindings + verbs: + - get + - list + - watch +- apiGroups: ["monitoring.kiali.io"] + resources: + - monitoringdashboards + verbs: + - get + +--- +# Source: istio/charts/mixer/templates/clusterrole.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-mixer-istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] # istio CRD watcher + resources: ["*"] + verbs: ["create", "get", "list", "watch", "patch"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: ["configmaps", "endpoints", "pods", "services", "namespaces", "secrets", "replicationcontrollers"] + verbs: ["get", "list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/pilot/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +rules: +- apiGroups: ["config.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["rbac.istio.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] +- apiGroups: ["networking.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["authentication.istio.io"] + resources: ["*"] + verbs: ["*"] +- apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] +- apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses", "ingresses/status"] + verbs: ["*"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] +- apiGroups: [""] + resources: ["endpoints", "pods", "services", "namespaces", "nodes", "secrets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/prometheus/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus-istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: + - nodes + - services + - endpoints + - pods + - nodes/proxy + verbs: ["get", "list", "watch"] +- apiGroups: [""] + resources: + - configmaps + verbs: ["get"] +- nonResourceURLs: ["/metrics"] + verbs: ["get"] + +--- +# Source: istio/charts/security/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "update"] +- apiGroups: [""] + resources: ["secrets"] + verbs: ["create", "get", "watch", "list", "update", "delete"] +- apiGroups: [""] + resources: ["serviceaccounts", "services"] + verbs: ["get", "watch", "list"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-sidecar-injector-istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "patch"] + +--- +# Source: istio/templates/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: istio-reader +rules: + - apiGroups: [''] + resources: ['nodes', 'pods', 'services', 'endpoints', "replicationcontrollers"] + verbs: ['get', 'watch', 'list'] + - apiGroups: ["extensions", "apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + +--- +# Source: istio/charts/galley/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-galley-admin-role-binding-istio-system + labels: + app: galley + chart: galley + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-galley-istio-system +subjects: + - kind: ServiceAccount + name: istio-galley-service-account + namespace: istio-system + +--- +# Source: istio/charts/gateways/templates/clusterrolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-egressgateway-istio-system + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-egressgateway-istio-system +subjects: +- kind: ServiceAccount + name: istio-egressgateway-service-account +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-ingressgateway-istio-system + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-ingressgateway-istio-system +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- + +--- +# Source: istio/charts/kiali/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-kiali-admin-role-binding-istio-system + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kiali +subjects: +- kind: ServiceAccount + name: kiali-service-account + +--- +# Source: istio/charts/mixer/templates/clusterrolebinding.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-mixer-admin-role-binding-istio-system + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-mixer-istio-system +subjects: + - kind: ServiceAccount + name: istio-mixer-service-account + namespace: istio-system + +--- +# Source: istio/charts/pilot/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-pilot-istio-system + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-pilot-istio-system +subjects: + - kind: ServiceAccount + name: istio-pilot-service-account + namespace: istio-system + +--- +# Source: istio/charts/prometheus/templates/clusterrolebindings.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: prometheus-istio-system + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: prometheus-istio-system +subjects: +- kind: ServiceAccount + name: prometheus + +--- +# Source: istio/charts/security/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-citadel-istio-system + labels: + app: security + chart: security + heritage: Tiller + release: istio +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-citadel-istio-system +subjects: + - kind: ServiceAccount + name: istio-citadel-service-account + namespace: istio-system + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-sidecar-injector-admin-role-binding-istio-system + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-sidecar-injector-istio-system +subjects: + - kind: ServiceAccount + name: istio-sidecar-injector-service-account + namespace: istio-system + +--- +# Source: istio/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-multi + labels: + chart: istio-1.1.0 +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader +subjects: +- kind: ServiceAccount + name: istio-multi + +--- +# Source: istio/charts/gateways/templates/role.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- + +--- +# Source: istio/charts/gateways/templates/rolebindings.yaml + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: istio-ingressgateway-service-account +--- + +--- +# Source: istio/charts/galley/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-galley + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + ports: + - port: 443 + name: https-validation + - port: 15014 + name: http-monitoring + - port: 9901 + name: grpc-mcp + selector: + istio: galley + +--- +# Source: istio/charts/gateways/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-egressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + type: ClusterIP + selector: + release: istio + app: istio-egressgateway + istio: egressgateway + ports: + - + name: http2 + port: 80 + - + name: https + port: 443 + - + name: tls + port: 15443 + targetPort: 15443 +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway + annotations: + beta.cloud.google.com/backend-config: '{"ports": {"http2":"iap-backendconfig"}}' + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + type: NodePort + selector: + release: istio + app: istio-ingressgateway + istio: ingressgateway + ports: + - + name: status-port + port: 15020 + targetPort: 15020 + - + name: http2 + nodePort: 31380 + port: 80 + targetPort: 80 + - + name: https + nodePort: 31390 + port: 443 + - + name: tcp + nodePort: 31400 + port: 31400 + - + name: https-kiali + port: 15029 + targetPort: 15029 + - + name: https-prometheus + port: 15030 + targetPort: 15030 + - + name: https-grafana + port: 15031 + targetPort: 15031 + - + name: https-tracing + port: 15032 + targetPort: 15032 + - + name: tls + port: 15443 + targetPort: 15443 +--- + +--- +# Source: istio/charts/grafana/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: grafana + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + protocol: TCP + name: http + selector: + app: grafana + +--- +# Source: istio/charts/kiali/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +spec: + ports: + - name: http-kiali + protocol: TCP + port: 20001 + selector: + app: kiali + +--- +# Source: istio/charts/mixer/templates/service.yaml + +apiVersion: v1 +kind: Service +metadata: + name: istio-policy + annotations: + networking.istio.io/exportTo: "*" + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + selector: + istio: mixer + istio-mixer-type: policy +--- +apiVersion: v1 +kind: Service +metadata: + name: istio-telemetry + annotations: + networking.istio.io/exportTo: "*" + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + ports: + - name: grpc-mixer + port: 9091 + - name: grpc-mixer-mtls + port: 15004 + - name: http-monitoring + port: 15014 + - name: prometheus + port: 42422 + selector: + istio: mixer + istio-mixer-type: telemetry +--- + + +--- +# Source: istio/charts/pilot/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-pilot + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot +spec: + ports: + - port: 15010 + name: grpc-xds # direct + - port: 15011 + name: https-xds # mTLS + - port: 8080 + name: http-legacy-discovery # direct + - port: 15014 + name: http-monitoring + selector: + istio: pilot + +--- +# Source: istio/charts/prometheus/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: prometheus + annotations: + prometheus.io/scrape: 'true' + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +spec: + selector: + app: prometheus + ports: + - name: http-prometheus + protocol: TCP + port: 9090 + +--- +# Source: istio/charts/security/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + # we use the normal name here (e.g. 'prometheus') + # as grafana is configured to use this as a data source + name: istio-citadel + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +spec: + ports: + - name: grpc-citadel + port: 8060 + targetPort: 8060 + protocol: TCP + - name: http-monitoring + port: 15014 + selector: + istio: citadel + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: istio-sidecar-injector + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +spec: + ports: + - port: 443 + selector: + istio: sidecar-injector + +--- +# Source: istio/charts/galley/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-galley + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + template: + metadata: + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-galley-service-account + containers: + - name: galley + image: "docker.io/istio/galley:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 443 + - containerPort: 15014 + - containerPort: 9901 + command: + - /usr/local/bin/galley + - server + - --meshConfigFile=/etc/mesh-config/mesh + - --livenessProbeInterval=1s + - --livenessProbePath=/healthliveness + - --readinessProbePath=/healthready + - --readinessProbeInterval=1s + - --deployment-namespace=istio-system + - --insecure=true + - --validation-webhook-config-file + - /etc/config/validatingwebhookconfiguration.yaml + - --monitoringPort=15014 + - --log_output_level=default:info + # see https://github.com/istio/istio/issues/15352 + - --enable-validation=true + volumeMounts: + - name: certs + mountPath: /etc/certs + readOnly: true + - name: config + mountPath: /etc/config + readOnly: true + - name: mesh-config + mountPath: /etc/mesh-config + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthliveness + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + readinessProbe: + exec: + command: + - /usr/local/bin/galley + - probe + - --probe-path=/healthready + - --interval=10s + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + volumes: + - name: certs + secret: + secretName: istio.istio-galley-service-account + - name: config + configMap: + name: istio-galley-configuration + - name: mesh-config + configMap: + name: istio + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/gateways/templates/deployment.yaml + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-egressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + selector: + matchLabels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway + template: + metadata: + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-egressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + - containerPort: 443 + - containerPort: 15443 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-egressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: egressgateway-certs + mountPath: "/etc/istio/egressgateway-certs" + readOnly: true + - name: egressgateway-ca-certs + mountPath: "/etc/istio/egressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-egressgateway-service-account + optional: true + - name: egressgateway-certs + secret: + secretName: "istio-egressgateway-certs" + optional: true + - name: egressgateway-ca-certs + secret: + secretName: "istio-egressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + selector: + matchLabels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway + template: + metadata: + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-ingressgateway-service-account + containers: + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15020 + - containerPort: 80 + - containerPort: 443 + - containerPort: 31400 + - containerPort: 15029 + - containerPort: 15030 + - containerPort: 15031 + - containerPort: 15032 + - containerPort: 15443 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --log_output_level=default:info + - --drainDuration + - '45s' #drainDuration + - --parentShutdownDuration + - '1m0s' #parentShutdownDuration + - --connectTimeout + - '10s' #connectTimeout + - --serviceCluster + - istio-ingressgateway + - --zipkinAddress + - zipkin:9411 + - --proxyAdminPort + - "15000" + - --statusPort + - "15020" + - --controlPlaneAuthPolicy + - NONE + - --discoveryAddress + - istio-pilot:15010 + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15020 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_META_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: ISTIO_META_CONFIG_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_META_ROUTER_MODE + value: sni-dnat + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: ingressgateway-certs + mountPath: "/etc/istio/ingressgateway-certs" + readOnly: true + - name: ingressgateway-ca-certs + mountPath: "/etc/istio/ingressgateway-ca-certs" + readOnly: true + volumes: + - name: istio-certs + secret: + secretName: istio.istio-ingressgateway-service-account + optional: true + - name: ingressgateway-certs + secret: + secretName: "istio-ingressgateway-certs" + optional: true + - name: ingressgateway-ca-certs + secret: + secretName: "istio-ingressgateway-ca-certs" + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x +--- + +--- +# Source: istio/charts/grafana/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grafana + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + template: + metadata: + labels: + app: grafana + chart: grafana + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + securityContext: + runAsUser: 472 + fsGroup: 472 + containers: + - name: grafana + image: "grafana/grafana:6.0.2" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + readinessProbe: + httpGet: + path: /login + port: 3000 + env: + - name: GRAFANA_PORT + value: "3000" + - name: GF_AUTH_BASIC_ENABLED + value: "false" + - name: GF_AUTH_ANONYMOUS_ENABLED + value: "true" + - name: GF_AUTH_ANONYMOUS_ORG_ROLE + value: Admin + - name: GF_PATHS_DATA + value: /data/grafana + resources: + requests: + cpu: 10m + + volumeMounts: + - name: data + mountPath: /data/grafana + - name: dashboards-istio-galley-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/galley-dashboard.json" + subPath: galley-dashboard.json + readOnly: true + - name: dashboards-istio-istio-mesh-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-mesh-dashboard.json" + subPath: istio-mesh-dashboard.json + readOnly: true + - name: dashboards-istio-istio-performance-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-performance-dashboard.json" + subPath: istio-performance-dashboard.json + readOnly: true + - name: dashboards-istio-istio-service-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-service-dashboard.json" + subPath: istio-service-dashboard.json + readOnly: true + - name: dashboards-istio-istio-workload-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/istio-workload-dashboard.json" + subPath: istio-workload-dashboard.json + readOnly: true + - name: dashboards-istio-mixer-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/mixer-dashboard.json" + subPath: mixer-dashboard.json + readOnly: true + - name: dashboards-istio-pilot-dashboard + mountPath: "/var/lib/grafana/dashboards/istio/pilot-dashboard.json" + subPath: pilot-dashboard.json + readOnly: true + - name: config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + volumes: + - name: config + configMap: + name: istio-grafana + - name: data + emptyDir: {} + - name: dashboards-istio-galley-dashboard + configMap: + name: istio-grafana-configuration-dashboards-galley-dashboard + - name: dashboards-istio-istio-mesh-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-mesh-dashboard + - name: dashboards-istio-istio-performance-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-performance-dashboard + - name: dashboards-istio-istio-service-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-service-dashboard + - name: dashboards-istio-istio-workload-dashboard + configMap: + name: istio-grafana-configuration-dashboards-istio-workload-dashboard + - name: dashboards-istio-mixer-dashboard + configMap: + name: istio-grafana-configuration-dashboards-mixer-dashboard + - name: dashboards-istio-pilot-dashboard + configMap: + name: istio-grafana-configuration-dashboards-pilot-dashboard + +--- +# Source: istio/charts/kiali/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: kiali + template: + metadata: + name: kiali + labels: + app: kiali + chart: kiali + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + scheduler.alpha.kubernetes.io/critical-pod: "" + prometheus.io/scrape: "true" + prometheus.io/port: "9090" + spec: + serviceAccountName: kiali-service-account + containers: + - image: "docker.io/kiali/kiali:v0.16" + name: kiali + command: + - "/opt/kiali/kiali" + - "-config" + - "/kiali-configuration/config.yaml" + - "-v" + - "4" + env: + - name: ACTIVE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: PROMETHEUS_SERVICE_URL + value: http://prometheus:9090 + - name: SERVER_WEB_ROOT + value: /kiali + volumeMounts: + - name: kiali-configuration + mountPath: "/kiali-configuration" + - name: kiali-secret + mountPath: "/kiali-secret" + resources: + requests: + cpu: 10m + + volumes: + - name: kiali-configuration + configMap: + name: kiali + - name: kiali-secret + secret: + secretName: kiali + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/mixer/templates/deployment.yaml + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-policy + labels: + app: istio-mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: policy + template: + metadata: + labels: + app: policy + chart: mixer + heritage: Tiller + release: istio + istio: mixer + istio-mixer-type: policy + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + - name: policy-adapter-secret + secret: + secretName: policy-adapter-secret + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15014 + - containerPort: 42422 + args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 + - --configDefaultNamespace=istio-system + - --useAdapterCRDs=true + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + env: + - name: GODEBUG + value: "gctrace=1" + - name: GOMAXPROCS + value: "6" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 100Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-policy + - --templateFile + - /etc/istio/proxy/envoy_policy.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + - name: policy-adapter-secret + mountPath: /var/run/secrets/istio.io/policy/adapter + readOnly: true + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-telemetry + labels: + app: istio-mixer + chart: mixer + heritage: Tiller + release: istio + istio: mixer +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: mixer + istio-mixer-type: telemetry + template: + metadata: + labels: + app: telemetry + chart: mixer + heritage: Tiller + release: istio + istio: mixer + istio-mixer-type: telemetry + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-mixer-service-account + volumes: + - name: istio-certs + secret: + secretName: istio.istio-mixer-service-account + optional: true + - name: uds-socket + emptyDir: {} + - name: telemetry-adapter-secret + secret: + secretName: telemetry-adapter-secret + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + containers: + - name: mixer + image: "docker.io/istio/mixer:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15014 + - containerPort: 42422 + args: + - --monitoringPort=15014 + - --address + - unix:///sock/mixer.socket + - --log_output_level=default:info + - --configStoreURL=mcp://istio-galley.istio-system.svc:9901 + - --configDefaultNamespace=istio-system + - --useAdapterCRDs=true + - --trace_zipkin_url=http://zipkin:9411/api/v1/spans + - --averageLatencyThreshold + - 100ms + - --loadsheddingMode + - enforce + env: + - name: GODEBUG + value: "gctrace=1" + - name: GOMAXPROCS + value: "6" + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 100Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: telemetry-adapter-secret + mountPath: /var/run/secrets/istio.io/telemetry/adapter + readOnly: true + - name: uds-socket + mountPath: /sock + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9091 + - containerPort: 15004 + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-telemetry + - --templateFile + - /etc/istio/proxy/envoy_telemetry.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: uds-socket + mountPath: /sock + +--- + +--- +# Source: istio/charts/pilot/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-pilot + # TODO: default template doesn't have this, which one is right ? + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot + annotations: + checksum/config-volume: f8da08b6b8c170dde721efd680270b2901e750d4aa186ebb6c22bef5b78a43f9 +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + istio: pilot + template: + metadata: + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-pilot-service-account + containers: + - name: discovery + image: "docker.io/istio/pilot:1.1.6" + imagePullPolicy: IfNotPresent + args: + - "discovery" + - --monitoringAddr=:15014 + - --log_output_level=default:info + - --domain + - cluster.local + - --secureGrpcAddr + - "" + - --keepaliveMaxServerConnectionAge + - "30m" + ports: + - containerPort: 8080 + - containerPort: 15010 + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: GODEBUG + value: "gctrace=1" + - name: PILOT_PUSH_THROTTLE + value: "100" + - name: PILOT_TRACE_SAMPLING + value: "100" + - name: PILOT_DISABLE_XDS_MARSHALING_TO_ANY + value: "1" + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 10m + memory: 100Mi + + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + - name: istio-certs + mountPath: /etc/certs + readOnly: true + - name: istio-proxy + image: "docker.io/istio/proxyv2:1.1.6" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 15003 + - containerPort: 15005 + - containerPort: 15007 + - containerPort: 15011 + args: + - proxy + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --serviceCluster + - istio-pilot + - --templateFile + - /etc/istio/proxy/envoy_pilot.yaml.tmpl + - --controlPlaneAuthPolicy + - NONE + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + resources: + limits: + cpu: 2000m + memory: 128Mi + requests: + cpu: 10m + memory: 40Mi + + volumeMounts: + - name: istio-certs + mountPath: /etc/certs + readOnly: true + volumes: + - name: config-volume + configMap: + name: istio + - name: istio-certs + secret: + secretName: istio.istio-pilot-service-account + optional: true + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/prometheus/templates/deployment.yaml +# TODO: the original template has service account, roles, etc +apiVersion: apps/v1 +kind: Deployment +metadata: + name: prometheus + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio +spec: + replicas: 1 + selector: + matchLabels: + app: prometheus + template: + metadata: + labels: + app: prometheus + chart: prometheus + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: prometheus + containers: + - name: prometheus + image: "docker.io/prom/prometheus:v2.3.1" + imagePullPolicy: IfNotPresent + args: + - '--storage.tsdb.retention=6h' + - '--config.file=/etc/prometheus/prometheus.yml' + ports: + - containerPort: 9090 + name: http + livenessProbe: + httpGet: + path: /-/healthy + port: 9090 + readinessProbe: + httpGet: + path: /-/ready + port: 9090 + resources: + requests: + cpu: 10m + + volumeMounts: + - name: config-volume + mountPath: /etc/prometheus + - mountPath: /etc/istio-certs + name: istio-certs + volumes: + - name: config-volume + configMap: + name: prometheus + - name: istio-certs + secret: + defaultMode: 420 + secretName: istio.default + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/security/templates/deployment.yaml +# istio CA watching all namespaces +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-citadel + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel + template: + metadata: + labels: + app: security + chart: security + heritage: Tiller + release: istio + istio: citadel + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-citadel-service-account + containers: + - name: citadel + image: "docker.io/istio/citadel:1.1.6" + imagePullPolicy: IfNotPresent + args: + - --append-dns-names=true + - --grpc-port=8060 + - --grpc-hostname=citadel + - --citadel-storage-namespace=istio-system + - --custom-dns-names=istio-pilot-service-account.istio-system:istio-pilot.istio-system + - --monitoring-port=15014 + - --self-signed-ca=true + livenessProbe: + httpGet: + path: /version + port: 15014 + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-sidecar-injector + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + template: + metadata: + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio + istio: sidecar-injector + annotations: + sidecar.istio.io/inject: "false" + spec: + serviceAccountName: istio-sidecar-injector-service-account + containers: + - name: sidecar-injector-webhook + image: "docker.io/istio/sidecar_injector:1.1.6" + imagePullPolicy: IfNotPresent + args: + - --caCertFile=/etc/istio/certs/root-cert.pem + - --tlsCertFile=/etc/istio/certs/cert-chain.pem + - --tlsKeyFile=/etc/istio/certs/key.pem + - --injectConfig=/etc/istio/inject/config + - --meshConfig=/etc/istio/config/mesh + - --healthCheckInterval=2s + - --healthCheckFile=/health + volumeMounts: + - name: config-volume + mountPath: /etc/istio/config + readOnly: true + - name: certs + mountPath: /etc/istio/certs + readOnly: true + - name: inject-config + mountPath: /etc/istio/inject + readOnly: true + livenessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + readinessProbe: + exec: + command: + - /usr/local/bin/sidecar-injector + - probe + - --probe-path=/health + - --interval=4s + initialDelaySeconds: 4 + periodSeconds: 4 + resources: + requests: + cpu: 10m + + volumes: + - name: config-volume + configMap: + name: istio + - name: certs + secret: + secretName: istio.istio-sidecar-injector-service-account + - name: inject-config + configMap: + name: istio-sidecar-injector + items: + - key: config + path: config + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + +--- +# Source: istio/charts/tracing/templates/deployment-jaeger.yaml + + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-tracing + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + selector: + matchLabels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio + template: + metadata: + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/scrape: "true" + prometheus.io/port: "16686" + prometheus.io/path: "/jaeger/metrics" + spec: + containers: + - name: jaeger + image: "docker.io/jaegertracing/all-in-one:1.9" + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9411 + - containerPort: 16686 + - containerPort: 5775 + protocol: UDP + - containerPort: 6831 + protocol: UDP + - containerPort: 6832 + protocol: UDP + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: COLLECTOR_ZIPKIN_HTTP_PORT + value: "9411" + - name: MEMORY_MAX_TRACES + value: "50000" + - name: QUERY_BASE_PATH + value: /jaeger + livenessProbe: + httpGet: + path: / + port: 16686 + readinessProbe: + httpGet: + path: / + port: 16686 + resources: + requests: + cpu: 10m + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le + - s390x + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - amd64 + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - ppc64le + - weight: 2 + preference: + matchExpressions: + - key: beta.kubernetes.io/arch + operator: In + values: + - s390x + + +--- +# Source: istio/charts/gateways/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-egressgateway + labels: + app: egressgateway + chart: gateways + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-egressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-ingressgateway + labels: + app: ingressgateway + chart: gateways + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-ingressgateway + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/mixer/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-policy + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-policy + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-telemetry + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-telemetry + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/pilot/templates/autoscale.yaml + +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: istio-pilot + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio +spec: + maxReplicas: 5 + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istio-pilot + metrics: + - type: Resource + resource: + name: cpu + targetAverageUtilization: 80 +--- + +--- +# Source: istio/charts/tracing/templates/service-jaeger.yaml + +apiVersion: v1 +kind: Service +metadata: + name: jaeger-query + annotations: + labels: + app: jaeger + jaeger-infra: jaeger-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: query-http + port: 16686 + protocol: TCP + targetPort: 16686 + selector: + app: jaeger + +--- + +apiVersion: v1 +kind: Service +metadata: + name: jaeger-collector + labels: + app: jaeger + jaeger-infra: collector-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: jaeger-collector-tchannel + port: 14267 + protocol: TCP + targetPort: 14267 + - name: jaeger-collector-http + port: 14268 + targetPort: 14268 + protocol: TCP + selector: + app: jaeger + type: ClusterIP +--- +apiVersion: v1 +kind: Service +metadata: + name: jaeger-agent + labels: + app: jaeger + jaeger-infra: agent-service + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: agent-zipkin-thrift + port: 5775 + protocol: UDP + targetPort: 5775 + - name: agent-compact + port: 6831 + protocol: UDP + targetPort: 6831 + - name: agent-binary + port: 6832 + protocol: UDP + targetPort: 6832 + clusterIP: None + selector: + app: jaeger + + + +--- +# Source: istio/charts/tracing/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: zipkin + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + type: ClusterIP + ports: + - port: 9411 + targetPort: 9411 + protocol: TCP + name: http + selector: + app: jaeger +--- +apiVersion: v1 +kind: Service +metadata: + name: tracing + annotations: + labels: + app: jaeger + chart: tracing + heritage: Tiller + release: istio +spec: + ports: + - name: http-query + port: 80 + protocol: TCP + + targetPort: 16686 + + selector: + app: jaeger + +--- +# Source: istio/charts/sidecarInjectorWebhook/templates/mutatingwebhook.yaml +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: istio-sidecar-injector + labels: + app: sidecarInjectorWebhook + chart: sidecarInjectorWebhook + heritage: Tiller + release: istio +webhooks: + - name: sidecar-injector.istio.io + clientConfig: + service: + name: istio-sidecar-injector + namespace: istio-system + path: "/inject" + caBundle: "" + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + namespaceSelector: + matchLabels: + istio-injection: enabled + + +--- +# Source: istio/charts/galley/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-galley + labels: + app: galley + chart: galley + heritage: Tiller + release: istio + istio: galley +spec: + + minAvailable: 1 + selector: + matchLabels: + app: galley + release: istio + istio: galley + +--- +# Source: istio/charts/gateways/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-egressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-egressgateway + istio: egressgateway +spec: + + minAvailable: 1 + selector: + matchLabels: + release: istio + app: istio-egressgateway + istio: egressgateway +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-ingressgateway + labels: + chart: gateways + heritage: Tiller + release: istio + app: istio-ingressgateway + istio: ingressgateway +spec: + + minAvailable: 1 + selector: + matchLabels: + release: istio + app: istio-ingressgateway + istio: ingressgateway +--- + +--- +# Source: istio/charts/mixer/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-policy + labels: + app: policy + chart: mixer + heritage: Tiller + release: istio + version: 1.1.0 + istio: mixer + istio-mixer-type: policy +spec: + + minAvailable: 1 + selector: + matchLabels: + app: policy + release: istio + istio: mixer + istio-mixer-type: policy +--- +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-telemetry + labels: + app: telemetry + chart: mixer + heritage: Tiller + release: istio + version: 1.1.0 + istio: mixer + istio-mixer-type: telemetry +spec: + + minAvailable: 1 + selector: + matchLabels: + app: telemetry + release: istio + istio: mixer + istio-mixer-type: telemetry +--- +# Source: istio/charts/pilot/templates/poddisruptionbudget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: istio-pilot + labels: + app: pilot + chart: pilot + heritage: Tiller + release: istio + istio: pilot +spec: + + minAvailable: 1 + selector: + matchLabels: + app: pilot + release: istio + istio: pilot + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: istioproxy + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + attributes: + origin.ip: + valueType: IP_ADDRESS + origin.uid: + valueType: STRING + origin.user: + valueType: STRING + request.headers: + valueType: STRING_MAP + request.id: + valueType: STRING + request.host: + valueType: STRING + request.method: + valueType: STRING + request.path: + valueType: STRING + request.url_path: + valueType: STRING + request.query_params: + valueType: STRING_MAP + request.reason: + valueType: STRING + request.referer: + valueType: STRING + request.scheme: + valueType: STRING + request.total_size: + valueType: INT64 + request.size: + valueType: INT64 + request.time: + valueType: TIMESTAMP + request.useragent: + valueType: STRING + response.code: + valueType: INT64 + response.duration: + valueType: DURATION + response.headers: + valueType: STRING_MAP + response.total_size: + valueType: INT64 + response.size: + valueType: INT64 + response.time: + valueType: TIMESTAMP + response.grpc_status: + valueType: STRING + response.grpc_message: + valueType: STRING + source.uid: + valueType: STRING + source.user: # DEPRECATED + valueType: STRING + source.principal: + valueType: STRING + destination.uid: + valueType: STRING + destination.principal: + valueType: STRING + destination.port: + valueType: INT64 + connection.event: + valueType: STRING + connection.id: + valueType: STRING + connection.received.bytes: + valueType: INT64 + connection.received.bytes_total: + valueType: INT64 + connection.sent.bytes: + valueType: INT64 + connection.sent.bytes_total: + valueType: INT64 + connection.duration: + valueType: DURATION + connection.mtls: + valueType: BOOL + connection.requested_server_name: + valueType: STRING + context.protocol: + valueType: STRING + context.proxy_error_code: + valueType: STRING + context.timestamp: + valueType: TIMESTAMP + context.time: + valueType: TIMESTAMP + # Deprecated, kept for compatibility + context.reporter.local: + valueType: BOOL + context.reporter.kind: + valueType: STRING + context.reporter.uid: + valueType: STRING + api.service: + valueType: STRING + api.version: + valueType: STRING + api.operation: + valueType: STRING + api.protocol: + valueType: STRING + request.auth.principal: + valueType: STRING + request.auth.audiences: + valueType: STRING + request.auth.presenter: + valueType: STRING + request.auth.claims: + valueType: STRING_MAP + request.auth.raw_claims: + valueType: STRING + request.api_key: + valueType: STRING + rbac.permissive.response_code: + valueType: STRING + rbac.permissive.effective_policy_id: + valueType: STRING + check.error_code: + valueType: INT64 + check.error_message: + valueType: STRING + check.cache_hit: + valueType: BOOL + quota.cache_hit: + valueType: BOOL + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: attributemanifest +metadata: + name: kubernetes + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + attributes: + source.ip: + valueType: IP_ADDRESS + source.labels: + valueType: STRING_MAP + source.metadata: + valueType: STRING_MAP + source.name: + valueType: STRING + source.namespace: + valueType: STRING + source.owner: + valueType: STRING + source.serviceAccount: + valueType: STRING + source.services: + valueType: STRING + source.workload.uid: + valueType: STRING + source.workload.name: + valueType: STRING + source.workload.namespace: + valueType: STRING + destination.ip: + valueType: IP_ADDRESS + destination.labels: + valueType: STRING_MAP + destination.metadata: + valueType: STRING_MAP + destination.owner: + valueType: STRING + destination.name: + valueType: STRING + destination.container.name: + valueType: STRING + destination.namespace: + valueType: STRING + destination.service.uid: + valueType: STRING + destination.service.name: + valueType: STRING + destination.service.namespace: + valueType: STRING + destination.service.host: + valueType: STRING + destination.serviceAccount: + valueType: STRING + destination.workload.uid: + valueType: STRING + destination.workload.name: + valueType: STRING + destination.workload.namespace: + valueType: STRING +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: stdio + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: stdio + params: + outputAsJson: true +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: accesslog + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + severity: '"Info"' + timestamp: request.time + variables: + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + apiClaims: request.auth.raw_claims | "" + apiKey: request.api_key | request.headers["x-api-key"] | "" + protocol: request.scheme | context.protocol | "http" + method: request.method | "" + url: request.path | "" + responseCode: response.code | 0 + responseFlags: context.proxy_error_code | "" + responseSize: response.size | 0 + permissiveResponseCode: rbac.permissive.response_code | "none" + permissiveResponsePolicyID: rbac.permissive.effective_policy_id | "none" + requestSize: request.size | 0 + requestId: request.headers["x-request-id"] | "" + clientTraceId: request.headers["x-client-trace-id"] | "" + latency: response.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + userAgent: request.useragent | "" + responseTimestamp: response.time + receivedBytes: request.total_size | 0 + sentBytes: response.total_size | 0 + referer: request.referer | "" + httpAuthority: request.headers[":authority"] | request.host | "" + xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + grpcStatus: response.grpc_status | "" + grpcMessage: response.grpc_message | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: logentry +metadata: + name: tcpaccesslog + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + severity: '"Info"' + timestamp: context.time | timestamp("2017-01-01T00:00:00Z") + variables: + connectionEvent: connection.event | "" + sourceIp: source.ip | ip("0.0.0.0") + sourceApp: source.labels["app"] | "" + sourcePrincipal: source.principal | "" + sourceName: source.name | "" + sourceWorkload: source.workload.name | "" + sourceNamespace: source.namespace | "" + sourceOwner: source.owner | "" + destinationApp: destination.labels["app"] | "" + destinationIp: destination.ip | ip("0.0.0.0") + destinationServiceHost: destination.service.host | "" + destinationWorkload: destination.workload.name | "" + destinationName: destination.name | "" + destinationNamespace: destination.namespace | "" + destinationOwner: destination.owner | "" + destinationPrincipal: destination.principal | "" + protocol: context.protocol | "tcp" + connectionDuration: connection.duration | "0ms" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + requestedServerName: connection.requested_server_name | "" + receivedBytes: connection.received.bytes | 0 + sentBytes: connection.sent.bytes | 0 + totalReceivedBytes: connection.received.bytes_total | 0 + totalSentBytes: connection.sent.bytes_total | 0 + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + responseFlags: context.proxy_error_code | "" + monitored_resource_type: '"global"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdio + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "http" || context.protocol == "grpc" + actions: + - handler: stdio + instances: + - accesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: stdiotcp + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: stdio + instances: + - tcpaccesslog.logentry +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestcount + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestduration + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: response.duration | "0ms" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: requestsize + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: request.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: responsesize + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: response.size | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + request_protocol: api.protocol | context.protocol | "unknown" + response_code: response.code | 200 + response_flags: context.proxy_error_code | "-" + permissive_response_code: rbac.permissive.response_code | "none" + permissive_response_policyid: rbac.permissive.effective_policy_id | "none" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytesent + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: connection.sent.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpbytereceived + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: connection.received.bytes | 0 + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.host | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpconnectionsopened + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: metric +metadata: + name: tcpconnectionsclosed + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + value: "1" + dimensions: + reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") + source_workload: source.workload.name | "unknown" + source_workload_namespace: source.workload.namespace | "unknown" + source_principal: source.principal | "unknown" + source_app: source.labels["app"] | "unknown" + source_version: source.labels["version"] | "unknown" + destination_workload: destination.workload.name | "unknown" + destination_workload_namespace: destination.workload.namespace | "unknown" + destination_principal: destination.principal | "unknown" + destination_app: destination.labels["app"] | "unknown" + destination_version: destination.labels["version"] | "unknown" + destination_service: destination.service.name | "unknown" + destination_service_name: destination.service.name | "unknown" + destination_service_namespace: destination.service.namespace | "unknown" + connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) + response_flags: context.proxy_error_code | "-" + monitored_resource_type: '"UNSPECIFIED"' +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: prometheus + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: prometheus + params: + metricsExpirationPolicy: + metricsExpiryDuration: "10m" + metrics: + - name: requests_total + instance_name: requestcount.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + - name: request_duration_seconds + instance_name: requestduration.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + explicit_buckets: + bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] + - name: request_bytes + instance_name: requestsize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: response_bytes + instance_name: responsesize.metric.istio-system + kind: DISTRIBUTION + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - request_protocol + - response_code + - response_flags + - permissive_response_code + - permissive_response_policyid + - connection_security_policy + buckets: + exponentialBuckets: + numFiniteBuckets: 8 + scale: 1 + growthFactor: 10 + - name: tcp_sent_bytes_total + instance_name: tcpbytesent.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_received_bytes_total + instance_name: tcpbytereceived.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_opened_total + instance_name: tcpconnectionsopened.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags + - name: tcp_connections_closed_total + instance_name: tcpconnectionsclosed.metric.istio-system + kind: COUNTER + label_names: + - reporter + - source_app + - source_principal + - source_workload + - source_workload_namespace + - source_version + - destination_app + - destination_principal + - destination_workload + - destination_workload_namespace + - destination_version + - destination_service + - destination_service_name + - destination_service_namespace + - connection_security_policy + - response_flags +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promhttp + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: (context.protocol == "http" || context.protocol == "grpc") && (match((request.useragent | "-"), "kube-probe*") == false) + actions: + - handler: prometheus + instances: + - requestcount.metric + - requestduration.metric + - requestsize.metric + - responsesize.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcp + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: prometheus + instances: + - tcpbytesent.metric + - tcpbytereceived.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionopen + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "open") + actions: + - handler: prometheus + instances: + - tcpconnectionsopened.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: promtcpconnectionclosed + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" && ((connection.event | "na") == "close") + actions: + - handler: prometheus + instances: + - tcpconnectionsclosed.metric +--- +apiVersion: "config.istio.io/v1alpha2" +kind: handler +metadata: + name: kubernetesenv + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + compiledAdapter: kubernetesenv + params: + # when running from mixer root, use the following config after adding a + # symbolic link to a kubernetes config file via: + # + # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig + # + # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" + +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: kubeattrgenrulerule + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + actions: + - handler: kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: rule +metadata: + name: tcpkubeattrgenrulerule + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + match: context.protocol == "tcp" + actions: + - handler: kubernetesenv + instances: + - attributes.kubernetes +--- +apiVersion: "config.istio.io/v1alpha2" +kind: kubernetes +metadata: + name: attributes + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + # Pass the required attribute data to the adapter + source_uid: source.uid | "" + source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr + destination_uid: destination.uid | "" + destination_port: destination.port | 0 + attribute_bindings: + # Fill the new attributes from the adapter produced output. + # $out refers to an instance of OutputTemplate message + source.ip: $out.source_pod_ip | ip("0.0.0.0") + source.uid: $out.source_pod_uid | "unknown" + source.labels: $out.source_labels | emptyStringMap() + source.name: $out.source_pod_name | "unknown" + source.namespace: $out.source_namespace | "default" + source.owner: $out.source_owner | "unknown" + source.serviceAccount: $out.source_service_account_name | "unknown" + source.workload.uid: $out.source_workload_uid | "unknown" + source.workload.name: $out.source_workload_name | "unknown" + source.workload.namespace: $out.source_workload_namespace | "unknown" + destination.ip: $out.destination_pod_ip | ip("0.0.0.0") + destination.uid: $out.destination_pod_uid | "unknown" + destination.labels: $out.destination_labels | emptyStringMap() + destination.name: $out.destination_pod_name | "unknown" + destination.container.name: $out.destination_container_name | "unknown" + destination.namespace: $out.destination_namespace | "default" + destination.owner: $out.destination_owner | "unknown" + destination.serviceAccount: $out.destination_service_account_name | "unknown" + destination.workload.uid: $out.destination_workload_uid | "unknown" + destination.workload.name: $out.destination_workload_name | "unknown" + destination.workload.namespace: $out.destination_workload_namespace | "unknown" +--- +# Configuration needed by Mixer. +# Mixer cluster is delivered via CDS +# Specify mixer cluster settings +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-policy + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + host: istio-policy.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: istio-telemetry + labels: + app: mixer + chart: mixer + heritage: Tiller + release: istio +spec: + host: istio-telemetry.istio-system.svc.cluster.local + trafficPolicy: + connectionPool: + http: + http2MaxRequests: 10000 + maxRequestsPerConnection: 10000 +--- diff --git a/kustomize/istio-install/base/kustomization.yaml b/kustomize/istio-install/base/kustomization.yaml new file mode 100644 index 0000000..0073dc8 --- /dev/null +++ b/kustomize/istio-install/base/kustomization.yaml @@ -0,0 +1,39 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- istio-noauth.yaml +namespace: kubeflow +images: +- name: docker.io/istio/kubectl + newName: docker.io/istio/kubectl + newTag: 1.1.6 +- name: docker.io/istio/galley + newName: docker.io/istio/galley + newTag: 1.1.6 +- name: docker.io/istio/proxyv2 + newName: docker.io/istio/proxyv2 + newTag: 1.1.6 +- name: grafana/grafana + newName: grafana/grafana + newTag: 6.0.2 +- name: docker.io/kiali/kiali + newName: docker.io/kiali/kiali + newTag: v0.16 +- name: docker.io/istio/mixer + newName: docker.io/istio/mixer + newTag: 1.1.6 +- name: docker.io/istio/pilot + newName: docker.io/istio/pilot + newTag: 1.1.6 +- name: docker.io/prom/prometheus + newName: docker.io/prom/prometheus + newTag: v2.3.1 +- name: docker.io/istio/citadel + newName: docker.io/istio/citadel + newTag: 1.1.6 +- name: docker.io/istio/sidecar_injector + newName: docker.io/istio/sidecar_injector + newTag: 1.1.6 +- name: docker.io/jaegertracing/all-in-one + newName: docker.io/jaegertracing/all-in-one + newTag: '1.9' diff --git a/kustomize/istio-install/kustomization.yaml b/kustomize/istio-install/kustomization.yaml new file mode 100644 index 0000000..e907d64 --- /dev/null +++ b/kustomize/istio-install/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: istio-system diff --git a/kustomize/istio/base/README.md b/kustomize/istio/base/README.md new file mode 100644 index 0000000..861a387 --- /dev/null +++ b/kustomize/istio/base/README.md @@ -0,0 +1,7 @@ +# Manifest for Istio in Kubeflow + +- `install` dir contains the manifest to install Istio +- kf-istio-resources.yaml has + - Gateway for routing + - VirtualService for Grafana + - ServiceEntry and VirtualService for egress traffic diff --git a/kustomize/istio/base/cluster-roles.yaml b/kustomize/istio/base/cluster-roles.yaml new file mode 100644 index 0000000..14fedfc --- /dev/null +++ b/kustomize/istio/base/cluster-roles.yaml @@ -0,0 +1,51 @@ +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +rules: +- apiGroups: ["istio.io"] + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: ["istio.io"] + resources: ["*"] + verbs: + - get + - list + - watch diff --git a/kustomize/istio/base/kf-istio-resources.yaml b/kustomize/istio/base/kf-istio-resources.yaml new file mode 100644 index 0000000..a89372c --- /dev/null +++ b/kustomize/istio/base/kf-istio-resources.yaml @@ -0,0 +1,110 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: kubeflow-gateway +spec: + selector: + istio: $(gatewaySelector) + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + - "*" +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: grafana-vs +spec: + hosts: + - "*" + gateways: + - "kubeflow-gateway" + http: + - match: + - uri: + prefix: "/istio/grafana/" + method: + exact: "GET" + rewrite: + uri: "/" + route: + - destination: + host: "grafana.istio-system.svc.cluster.local" + port: + number: 3000 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: google-api-entry +spec: + hosts: + - www.googleapis.com + ports: + - number: 443 + name: https + protocol: HTTPS + resolution: DNS + location: MESH_EXTERNAL +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: google-api-vs +spec: + hosts: + - www.googleapis.com + tls: + - match: + - port: 443 + sni_hosts: + - www.googleapis.com + route: + - destination: + host: www.googleapis.com + port: + number: 443 + weight: 100 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: ServiceEntry +metadata: + name: google-storage-api-entry +spec: + hosts: + - storage.googleapis.com + ports: + - number: 443 + name: https + protocol: HTTPS + resolution: DNS + location: MESH_EXTERNAL +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: google-storage-api-vs +spec: + hosts: + - storage.googleapis.com + tls: + - match: + - port: 443 + sni_hosts: + - storage.googleapis.com + route: + - destination: + host: storage.googleapis.com + port: + number: 443 + weight: 100 +--- +apiVersion: rbac.istio.io/v1alpha1 +kind: ClusterRbacConfig +metadata: + name: default +spec: + mode: $(clusterRbacConfig) diff --git a/kustomize/istio/base/kustomization.yaml b/kustomize/istio/base/kustomization.yaml new file mode 100644 index 0000000..062807f --- /dev/null +++ b/kustomize/istio/base/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- kf-istio-resources.yaml +- cluster-roles.yaml +namespace: kubeflow +configMapGenerator: +- name: istio-parameters + env: params.env +vars: +- name: clusterRbacConfig + objref: + kind: ConfigMap + name: istio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterRbacConfig +- name: gatewaySelector + objref: + kind: ConfigMap + name: istio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.gatewaySelector +configurations: +- params.yaml diff --git a/kustomize/istio/base/params.env b/kustomize/istio/base/params.env new file mode 100644 index 0000000..5daead4 --- /dev/null +++ b/kustomize/istio/base/params.env @@ -0,0 +1,2 @@ +clusterRbacConfig=ON +gatewaySelector=ingressgateway diff --git a/kustomize/istio/base/params.yaml b/kustomize/istio/base/params.yaml new file mode 100644 index 0000000..df85a42 --- /dev/null +++ b/kustomize/istio/base/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: spec/mode + kind: ClusterRbacConfig +- path: spec/selector + kind: Gateway \ No newline at end of file diff --git a/kustomize/istio/kustomization.yaml b/kustomize/istio/kustomization.yaml new file mode 100644 index 0000000..4e745bd --- /dev/null +++ b/kustomize/istio/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: kubeflow diff --git a/kustomize/istio/overlays/https-gateway/kf-istio-resources.yaml b/kustomize/istio/overlays/https-gateway/kf-istio-resources.yaml new file mode 100644 index 0000000..0515bd3 --- /dev/null +++ b/kustomize/istio/overlays/https-gateway/kf-istio-resources.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: kubeflow-gateway +spec: + selector: + istio: $(gatewaySelector) + servers: + - hosts: + - '*' + port: + name: https + number: 443 + protocol: HTTPS + tls: + mode: SIMPLE + privateKey: /etc/istio/ingressgateway-certs/tls.key + serverCertificate: /etc/istio/ingressgateway-certs/tls.crt diff --git a/kustomize/istio/overlays/https-gateway/kustomization.yaml b/kustomize/istio/overlays/https-gateway/kustomization.yaml new file mode 100644 index 0000000..4a0e56c --- /dev/null +++ b/kustomize/istio/overlays/https-gateway/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- kf-istio-resources.yaml + +configMapGenerator: +- name: istio-parameters + behavior: merge + env: params.env +configurations: +- params.yaml diff --git a/kustomize/istio/overlays/https-gateway/params.env b/kustomize/istio/overlays/https-gateway/params.env new file mode 100644 index 0000000..bb0cded --- /dev/null +++ b/kustomize/istio/overlays/https-gateway/params.env @@ -0,0 +1 @@ +gatewaySelector=ingressgateway diff --git a/kustomize/istio/overlays/https-gateway/params.yaml b/kustomize/istio/overlays/https-gateway/params.yaml new file mode 100644 index 0000000..c8c2507 --- /dev/null +++ b/kustomize/istio/overlays/https-gateway/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/selector + kind: Gateway diff --git a/kustomize/jupyter-web-app/base/cluster-role-binding.yaml b/kustomize/jupyter-web-app/base/cluster-role-binding.yaml new file mode 100644 index 0000000..f7fe51d --- /dev/null +++ b/kustomize/jupyter-web-app/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-role +subjects: +- kind: ServiceAccount + name: service-account diff --git a/kustomize/jupyter-web-app/base/cluster-role.yaml b/kustomize/jupyter-web-app/base/cluster-role.yaml new file mode 100644 index 0000000..578f436 --- /dev/null +++ b/kustomize/jupyter-web-app/base/cluster-role.yaml @@ -0,0 +1,54 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-role +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - create + - delete +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list + - create + - delete +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch diff --git a/kustomize/jupyter-web-app/base/config-map.yaml b/kustomize/jupyter-web-app/base/config-map.yaml new file mode 100644 index 0000000..b24ca7a --- /dev/null +++ b/kustomize/jupyter-web-app/base/config-map.yaml @@ -0,0 +1,127 @@ +apiVersion: v1 +data: + spawner_ui_config.yaml: | + # Configuration file for the Jupyter UI. + # + # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' + # - The 'value' key contains the default value + # - The 'readOnly' key determines if the option will be available to users + # + # If the 'readOnly' key is present and set to 'true', the respective option + # will be disabled for users and only set by the admin. Also when a + # Notebook is POSTED to the API if a necessary field is not present then + # the value from the config will be used. + # + # If the 'readOnly' key is missing (defaults to 'false'), the respective option + # will be available for users to edit. + # + # Note that some values can be templated. Such values are the names of the + # Volumes as well as their StorageClass + spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-cpu:v-base-ef41372-1177829795472347138 + # The list of available standard container Images + options: + - gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-cpu:v0.7.0 + - gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-gpu:v0.7.0 + - gcr.io/kubeflow-images-public/tensorflow-2.0.0a0-notebook-cpu:v0.7.0 + - gcr.io/kubeflow-images-public/tensorflow-2.0.0a0-notebook-gpu:v0.7.0 + # By default, custom container Images are allowed + # Uncomment the following line to only enable standard container Images + readOnly: false + cpu: + # CPU for user's Notebook + value: '0.5' + readOnly: false + memory: + # Memory for user's Notebook + value: 1.0Gi + readOnly: false + workspaceVolume: + # Workspace Volume to be attached to user's Notebook + # Each Workspace Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + value: + type: + # The Type of the Workspace Volume + # Supported values: 'New', 'Existing' + value: New + name: + # The Name of the Workspace Volume + # Note that this is a templated value. Special values: + # {notebook-name}: Replaced with the name of the Notebook. The frontend + # will replace this value as the user types the name + value: 'workspace-{notebook-name}' + size: + # The Size of the Workspace Volume (in Gi) + value: '10Gi' + mountPath: + # The Path that the Workspace Volume will be mounted + value: /home/jovyan + accessModes: + # The Access Mode of the Workspace Volume + # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' + value: ReadWriteOnce + class: + # The StrageClass the PVC will use if type is New. Special values are: + # {none}: default StorageClass + # {empty}: empty string "" + value: '{none}' + readOnly: false + dataVolumes: + # List of additional Data Volumes to be attached to the user's Notebook + value: [] + # Each Data Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + # + # For example, a list with 2 Data Volumes: + # value: + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-1' + # size: + # value: '10Gi' + # class: + # value: standard + # mountPath: + # value: /home/jovyan/vol-1 + # accessModes: + # value: ReadWriteOnce + # class: + # value: {none} + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-2' + # size: + # value: '10Gi' + # mountPath: + # value: /home/jovyan/vol-2 + # accessModes: + # value: ReadWriteMany + # class: + # value: {none} + readOnly: false + extraResources: + # Extra Resource Limits for user's Notebook + # e.x. "{'nvidia.com/gpu': 2}" + value: "{}" + readOnly: false + shm: + value: true + readOnly: false + configurations: + # List of labels to be selected, these are the labels from PodDefaults + # value: + # - add-gcp-secret + # - default-editor + value: [] + readOnly: false +kind: ConfigMap +metadata: + name: config diff --git a/kustomize/jupyter-web-app/base/deployment.yaml b/kustomize/jupyter-web-app/base/deployment.yaml new file mode 100644 index 0000000..6eb2cc4 --- /dev/null +++ b/kustomize/jupyter-web-app/base/deployment.yaml @@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + replicas: 1 + template: + spec: + containers: + - env: + - name: ROK_SECRET_NAME + valueFrom: + configMapKeyRef: + name: parameters + key: ROK_SECRET_NAME + - name: UI + valueFrom: + configMapKeyRef: + name: parameters + key: UI + - name: USERID_HEADER + value: $(userid-header) + - name: USERID_PREFIX + value: $(userid-prefix) + image: gcr.io/kubeflow-images-public/jupyter-web-app:v0.5.0 + imagePullPolicy: $(policy) + name: jupyter-web-app + ports: + - containerPort: 5000 + volumeMounts: + - mountPath: /etc/config + name: config-volume + serviceAccountName: service-account + volumes: + - configMap: + name: config + name: config-volume diff --git a/kustomize/jupyter-web-app/base/kustomization.yaml b/kustomize/jupyter-web-app/base/kustomization.yaml new file mode 100644 index 0000000..2cfe2f5 --- /dev/null +++ b/kustomize/jupyter-web-app/base/kustomization.yaml @@ -0,0 +1,70 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- config-map.yaml +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +- service.yaml +namePrefix: jupyter-web-app- +namespace: kubeflow +commonLabels: + app: jupyter-web-app + kustomize.component: jupyter-web-app +images: +- name: gcr.io/kubeflow-images-public/jupyter-web-app + newName: gcr.io/kubeflow-images-public/jupyter-web-app + newTag: vmaster-ge8c85064 +configMapGenerator: +- env: params.env + name: parameters +generatorOptions: + disableNameSuffixHash: true +vars: +- fieldref: + fieldPath: data.policy + name: policy + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.prefix + name: prefix + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.clusterDomain + name: clusterDomain + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: metadata.namespace + name: namespace + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: + fieldPath: data.userid-header + name: userid-header + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +- fieldref: + fieldPath: data.userid-prefix + name: userid-prefix + objref: + apiVersion: v1 + kind: ConfigMap + name: parameters +configurations: +- params.yaml diff --git a/kustomize/jupyter-web-app/base/params.env b/kustomize/jupyter-web-app/base/params.env new file mode 100644 index 0000000..c6a1a52 --- /dev/null +++ b/kustomize/jupyter-web-app/base/params.env @@ -0,0 +1,7 @@ +UI=default +ROK_SECRET_NAME=secret-rok-{username} +policy=Always +prefix=jupyter +clusterDomain=cluster.local +userid-header=kubeflow-userid +userid-prefix= diff --git a/kustomize/jupyter-web-app/base/params.yaml b/kustomize/jupyter-web-app/base/params.yaml new file mode 100644 index 0000000..65ff484 --- /dev/null +++ b/kustomize/jupyter-web-app/base/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: spec/template/spec/containers/imagePullPolicy + kind: Deployment +- path: metadata/annotations/getambassador.io\/config + kind: Service +- path: spec/template/spec/containers/0/env/2/value + kind: Deployment +- path: spec/template/spec/containers/0/env/3/value + kind: Deployment \ No newline at end of file diff --git a/kustomize/jupyter-web-app/base/role-binding.yaml b/kustomize/jupyter-web-app/base/role-binding.yaml new file mode 100644 index 0000000..5400a70 --- /dev/null +++ b/kustomize/jupyter-web-app/base/role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: jupyter-notebook-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: jupyter-notebook-role +subjects: +- kind: ServiceAccount + name: jupyter-notebook diff --git a/kustomize/jupyter-web-app/base/role.yaml b/kustomize/jupyter-web-app/base/role.yaml new file mode 100644 index 0000000..bcd601a --- /dev/null +++ b/kustomize/jupyter-web-app/base/role.yaml @@ -0,0 +1,35 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: jupyter-notebook-role +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + - secrets + - services + verbs: + - '*' +- apiGroups: + - "" + - apps + - extensions + resources: + - deployments + - replicasets + verbs: + - '*' +- apiGroups: + - kubeflow.org + resources: + - '*' + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' diff --git a/kustomize/jupyter-web-app/base/service-account.yaml b/kustomize/jupyter-web-app/base/service-account.yaml new file mode 100644 index 0000000..a36cbd8 --- /dev/null +++ b/kustomize/jupyter-web-app/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-account diff --git a/kustomize/jupyter-web-app/base/service.yaml b/kustomize/jupyter-web-app/base/service.yaml new file mode 100644 index 0000000..d22b9ed --- /dev/null +++ b/kustomize/jupyter-web-app/base/service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: webapp_mapping + prefix: /$(prefix)/ + service: jupyter-web-app-service.$(namespace) + add_request_headers: + x-forwarded-prefix: /jupyter + labels: + run: jupyter-web-app + name: service +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 5000 + type: ClusterIP diff --git a/kustomize/jupyter-web-app/kustomization.yaml b/kustomize/jupyter-web-app/kustomization.yaml new file mode 100644 index 0000000..3bd60b4 --- /dev/null +++ b/kustomize/jupyter-web-app/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +- overlays/istio +commonLabels: + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/instance: jupyter-web-app-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: jupyter-web-app + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/jupyter-web-app/overlays/application/application.yaml b/kustomize/jupyter-web-app/overlays/application/application.yaml new file mode 100644 index 0000000..403e269 --- /dev/null +++ b/kustomize/jupyter-web-app/overlays/application/application.yaml @@ -0,0 +1,49 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: jupyter-web-app +spec: + selector: + matchLabels: + app.kubernetes.io/name: jupyter-web-app + app.kubernetes.io/instance: jupyter-web-app-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: networking.istio.io + kind: VirtualService + descriptor: + type: jupyter-web-app + version: v1beta1 + description: Provides a UI which allows the user to create/conect/delete jupyter notebooks. + maintainers: + - name: Kimonas Sotirchos + email: kimwnasptd@arrikto.com + owners: + - name: Kimonas Sotirchos + email: kimwnasptd@arrikto.com + keywords: + - jupyterhub + - jupyter ui + - notebooks + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/jupyter-web-app + - description: Docs + url: https://www.kubeflow.org/docs/notebooks + addOwnerRef: true + diff --git a/kustomize/jupyter-web-app/overlays/application/kustomization.yaml b/kustomize/jupyter-web-app/overlays/application/kustomization.yaml new file mode 100644 index 0000000..0c1f073 --- /dev/null +++ b/kustomize/jupyter-web-app/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: jupyter-web-app + app.kubernetes.io/instance: jupyter-web-app-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: jupyter-web-app + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/jupyter-web-app/overlays/istio/kustomization.yaml b/kustomize/jupyter-web-app/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..0991e8f --- /dev/null +++ b/kustomize/jupyter-web-app/overlays/istio/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kustomize/jupyter-web-app/overlays/istio/params.yaml b/kustomize/jupyter-web-app/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/jupyter-web-app/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/jupyter-web-app/overlays/istio/virtual-service.yaml b/kustomize/jupyter-web-app/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..589a8ee --- /dev/null +++ b/kustomize/jupyter-web-app/overlays/istio/virtual-service.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: jupyter-web-app +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - headers: + request: + add: + x-forwarded-prefix: /jupyter + match: + - uri: + prefix: /jupyter/ + rewrite: + uri: / + route: + - destination: + host: jupyter-web-app-service.$(namespace).svc.$(clusterDomain) + port: + number: 80 diff --git a/kustomize/katib-controller/base/katib-configmap.yaml b/kustomize/katib-controller/base/katib-configmap.yaml new file mode 100644 index 0000000..9037c01 --- /dev/null +++ b/kustomize/katib-controller/base/katib-configmap.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: katib-config +data: + metrics-collector-sidecar: |- + { + "StdOut": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/file-metrics-collector:v0.7.0" + }, + "File": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/file-metrics-collector:v0.7.0" + }, + "TensorFlowEvent": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/tfevent-metrics-collector:v0.7.0" + } + } + suggestion: |- + { + "random": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-hyperopt:v0.7.0" + }, + "grid": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-chocolate:v0.7.0" + }, + "hyperband": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-hyperband:v0.7.0" + }, + "bayesianoptimization": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-skopt:v0.7.0" + }, + "tpe": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-hyperopt:v0.7.0" + }, + "nasrl": { + "image": "gcr.io/kubeflow-images-public/katib/v1alpha3/suggestion-nasrl:v0.7.0" + } + } diff --git a/kustomize/katib-controller/base/katib-controller-deployment.yaml b/kustomize/katib-controller/base/katib-controller-deployment.yaml new file mode 100644 index 0000000..b1cb0a5 --- /dev/null +++ b/kustomize/katib-controller/base/katib-controller-deployment.yaml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-controller + labels: + app: katib-controller +spec: + replicas: 1 + selector: + matchLabels: + app: katib-controller + template: + metadata: + labels: + app: katib-controller + spec: + serviceAccountName: katib-controller + containers: + - name: katib-controller + image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + imagePullPolicy: IfNotPresent + command: ["./katib-controller"] + ports: + - containerPort: 443 + name: webhook + protocol: TCP + env: + - name: KATIB_CORE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /tmp/cert + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: katib-controller diff --git a/kustomize/katib-controller/base/katib-controller-rbac.yaml b/kustomize/katib-controller/base/katib-controller-rbac.yaml new file mode 100644 index 0000000..0e9160d --- /dev/null +++ b/kustomize/katib-controller/base/katib-controller-rbac.yaml @@ -0,0 +1,149 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: katib-controller +rules: +- apiGroups: + - "" + resources: + - configmaps + - serviceaccounts + - services + - secrets + - events + - namespaces + verbs: + - "*" +- apiGroups: + - "" + resources: + - pods + - pods/log + - pods/status + verbs: + - "*" +- apiGroups: + - apps + resources: + - deployments + verbs: + - "*" +- apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - "*" +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - '*' +- apiGroups: + - kubeflow.org + resources: + - experiments + - experiments/status + - experiments/finalizers + - trials + - trials/status + - trials/finalizers + - suggestions + - suggestions/status + - suggestions/finalizers + verbs: + - "*" +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - pytorchjobs + verbs: + - "*" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: katib-controller +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: katib-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: katib-controller +subjects: +- kind: ServiceAccount + name: katib-controller + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-katib-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-katib-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - experiments + - trials + - suggestions + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-katib-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - experiments + - trials + - suggestions + verbs: + - get + - list + - watch diff --git a/kustomize/katib-controller/base/katib-controller-secret.yaml b/kustomize/katib-controller/base/katib-controller-secret.yaml new file mode 100644 index 0000000..8341a6a --- /dev/null +++ b/kustomize/katib-controller/base/katib-controller-secret.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Secret +metadata: + name: katib-controller diff --git a/kustomize/katib-controller/base/katib-controller-service.yaml b/kustomize/katib-controller/base/katib-controller-service.yaml new file mode 100644 index 0000000..e197738 --- /dev/null +++ b/kustomize/katib-controller/base/katib-controller-service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: katib-controller +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 443 + selector: + app: katib-controller diff --git a/kustomize/katib-controller/base/katib-db-deployment.yaml b/kustomize/katib-controller/base/katib-db-deployment.yaml new file mode 100644 index 0000000..8734539 --- /dev/null +++ b/kustomize/katib-controller/base/katib-db-deployment.yaml @@ -0,0 +1,64 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-db + labels: + app: katib + component: db +spec: + replicas: 1 + selector: + matchLabels: + app: katib + component: db + template: + metadata: + name: katib-db + labels: + app: katib + component: db + spec: + containers: + - name: katib-db + image: mysql:8 + args: + - --datadir + - /var/lib/mysql/datadir + env: + - name: MYSQL_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: katib-db-secrets + key: MYSQL_ROOT_PASSWORD + - name: MYSQL_ALLOW_EMPTY_PASSWORD + value: "true" + - name: MYSQL_DATABASE + value: "katib" + ports: + - name: dbapi + containerPort: 3306 + readinessProbe: + exec: + command: + - "/bin/bash" + - "-c" + - "mysql -D ${MYSQL_DATABASE} -p${MYSQL_ROOT_PASSWORD} -e 'SELECT 1'" + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + livenessProbe: + exec: + command: + - "/bin/bash" + - "-c" + - "mysqladmin ping -u root -p${MYSQL_ROOT_PASSWORD}" + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + volumeMounts: + - name: katib-mysql + mountPath: /var/lib/mysql + volumes: + - name: katib-mysql + persistentVolumeClaim: + claimName: katib-mysql diff --git a/kustomize/katib-controller/base/katib-db-pvc.yaml b/kustomize/katib-controller/base/katib-db-pvc.yaml new file mode 100644 index 0000000..d8f8a82 --- /dev/null +++ b/kustomize/katib-controller/base/katib-db-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: katib-mysql +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi diff --git a/kustomize/katib-controller/base/katib-db-secret.yaml b/kustomize/katib-controller/base/katib-db-secret.yaml new file mode 100644 index 0000000..8fca796 --- /dev/null +++ b/kustomize/katib-controller/base/katib-db-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: katib-db-secrets +data: + MYSQL_ROOT_PASSWORD: dGVzdA== # "test" diff --git a/kustomize/katib-controller/base/katib-db-service.yaml b/kustomize/katib-controller/base/katib-db-service.yaml new file mode 100644 index 0000000..5a7afd4 --- /dev/null +++ b/kustomize/katib-controller/base/katib-db-service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: katib-db + labels: + app: katib + component: db +spec: + type: ClusterIP + ports: + - port: 3306 + protocol: TCP + name: dbapi + selector: + app: katib + component: db diff --git a/kustomize/katib-controller/base/katib-manager-deployment.yaml b/kustomize/katib-controller/base/katib-manager-deployment.yaml new file mode 100644 index 0000000..27ed68b --- /dev/null +++ b/kustomize/katib-controller/base/katib-manager-deployment.yaml @@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-manager + labels: + app: katib + component: manager +spec: + replicas: 1 + selector: + matchLabels: + app: katib + component: manager + template: + metadata: + name: katib-manager + labels: + app: katib + component: manager + spec: + containers: + - name: katib-manager + image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-manager + imagePullPolicy: IfNotPresent + env: + - name : DB_NAME + value: "mysql" + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: katib-db-secrets + key: MYSQL_ROOT_PASSWORD + command: + - './katib-manager' + ports: + - name: api + containerPort: 6789 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:6789"] + initialDelaySeconds: 5 + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:6789"] + initialDelaySeconds: 10 + periodSeconds: 60 + failureThreshold: 5 diff --git a/kustomize/katib-controller/base/katib-manager-service.yaml b/kustomize/katib-controller/base/katib-manager-service.yaml new file mode 100644 index 0000000..f5477b0 --- /dev/null +++ b/kustomize/katib-controller/base/katib-manager-service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: katib-manager + labels: + app: katib + component: manager +spec: + type: ClusterIP + ports: + - port: 6789 + protocol: TCP + name: api + selector: + app: katib + component: manager diff --git a/kustomize/katib-controller/base/katib-ui-deployment.yaml b/kustomize/katib-controller/base/katib-ui-deployment.yaml new file mode 100644 index 0000000..38a5415 --- /dev/null +++ b/kustomize/katib-controller/base/katib-ui-deployment.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-ui + labels: + app: katib + component: ui +spec: + replicas: 1 + selector: + matchLabels: + app: katib + component: ui + template: + metadata: + name: katib-ui + labels: + app: katib + component: ui + spec: + containers: + - name: katib-ui + image: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + imagePullPolicy: IfNotPresent + command: + - './katib-ui' + env: + - name: KATIB_CORE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: ui + containerPort: 80 + serviceAccountName: katib-ui diff --git a/kustomize/katib-controller/base/katib-ui-rbac.yaml b/kustomize/katib-controller/base/katib-ui-rbac.yaml new file mode 100644 index 0000000..c155fcc --- /dev/null +++ b/kustomize/katib-controller/base/katib-ui-rbac.yaml @@ -0,0 +1,35 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: katib-ui +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - "*" +- apiGroups: + - kubeflow.org + resources: + - experiments + - trials + verbs: + - "*" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: katib-ui +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: katib-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: katib-ui +subjects: +- kind: ServiceAccount + name: katib-ui diff --git a/kustomize/katib-controller/base/katib-ui-service.yaml b/kustomize/katib-controller/base/katib-ui-service.yaml new file mode 100644 index 0000000..ee9e156 --- /dev/null +++ b/kustomize/katib-controller/base/katib-ui-service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: katib-ui + labels: + app: katib + component: ui +spec: + type: ClusterIP + ports: + - port: 80 + protocol: TCP + name: ui + selector: + app: katib + component: ui diff --git a/kustomize/katib-controller/base/kustomization.yaml b/kustomize/katib-controller/base/kustomization.yaml new file mode 100644 index 0000000..fd75ca3 --- /dev/null +++ b/kustomize/katib-controller/base/kustomization.yaml @@ -0,0 +1,52 @@ +namespace: kubeflow +resources: +- katib-configmap.yaml +- katib-controller-deployment.yaml +- katib-controller-rbac.yaml +- katib-controller-secret.yaml +- katib-controller-service.yaml +- katib-db-deployment.yaml +- katib-db-pvc.yaml +- katib-db-secret.yaml +- katib-db-service.yaml +- katib-manager-deployment.yaml +- katib-manager-service.yaml +- katib-ui-deployment.yaml +- katib-ui-rbac.yaml +- katib-ui-service.yaml +- trial-template-configmap.yaml +configMapGenerator: +- name: katib-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +images: +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller + newTag: v0.7.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-controller +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-manager + newTag: v0.7.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-manager +- name: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui + newTag: v0.7.0 + newName: gcr.io/kubeflow-images-public/katib/v1alpha3/katib-ui +- name: mysql + newTag: "8" + newName: mysql +vars: +- name: clusterDomain + objref: + kind: ConfigMap + name: katib-parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +- name: namespace + objref: + kind: Service + name: katib-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +configurations: +- params.yaml diff --git a/kustomize/katib-controller/base/params.env b/kustomize/katib-controller/base/params.env new file mode 100644 index 0000000..bdd6604 --- /dev/null +++ b/kustomize/katib-controller/base/params.env @@ -0,0 +1 @@ +clusterDomain=cluster.local diff --git a/kustomize/katib-controller/base/params.yaml b/kustomize/katib-controller/base/params.yaml new file mode 100644 index 0000000..eade9a8 --- /dev/null +++ b/kustomize/katib-controller/base/params.yaml @@ -0,0 +1,7 @@ +varReference: +- path: data/config + kind: ConfigMap +- path: data/config + kind: Deployment +- path: metadata/annotations/getambassador.io\/config + kind: Service diff --git a/kustomize/katib-controller/base/trial-template-configmap.yaml b/kustomize/katib-controller/base/trial-template-configmap.yaml new file mode 100644 index 0000000..00c230c --- /dev/null +++ b/kustomize/katib-controller/base/trial-template-configmap.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trial-template +data: + defaultTrialTemplate.yaml : |- + apiVersion: batch/v1 + kind: Job + metadata: + name: {{.Trial}} + namespace: {{.NameSpace}} + spec: + template: + spec: + containers: + - name: {{.Trial}} + image: docker.io/katib/mxnet-mnist-example + command: + - "python" + - "/mxnet/example/image-classification/train_mnist.py" + - "--batch-size=64" + {{- with .HyperParameters}} + {{- range .}} + - "{{.Name}}={{.Value}}" + {{- end}} + {{- end}} + restartPolicy: Never diff --git a/kustomize/katib-controller/kustomization.yaml b/kustomize/katib-controller/kustomization.yaml new file mode 100644 index 0000000..402b3e3 --- /dev/null +++ b/kustomize/katib-controller/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/instance: katib-controller-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: katib-controller + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml +- overlays/istio/katib-ui-virtual-service.yaml diff --git a/kustomize/katib-controller/overlays/application/application.yaml b/kustomize/katib-controller/overlays/application/application.yaml new file mode 100644 index 0000000..ef73c19 --- /dev/null +++ b/kustomize/katib-controller/overlays/application/application.yaml @@ -0,0 +1,62 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: katib-controller +spec: + selector: + matchLabels: + app.kubernetes.io/name: katib-controller + app.kubernetes.io/instance: katib-controller-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: katib + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: Secret + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: Experiment + - group: kubeflow.org + kind: Suggestion + - group: kubeflow.org + kind: Trial + descriptor: + type: "katib" + version: "v1alpha3" + description: "Katib is a service for hyperparameter tuning and neural architecture search." + maintainers: + - name: Ce Gao + email: gaoce@caicloud.io + - name: Johnu George + email: johnugeo@cisco.com + - name: Hougang Liu + email: liuhougang6@126.com + - name: Richard Liu + email: ricliu@google.com + - name: YujiOshima + email: yuji.oshima0x3fd@gmail.com + owners: + - name: Ce Gao + email: gaoce@caicloud.io + - name: Johnu George + email: johnugeo@cisco.com + - name: Hougang Liu + email: liuhougang6@126.com + - name: Richard Liu + email: ricliu@google.com + - name: YujiOshima + email: yuji.oshima0x3fd@gmail.com + keywords: + - katib + - katib-controller + - hyperparameter tuning + links: + - description: About + url: "https://github.com/kubeflow/katib" + addOwnerRef: true diff --git a/kustomize/katib-controller/overlays/application/kustomization.yaml b/kustomize/katib-controller/overlays/application/kustomization.yaml new file mode 100644 index 0000000..f777c91 --- /dev/null +++ b/kustomize/katib-controller/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: katib-controller + app.kubernetes.io/instance: katib-controller-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: katib + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/katib-controller/overlays/ibm-storage-config/katib-db-deployment.yaml b/kustomize/katib-controller/overlays/ibm-storage-config/katib-db-deployment.yaml new file mode 100644 index 0000000..3d8df89 --- /dev/null +++ b/kustomize/katib-controller/overlays/ibm-storage-config/katib-db-deployment.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: katib-db +spec: + template: + spec: + containers: + - name: katib-db + # Base's livenessProbe created some kernel errors on non-POSIX filesystem + livenessProbe: null diff --git a/kustomize/katib-controller/overlays/ibm-storage-config/kustomization.yaml b/kustomize/katib-controller/overlays/ibm-storage-config/kustomization.yaml new file mode 100644 index 0000000..d490407 --- /dev/null +++ b/kustomize/katib-controller/overlays/ibm-storage-config/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- katib-db-deployment.yaml +images: + - name: mysql + newTag: "5.6" + newName: mysql diff --git a/kustomize/katib-controller/overlays/istio/katib-ui-virtual-service.yaml b/kustomize/katib-controller/overlays/istio/katib-ui-virtual-service.yaml new file mode 100644 index 0000000..d13cca8 --- /dev/null +++ b/kustomize/katib-controller/overlays/istio/katib-ui-virtual-service.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: katib-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /katib/ + rewrite: + uri: /katib/ + route: + - destination: + host: katib-ui.$(namespace).svc.$(clusterDomain) + port: + number: 80 diff --git a/kustomize/katib-controller/overlays/istio/kustomization.yaml b/kustomize/katib-controller/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..0f16884 --- /dev/null +++ b/kustomize/katib-controller/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- katib-ui-virtual-service.yaml +configurations: +- params.yaml diff --git a/kustomize/katib-controller/overlays/istio/params.yaml b/kustomize/katib-controller/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/katib-controller/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/katib-crds/base/experiment-crd.yaml b/kustomize/katib-crds/base/experiment-crd.yaml new file mode 100644 index 0000000..a6d5fb1 --- /dev/null +++ b/kustomize/katib-crds/base/experiment-crd.yaml @@ -0,0 +1,25 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: experiments.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: Status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + version: v1alpha3 + scope: Namespaced + subresources: + status: {} + names: + kind: Experiment + singular: experiment + plural: experiments + categories: + - all + - kubeflow + - katib diff --git a/kustomize/katib-crds/base/kustomization.yaml b/kustomize/katib-crds/base/kustomization.yaml new file mode 100644 index 0000000..a25fb65 --- /dev/null +++ b/kustomize/katib-crds/base/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: kubeflow +resources: +- experiment-crd.yaml +- suggestion-crd.yaml +- trial-crd.yaml +generatorOptions: + disableNameSuffixHash: true diff --git a/kustomize/katib-crds/base/suggestion-crd.yaml b/kustomize/katib-crds/base/suggestion-crd.yaml new file mode 100644 index 0000000..0c725ab --- /dev/null +++ b/kustomize/katib-crds/base/suggestion-crd.yaml @@ -0,0 +1,34 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: suggestions.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: Type + type: string + - JSONPath: .status.conditions[-1:].status + name: Status + type: string + - JSONPath: .spec.requests + name: Requested + type: string + - JSONPath: .status.suggestionCount + name: Assigned + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + version: v1alpha3 + scope: Namespaced + subresources: + status: {} + names: + kind: Suggestion + singular: suggestion + plural: suggestions + categories: + - all + - kubeflow + - katib diff --git a/kustomize/katib-crds/base/trial-crd.yaml b/kustomize/katib-crds/base/trial-crd.yaml new file mode 100644 index 0000000..f7cea34 --- /dev/null +++ b/kustomize/katib-crds/base/trial-crd.yaml @@ -0,0 +1,28 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: trials.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: Type + type: string + - JSONPath: .status.conditions[-1:].status + name: Status + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + version: v1alpha3 + scope: Namespaced + subresources: + status: {} + names: + kind: Trial + singular: trial + plural: trials + categories: + - all + - kubeflow + - katib diff --git a/kustomize/katib-crds/kustomization.yaml b/kustomize/katib-crds/kustomization.yaml new file mode 100644 index 0000000..5ccd2a7 --- /dev/null +++ b/kustomize/katib-crds/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: katib + app.kubernetes.io/instance: katib-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: katib-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/katib-crds/overlays/application/application.yaml b/kustomize/katib-crds/overlays/application/application.yaml new file mode 100644 index 0000000..8b57899 --- /dev/null +++ b/kustomize/katib-crds/overlays/application/application.yaml @@ -0,0 +1,60 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: katib-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: katib-crds + app.kubernetes.io/instance: katib-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: katib + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: Experiment + - group: kubeflow.org + kind: Suggestion + - group: kubeflow.org + kind: Trial + descriptor: + type: "katib" + version: "v1alpha3" + description: "Katib is a service for hyperparameter tuning and neural architecture search." + maintainers: + - name: Ce Gao + email: gaoce@caicloud.io + - name: Johnu George + email: johnugeo@cisco.com + - name: Hougang Liu + email: liuhougang6@126.com + - name: Richard Liu + email: ricliu@google.com + - name: YujiOshima + email: yuji.oshima0x3fd@gmail.com + owners: + - name: Ce Gao + email: gaoce@caicloud.io + - name: Johnu George + email: johnugeo@cisco.com + - name: Hougang Liu + email: liuhougang6@126.com + - name: Richard Liu + email: ricliu@google.com + - name: YujiOshima + email: yuji.oshima0x3fd@gmail.com + keywords: + - katib + - katib-controller + - hyperparameter tuning + links: + - description: About + url: "https://github.com/kubeflow/katib" + addOwnerRef: true diff --git a/kustomize/katib-crds/overlays/application/kustomization.yaml b/kustomize/katib-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000..f654d48 --- /dev/null +++ b/kustomize/katib-crds/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: katib-crds + app.kubernetes.io/instance: katib-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: katib + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/kfserving-crds/base/crd.yaml b/kustomize/kfserving-crds/base/crd.yaml new file mode 100644 index 0000000..5b7329b --- /dev/null +++ b/kustomize/kfserving-crds/base/crd.yaml @@ -0,0 +1,613 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + labels: + controller-tools.k8s.io: "1.0" + name: inferenceservices.serving.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.url + name: URL + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.traffic + name: Default Traffic + type: integer + - JSONPath: .status.canaryTraffic + name: Canary Traffic + type: integer + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: serving.kubeflow.org + names: + kind: InferenceService + plural: inferenceservices + shortNames: + - inferenceservice + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + canary: + description: Canary defines an alternate endpoints to route a percentage + of traffic. + properties: + explainer: + description: Explainer defines the model explanation service spec, + explainer service calls to predictor or transformer if it is specified. + properties: + alibi: + description: Spec for alibi explainer + properties: + config: + description: Inline custom parameter settings for explainer + type: object + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Defaults to latest Alibi Version + type: string + storageUri: + description: The location of a trained explanation model + type: string + type: + description: The type of Alibi explainer + type: string + required: + - type + type: object + custom: + description: Spec for a custom explainer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + predictor: + description: Predictor defines the model serving spec +required + properties: + custom: + description: Spec for a custom predictor + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + onnx: + description: Spec for ONNX runtime (https://github.com/microsoft/onnxruntime) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + pytorch: + description: Spec for PyTorch predictor + properties: + modelClassName: + description: Defaults PyTorch model class name to 'PyTorchModel' + type: string + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + sklearn: + description: Spec for SKLearn predictor + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorflow: + description: Spec for Tensorflow Serving (https://github.com/tensorflow/serving) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map. + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorrt: + description: Spec for TensorRT Inference Server (https://github.com/NVIDIA/tensorrt-inference-server) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + xgboost: + description: Spec for XGBoost predictor + properties: + nthread: + description: Number of thread to be used by XGBoost + format: int64 + type: integer + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + type: object + transformer: + description: Transformer defines the pre/post processing before + and after the predictor call, transformer service calls to predictor + service. + properties: + custom: + description: Spec for a custom transformer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + required: + - predictor + type: object + canaryTrafficPercent: + description: CanaryTrafficPercent defines the percentage of traffic + going to canary InferenceService endpoints + format: int64 + type: integer + default: + description: Default defines default InferenceService endpoints +required + properties: + explainer: + description: Explainer defines the model explanation service spec, + explainer service calls to predictor or transformer if it is specified. + properties: + alibi: + description: Spec for alibi explainer + properties: + config: + description: Inline custom parameter settings for explainer + type: object + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Defaults to latest Alibi Version + type: string + storageUri: + description: The location of a trained explanation model + type: string + type: + description: The type of Alibi explainer + type: string + required: + - type + type: object + custom: + description: Spec for a custom explainer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + predictor: + description: Predictor defines the model serving spec +required + properties: + custom: + description: Spec for a custom predictor + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + onnx: + description: Spec for ONNX runtime (https://github.com/microsoft/onnxruntime) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + pytorch: + description: Spec for PyTorch predictor + properties: + modelClassName: + description: Defaults PyTorch model class name to 'PyTorchModel' + type: string + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + sklearn: + description: Spec for SKLearn predictor + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorflow: + description: Spec for Tensorflow Serving (https://github.com/tensorflow/serving) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map. + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + tensorrt: + description: Spec for TensorRT Inference Server (https://github.com/NVIDIA/tensorrt-inference-server) + properties: + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + xgboost: + description: Spec for XGBoost predictor + properties: + nthread: + description: Number of thread to be used by XGBoost + format: int64 + type: integer + resources: + description: Defaults to requests and limits of 1CPU, 2Gb + MEM. + type: object + runtimeVersion: + description: Allowed runtime versions are specified in the + inferenceservice config map + type: string + storageUri: + description: The location of the trained model + type: string + required: + - storageUri + type: object + type: object + transformer: + description: Transformer defines the pre/post processing before + and after the predictor call, transformer service calls to predictor + service. + properties: + custom: + description: Spec for a custom transformer + properties: + container: + type: object + required: + - container + type: object + logger: + description: Activate request/response logging + properties: + mode: + description: What payloads to log + type: string + url: + description: URL to send request logging CloudEvents + type: string + type: object + maxReplicas: + description: This is the up bound for autoscaler to scale to + format: int64 + type: integer + minReplicas: + description: Minimum number of replicas, pods won't scale down + to 0 in case of no traffic + format: int64 + type: integer + serviceAccountName: + description: ServiceAccountName is the name of the ServiceAccount + to use to run the service + type: string + type: object + required: + - predictor + type: object + required: + - default + type: object + status: + properties: + canary: + description: Statuses for the canary endpoints of the InferenceService + type: object + canaryTraffic: + description: Traffic percentage that goes to canary services + format: int64 + type: integer + conditions: + description: Conditions the latest available observations of a resource's + current state. +patchMergeKey=type +patchStrategy=merge + items: + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition + transitioned from one status to another. We use VolatileTime + in place of metav1.Time to exclude this from creating equality.Semantic + differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type + of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + +required + type: string + type: + description: Type of condition. +required + type: string + required: + - type + - status + type: object + type: array + default: + description: Statuses for the default endpoints of the InferenceService + type: object + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that + was last processed by the controller. + format: int64 + type: integer + traffic: + description: Traffic percentage that goes to default services + format: int64 + type: integer + url: + description: URL of the InferenceService + type: string + type: object + version: v1alpha2 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/kustomize/kfserving-crds/base/kustomization.yaml b/kustomize/kfserving-crds/base/kustomization.yaml new file mode 100644 index 0000000..6e120e7 --- /dev/null +++ b/kustomize/kfserving-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kustomize/kfserving-crds/kustomization.yaml b/kustomize/kfserving-crds/kustomization.yaml new file mode 100644 index 0000000..8c49699 --- /dev/null +++ b/kustomize/kfserving-crds/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: kfserving-crds + app.kubernetes.io/instance: kfserving-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: kfserving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/kfserving-crds/overlays/application/application.yaml b/kustomize/kfserving-crds/overlays/application/application.yaml new file mode 100644 index 0000000..2841aa9 --- /dev/null +++ b/kustomize/kfserving-crds/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: kfserving-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: kfserving-crds + app.kubernetes.io/instance: kfserving-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kfserving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: kfserving-crds + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - kfserving-crds + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/kfserving-crds/overlays/application/kustomization.yaml b/kustomize/kfserving-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000..b3146ae --- /dev/null +++ b/kustomize/kfserving-crds/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: kfserving-crds + app.kubernetes.io/instance: kfserving-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kfserving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/kfserving-install/base/cluster-role-binding.yaml b/kustomize/kfserving-install/base/cluster-role-binding.yaml new file mode 100644 index 0000000..abb8b2c --- /dev/null +++ b/kustomize/kfserving-install/base/cluster-role-binding.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kfserving-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kfserving-proxy-role +subjects: +- kind: ServiceAccount + name: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: default +--- diff --git a/kustomize/kfserving-install/base/cluster-role.yaml b/kustomize/kfserving-install/base/cluster-role.yaml new file mode 100644 index 0000000..2b851c6 --- /dev/null +++ b/kustomize/kfserving-install/base/cluster-role.yaml @@ -0,0 +1,209 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kfserving-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - serving.knative.dev + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - serving.knative.dev + resources: + - services/status + verbs: + - get + - update + - patch +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - networking.istio.io + resources: + - virtualservices/status + verbs: + - get + - update + - patch +- apiGroups: + - serving.kubeflow.org + resources: + - inferenceservices + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - serving.kubeflow.org + resources: + - inferenceservices/status + verbs: + - get + - update + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-kfserving-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-kfserving-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-kfserving-admin: "true" +rules: +- apiGroups: + - serving.kubeflow.org + resources: + - inferenceservices + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-kfserving-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - serving.kubeflow.org + resources: + - inferenceservices + verbs: + - get + - list + - watch diff --git a/kustomize/kfserving-install/base/config-map.yaml b/kustomize/kfserving-install/base/config-map.yaml new file mode 100644 index 0000000..c152a45 --- /dev/null +++ b/kustomize/kfserving-install/base/config-map.yaml @@ -0,0 +1,102 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: inferenceservice-config +data: + predictors: |- + { + "tensorflow": { + "image": "tensorflow/serving", + "defaultImageVersion": "1.14.0", + "defaultGpuImageVersion": "1.14.0-gpu", + "allowedImageVersions": [ + "1.11.0", + "1.11.0-gpu", + "1.12.0", + "1.12.0-gpu", + "1.13.0", + "1.13.0-gpu", + "1.14.0", + "1.14.0-gpu" + ] + }, + "onnx": { + "image": "mcr.microsoft.com/onnxruntime/server", + "defaultImageVersion": "v0.5.1", + "allowedImageVersions": [ + "v0.5.1" + ] + }, + "sklearn": { + "image": "gcr.io/kfserving/sklearnserver", + "defaultImageVersion": "0.2.2", + "allowedImageVersions": [ + "0.2.2" + ] + }, + "xgboost": { + "image": "gcr.io/kfserving/xgbserver", + "defaultImageVersion": "0.2.2", + "allowedImageVersions": [ + "0.2.2" + ] + }, + "pytorch": { + "image": "gcr.io/kfserving/pytorchserver", + "defaultImageVersion": "0.2.2", + "allowedImageVersions": [ + "0.2.2" + ] + }, + "tensorrt": { + "image": "nvcr.io/nvidia/tensorrtserver", + "defaultImageVersion": "19.05-py3", + "allowedImageVersions": [ + "19.05-py3" + ] + } + } + transformers: |- + { + } + explainers: |- + { + "alibi": { + "image" : "gcr.io/kfserving/alibi-explainer", + "defaultImageVersion": "0.2.2", + "allowedImageVersions": [ + "0.2.2" + ] + } + } + storageInitializer: |- + { + "image" : "gcr.io/kfserving/storage-initializer:0.2.2", + "memoryRequest": "100Mi", + "memoryLimit": "1Gi", + "cpuRequest": "100m", + "cpuLimit": "1" + } + credentials: |- + { + "gcs": { + "gcsCredentialFileName": "gcloud-application-credentials.json" + }, + "s3": { + "s3AccessKeyIDName": "awsAccessKeyID", + "s3SecretAccessKeyName": "awsSecretAccessKey" + } + } + ingress: |- + { + "ingressGateway" : "knative-ingress-gateway.knative-serving", + "ingressService" : "istio-ingressgateway.istio-system.svc.cluster.local" + } + logger: |- + { + "image" : "gcr.io/kfserving/logger:0.2.2", + "memoryRequest": "100Mi", + "memoryLimit": "1Gi", + "cpuRequest": "100m", + "cpuLimit": "1" + } \ No newline at end of file diff --git a/kustomize/kfserving-install/base/kustomization.yaml b/kustomize/kfserving-install/base/kustomization.yaml new file mode 100644 index 0000000..f452fba --- /dev/null +++ b/kustomize/kfserving-install/base/kustomization.yaml @@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- config-map.yaml +- secret.yaml +- statefulset.yaml +- service.yaml +commonLabels: + kustomize.component: kfserving +configMapGenerator: +- name: kfserving-parameters + env: params.env +vars: +- name: registry + objref: + kind: ConfigMap + name: kfserving-parameters + apiVersion: v1 + fieldref: + fieldpath: data.registry +configurations: +- params.yaml +images: +- name: gcr.io/kubebuilder/kube-rbac-proxy + newName: gcr.io/kubebuilder/kube-rbac-proxy + newTag: v0.4.0 +- name: $(registry)/kfserving-controller + newName: $(registry)/kfserving-controller + newTag: 0.2.2 diff --git a/kustomize/kfserving-install/base/params.env b/kustomize/kfserving-install/base/params.env new file mode 100644 index 0000000..ca48d46 --- /dev/null +++ b/kustomize/kfserving-install/base/params.env @@ -0,0 +1 @@ +registry=gcr.io/kfserving diff --git a/kustomize/kfserving-install/base/params.yaml b/kustomize/kfserving-install/base/params.yaml new file mode 100644 index 0000000..a7b94f6 --- /dev/null +++ b/kustomize/kfserving-install/base/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: spec/template/spec/containers/image + kind: StatefulSet +- path: data/frameworks + kind: ConfigMap diff --git a/kustomize/kfserving-install/base/secret.yaml b/kustomize/kfserving-install/base/secret.yaml new file mode 100644 index 0000000..6213658 --- /dev/null +++ b/kustomize/kfserving-install/base/secret.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Secret +metadata: + name: kfserving-webhook-server-secret diff --git a/kustomize/kfserving-install/base/service.yaml b/kustomize/kfserving-install/base/service.yaml new file mode 100644 index 0000000..29398ef --- /dev/null +++ b/kustomize/kfserving-install/base/service.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "8443" + prometheus.io/scheme: https + prometheus.io/scrape: "true" + labels: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" + name: kfserving-controller-manager-metrics-service +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager + controller-tools.k8s.io: "1.0" +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: kfserving-controller-manager + controller-tools.k8s.io: "1.0" + name: kfserving-controller-manager-service +spec: + ports: + - port: 443 + selector: + control-plane: kfserving-controller-manager + controller-tools.k8s.io: "1.0" +--- diff --git a/kustomize/kfserving-install/base/statefulset.yaml b/kustomize/kfserving-install/base/statefulset.yaml new file mode 100644 index 0000000..1a1beec --- /dev/null +++ b/kustomize/kfserving-install/base/statefulset.yaml @@ -0,0 +1,70 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + control-plane: kfserving-controller-manager + controller-tools.k8s.io: "1.0" + name: kfserving-controller-manager +spec: + selector: + matchLabels: + control-plane: kfserving-controller-manager + controller-tools.k8s.io: "1.0" + serviceName: controller-manager-service + template: + metadata: + labels: + control-plane: kfserving-controller-manager + controller-tools.k8s.io: "1.0" + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + - args: + - --metrics-addr=127.0.0.1:8080 + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SECRET_NAME + value: kfserving-webhook-server-secret + - name: ENABLE_WEBHOOK_NAMESPACE_SELECTOR + value: enabled + image: $(registry)/kfserving-controller:0.2.2 + imagePullPolicy: Always + name: manager + ports: + - containerPort: 9876 + name: webhook-server + protocol: TCP + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 200Mi + volumeMounts: + - mountPath: /tmp/cert + name: cert + readOnly: true + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: kfserving-webhook-server-secret + volumeClaimTemplates: [] diff --git a/kustomize/kfserving-install/kustomization.yaml b/kustomize/kfserving-install/kustomization.yaml new file mode 100644 index 0000000..dabdee8 --- /dev/null +++ b/kustomize/kfserving-install/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: kfserving-install + app.kubernetes.io/instance: kfserving-install-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: kfserving-install + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/kfserving-install/overlays/application/application.yaml b/kustomize/kfserving-install/overlays/application/application.yaml new file mode 100644 index 0000000..c96444c --- /dev/null +++ b/kustomize/kfserving-install/overlays/application/application.yaml @@ -0,0 +1,40 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: "kfserving" +spec: + selector: + matchLabels: + app.kubernetes.io/name: kfserving-install + app.kubernetes.io/instance: kfserving-install-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kfserving-install + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + type: "kfserving" + componentKinds: + - group: apps/v1 + kind: StatefulSet + - group: v1 + kind: Service + - group: apps/v1 + kind: Deployment + - group: v1 + kind: Secret + - group: v1 + kind: ConfigMap + version: "v1alpha2" + description: "KFServing provides a Kubernetes Custom Resource Definition for serving ML Models on arbitrary frameworks" + icons: + maintainers: + - name: Johnu George + email: johnugeo@cisco.com + owners: + - name: Johnu George + email: johnugeo@cisco.com + keywords: + - "kfserving" + - "inference" + links: + - description: About + url: "https://github.com/kubeflow/kfserving" diff --git a/kustomize/kfserving-install/overlays/application/kustomization.yaml b/kustomize/kfserving-install/overlays/application/kustomization.yaml new file mode 100644 index 0000000..f98e870 --- /dev/null +++ b/kustomize/kfserving-install/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: kfserving-install + app.kubernetes.io/instance: kfserving-install-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: kfserving-install + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/knative-crds/base/crd.yaml b/kustomize/knative-crds/base/crd.yaml new file mode 100644 index 0000000..29ba272 --- /dev/null +++ b/kustomize/knative-crds/base/crd.yaml @@ -0,0 +1,396 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: certificates.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=="Ready")].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: Certificate + plural: certificates + shortNames: + - kcert + singular: certificate + scope: Namespaced + subresources: + status: {} + version: v1alpha1 + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: clusteringresses.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: ClusterIngress + plural: clusteringresses + singular: clusteringress + scope: Cluster + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + name: images.caching.internal.knative.dev +spec: + group: caching.internal.knative.dev + names: + categories: + - knative-internal + - caching + kind: Image + plural: images + shortNames: + - img + singular: image + scope: Namespaced + subresources: + status: {} + version: v1alpha1 + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: ingresses.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: Ingress + plural: ingresses + shortNames: + - ing + singular: ingress + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: metrics.autoscaling.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: autoscaling.internal.knative.dev + names: + categories: + - knative-internal + - autoscaling + kind: Metric + plural: metrics + singular: metric + scope: Namespaced + subresources: + status: {} + version: v1alpha1 + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: podautoscalers.autoscaling.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: autoscaling.internal.knative.dev + names: + categories: + - knative-internal + - autoscaling + kind: PodAutoscaler + plural: podautoscalers + shortNames: + - kpa + - pa + singular: podautoscaler + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: serverlessservices.networking.internal.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .spec.mode + name: Mode + type: string + - JSONPath: .status.serviceName + name: ServiceName + type: string + - JSONPath: .status.privateServiceName + name: PrivateServiceName + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: networking.internal.knative.dev + names: + categories: + - knative-internal + - networking + kind: ServerlessService + plural: serverlessservices + shortNames: + - sks + singular: serverlessservice + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: configurations.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.latestCreatedRevisionName + name: LatestCreated + type: string + - JSONPath: .status.latestReadyRevisionName + name: LatestReady + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Configuration + plural: configurations + shortNames: + - config + - cfg + singular: configuration + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: revisions.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .metadata.labels['serving\.knative\.dev/configuration'] + name: Config Name + type: string + - JSONPath: .status.serviceName + name: K8s Service Name + type: string + - JSONPath: .metadata.labels['serving\.knative\.dev/configurationGeneration'] + name: Generation + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Revision + plural: revisions + shortNames: + - rev + singular: revision + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: routes.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.url + name: URL + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Route + plural: routes + shortNames: + - rt + singular: route + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + knative.dev/crd-install: "true" + serving.knative.dev/release: "v0.8.0" + name: services.serving.knative.dev +spec: + additionalPrinterColumns: + - JSONPath: .status.url + name: URL + type: string + - JSONPath: .status.latestCreatedRevisionName + name: LatestCreated + type: string + - JSONPath: .status.latestReadyRevisionName + name: LatestReady + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].status + name: Ready + type: string + - JSONPath: .status.conditions[?(@.type=='Ready')].reason + name: Reason + type: string + group: serving.knative.dev + names: + categories: + - all + - knative + - serving + kind: Service + plural: services + shortNames: + - kservice + - ksvc + singular: service + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: true + +--- diff --git a/kustomize/knative-crds/base/kustomization.yaml b/kustomize/knative-crds/base/kustomization.yaml new file mode 100644 index 0000000..ed2cb28 --- /dev/null +++ b/kustomize/knative-crds/base/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- namespace.yaml +- crd.yaml diff --git a/kustomize/knative-crds/base/namespace.yaml b/kustomize/knative-crds/base/namespace.yaml new file mode 100644 index 0000000..84a55c0 --- /dev/null +++ b/kustomize/knative-crds/base/namespace.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + istio-injection: enabled + serving.knative.dev/release: "v0.8.0" + name: knative-serving + diff --git a/kustomize/knative-crds/kustomization.yaml b/kustomize/knative-crds/kustomization.yaml new file mode 100644 index 0000000..5984d7d --- /dev/null +++ b/kustomize/knative-crds/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: knative-serving-crds + app.kubernetes.io/instance: knative-serving-crds-v0.8.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: knative-serving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.8.0 +kind: Kustomization +namespace: knative-serving +resources: +- overlays/application/application.yaml diff --git a/kustomize/knative-crds/overlays/application/application.yaml b/kustomize/knative-crds/overlays/application/application.yaml new file mode 100644 index 0000000..2d3a1b9 --- /dev/null +++ b/kustomize/knative-crds/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: knative-serving-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: knative-serving-crds + app.kubernetes.io/instance: knative-serving-crds-v0.8.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: knative-serving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.8.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: knative-serving-crds + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - knative-serving-crds + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/knative-crds/overlays/application/kustomization.yaml b/kustomize/knative-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000..cc55882 --- /dev/null +++ b/kustomize/knative-crds/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: knative-serving-crds + app.kubernetes.io/instance: knative-serving-crds-v0.8.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: knative-serving-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.8.0 diff --git a/kustomize/knative-install/base/apiservice.yaml b/kustomize/knative-install/base/apiservice.yaml new file mode 100644 index 0000000..85c60ba --- /dev/null +++ b/kustomize/knative-install/base/apiservice.yaml @@ -0,0 +1,17 @@ +apiVersion: apiregistration.k8s.io/v1beta1 +kind: APIService +metadata: + labels: + autoscaling.knative.dev/metric-provider: custom-metrics + serving.knative.dev/release: "v0.8.0" + name: v1beta1.custom.metrics.k8s.io +spec: + group: custom.metrics.k8s.io + groupPriorityMinimum: 100 + insecureSkipTLSVerify: true + service: + name: autoscaler + namespace: knative-serving + version: v1beta1 + versionPriority: 100 + diff --git a/kustomize/knative-install/base/cluster-role-binding.yaml b/kustomize/knative-install/base/cluster-role-binding.yaml new file mode 100644 index 0000000..522a85d --- /dev/null +++ b/kustomize/knative-install/base/cluster-role-binding.yaml @@ -0,0 +1,50 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + autoscaling.knative.dev/metric-provider: custom-metrics + serving.knative.dev/release: "v0.8.0" + name: custom-metrics:system:auth-delegator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: +- kind: ServiceAccount + name: controller + namespace: knative-serving + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + autoscaling.knative.dev/metric-provider: custom-metrics + serving.knative.dev/release: "v0.8.0" + name: hpa-controller-custom-metrics +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-metrics-server-resources +subjects: +- kind: ServiceAccount + name: horizontal-pod-autoscaler + namespace: kube-system + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: knative-serving-controller-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: knative-serving-admin +subjects: +- kind: ServiceAccount + name: controller + namespace: knative-serving + +--- diff --git a/kustomize/knative-install/base/cluster-role.yaml b/kustomize/knative-install/base/cluster-role.yaml new file mode 100644 index 0000000..430efdb --- /dev/null +++ b/kustomize/knative-install/base/cluster-role.yaml @@ -0,0 +1,183 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/controller: "true" + serving.knative.dev/release: "v0.8.0" + name: knative-serving-istio +rules: +- apiGroups: + - networking.istio.io + resources: + - virtualservices + - gateways + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + autoscaling.knative.dev/metric-provider: custom-metrics + serving.knative.dev/release: "v0.8.0" + name: custom-metrics-server-resources +rules: +- apiGroups: + - custom.metrics.k8s.io + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" + serving.knative.dev/release: "v0.8.0" + name: knative-serving-namespaced-admin +rules: +- apiGroups: + - serving.knative.dev + - networking.internal.knative.dev + - autoscaling.internal.knative.dev + resources: + - '*' + verbs: + - '*' + +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + serving.knative.dev/controller: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: knative-serving-admin +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + serving.knative.dev/controller: "true" + serving.knative.dev/release: "v0.8.0" + name: knative-serving-core +rules: +- apiGroups: + - "" + resources: + - pods + - namespaces + - secrets + - configmaps + - endpoints + - services + - events + - serviceaccounts + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - "" + resources: + - endpoints/restricted + verbs: + - create +- apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - create + - update + - delete + - patch + - watch +- apiGroups: + - serving.knative.dev + - autoscaling.internal.knative.dev + - networking.internal.knative.dev + resources: + - '*' + - '*/status' + - '*/finalizers' + verbs: + - get + - list + - create + - update + - delete + - deletecollection + - patch + - watch +- apiGroups: + - caching.internal.knative.dev + resources: + - images + verbs: + - get + - list + - create + - update + - delete + - patch + - watch + +--- diff --git a/kustomize/knative-install/base/config-map.yaml b/kustomize/knative-install/base/config-map.yaml new file mode 100644 index 0000000..6664b0a --- /dev/null +++ b/kustomize/knative-install/base/config-map.yaml @@ -0,0 +1,633 @@ +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # The Revision ContainerConcurrency field specifies the maximum number + # of requests the Container can handle at once. Container concurrency + # target percentage is how much of that maximum to use in a stable + # state. E.g. if a Revision specifies ContainerConcurrency of 10, then + # the Autoscaler will try to maintain 7 concurrent connections per pod + # on average. + # Note: this limit will be applied to container concurrency set at every + # level (ConfigMap, Revision Spec or Annotation). + # For legacy and backwards compatibility reasons, this value also accepts + # fractional values in (0, 1] interval (i.e. 0.7 ⇒ 70%). + # Thus minimal percentage value must be greater than 1.0, or it will be + # treated as a fraction. + container-concurrency-target-percentage: "70" + + # The container concurrency target default is what the Autoscaler will + # try to maintain when the Revision specifies unlimited concurrency. + # Even when specifying unlimited concurrency, the autoscaler will + # horizontally scale the application based on this target concurrency. + container-concurrency-target-default: "100" + + # The target burst capacity specifies the size of burst in concurrent + # requests that the system operator expects the system will receive. + # Autoscaler will try to protect the system from queueing by introducing + # Activator in the request path if the current spare capacity of the + # service is less than this setting. + # If this setting is 0, then Activator will be in the request path only + # when the revision is scaled to 0. + # If this setting is > 0 and container-concurrency-target-percentage is + # 100% or 1.0, then activator will always be in the request path. + # -1 denotes unlimited target-burst-capacity and activator will always + # be in the request path. + # Other negative values are invalid. + target-burst-capacity: "0" + + # When operating in a stable mode, the autoscaler operates on the + # average concurrency over the stable window. + stable-window: "60s" + + # When observed average concurrency during the panic window reaches + # panic-threshold-percentage the target concurrency, the autoscaler + # enters panic mode. When operating in panic mode, the autoscaler + # scales on the average concurrency over the panic window which is + # panic-window-percentage of the stable-window. + panic-window-percentage: "10.0" + + # Absolute panic window duration. + # Deprecated in favor of panic-window-percentage. + # Existing revisions will continue to scale based on panic-window + # but new revisions will default to panic-window-percentage. + panic-window: "6s" + + # The percentage of the container concurrency target at which to + # enter panic mode when reached within the panic window. + panic-threshold-percentage: "200.0" + + # Max scale up rate limits the rate at which the autoscaler will + # increase pod count. It is the maximum ratio of desired pods versus + # observed pods. + max-scale-up-rate: "1000.0" + + # Scale to zero feature flag + enable-scale-to-zero: "true" + + # Tick interval is the time between autoscaling calculations. + tick-interval: "2s" + + # Dynamic parameters (take effect when config map is updated): + + # Scale to zero grace period is the time an inactive revision is left + # running before it is scaled to zero (min: 30s). + scale-to-zero-grace-period: "30s" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-autoscaler + namespace: knative-serving + +--- + +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # revision-timeout-seconds contains the default number of + # seconds to use for the revision's per-request timeout, if + # none is specified. + revision-timeout-seconds: "300" # 5 minutes + + # max-revision-timeout-seconds contains the maximum number of + # seconds that can be used for revision-timeout-seconds. + # This value must be greater than or equal to revision-timeout-seconds. + # If omitted, the system default is used (600 seconds). + max-revision-timeout-seconds: "600" # 10 minutes + + # revision-cpu-request contains the cpu allocation to assign + # to revisions by default. If omitted, no value is specified + # and the system default is used. + revision-cpu-request: "400m" # 0.4 of a CPU (aka 400 milli-CPU) + + # revision-memory-request contains the memory allocation to assign + # to revisions by default. If omitted, no value is specified + # and the system default is used. + revision-memory-request: "100M" # 100 megabytes of memory + + # revision-cpu-limit contains the cpu allocation to limit + # revisions to by default. If omitted, no value is specified + # and the system default is used. + revision-cpu-limit: "1000m" # 1 CPU (aka 1000 milli-CPU) + + # revision-memory-limit contains the memory allocation to limit + # revisions to by default. If omitted, no value is specified + # and the system default is used. + revision-memory-limit: "200M" # 200 megabytes of memory + + # container-name-template contains a template for the default + # container name, if none is specified. This field supports + # Go templating and is supplied with the ObjectMeta of the + # enclosing Service or Configuration, so values such as + # {{.Name}} are also valid. + container-name-template: "user-container" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-defaults + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # List of repositories for which tag to digest resolving should be skipped + registriesSkippingTagResolving: "ko.local,dev.local" + queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:e0654305370cf3bbbd0f56f97789c92cf5215f752b70902eba5d5fc0e88c5aca +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-deployment + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default value for domain. + # Although it will match all routes, it is the least-specific rule so it + # will only be used if no other domain matches. + example.com: | + + # These are example settings of domain. + # example.org will be used for routes having app=nonprofit. + example.org: | + selector: + app: nonprofit + + # Routes having domain suffix of 'svc.cluster.local' will not be exposed + # through Ingress. You can define your own label selector to assign that + # domain suffix to your Route here, or you can set the label + # "serving.knative.dev/visibility=cluster-local" + # to achieve the same effect. This shows how to make routes having + # the label app=secret only exposed to the local cluster. + svc.cluster.local: | + selector: + app: secret +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-domain + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Delay after revision creation before considering it for GC + stale-revision-create-delay: "24h" + + # Duration since a route has been pointed at a revision before it should be GC'd + # This minus lastpinned-debounce be longer than the controller resync period (10 hours) + stale-revision-timeout: "15h" + + # Minimum number of generations of revisions to keep before considering for GC + stale-revision-minimum-generations: "1" + + # To avoid constant updates, we allow an existing annotation to be stale by this + # amount before we update the timestamp + stale-revision-lastpinned-debounce: "5h" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-gc + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Default Knative Gateway after v0.3. It points to the Istio + # standard istio-ingressgateway, instead of a custom one that we + # used pre-0.3. + gateway.knative-ingress-gateway: "istio-ingressgateway.istio-system.svc.cluster.local" + + # A cluster local gateway to allow pods outside of the mesh to access + # Services and Routes not exposing through an ingress. If the users + # do have a service mesh setup, this isn't required and can be removed. + # + # An example use case is when users want to use Istio without any + # sidecar injection (like Knative's istio-lean.yaml). Since every pod + # is outside of the service mesh in that case, a cluster-local service + # will need to be exposed to a cluster-local gateway to be accessible. + local-gateway.cluster-local-gateway: "cluster-local-gateway.istio-system.svc.cluster.local" + + # To use only Istio service mesh and no cluster-local-gateway, replace + # all local-gateway.* entries the following entry. + local-gateway.mesh: "mesh" + + # Feature flag to enable reconciling external Istio Gateways. + # When auto TLS feature is turned on, reconcileExternalGateway will be automatically enforced. + # 1. true: enabling reconciling external gateways. + # 2. false: disabling reconciling external gateways. + reconcileExternalGateway: "false" +kind: ConfigMap +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/release: "v0.8.0" + name: config-istio + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # Common configuration for all Knative codebase + zap-logger-config: | + { + "level": "info", + "development": false, + "outputPaths": ["stdout"], + "errorOutputPaths": ["stderr"], + "encoding": "json", + "encoderConfig": { + "timeKey": "ts", + "levelKey": "level", + "nameKey": "logger", + "callerKey": "caller", + "messageKey": "msg", + "stacktraceKey": "stacktrace", + "lineEnding": "", + "levelEncoder": "", + "timeEncoder": "iso8601", + "durationEncoder": "", + "callerEncoder": "" + } + } + + # Log level overrides + # For all components except the autoscaler and queue proxy, + # changes are be picked up immediately. + # For autoscaler and queue proxy, changes require recreation of the pods. + loglevel.controller: "info" + loglevel.autoscaler: "info" + loglevel.queueproxy: "info" + loglevel.webhook: "info" + loglevel.activator: "info" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-logging + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # istio.sidecar.includeOutboundIPRanges specifies the IP ranges that Istio sidecar + # will intercept. + # + # Replace this with the IP ranges of your cluster (see below for some examples). + # Separate multiple entries with a comma. + # Example: "10.4.0.0/14,10.7.240.0/20" + # + # If set to "*" Istio will intercept all traffic within + # the cluster as well as traffic that is going outside the cluster. + # Traffic going outside the cluster will be blocked unless + # necessary egress rules are created. + # + # If omitted or set to "", value of global.proxy.includeIPRanges + # provided at Istio deployment time is used. In default Knative serving + # deployment, global.proxy.includeIPRanges value is set to "*". + # + # If an invalid value is passed, "" is used instead. + # + # If valid set of IP address ranges are put into this value, + # Istio will no longer intercept traffic going to IP addresses + # outside the provided ranges and there is no need to specify + # egress rules. + # + # To determine the IP ranges of your cluster: + # IBM Cloud Private: cat cluster/config.yaml | grep service_cluster_ip_range + # IBM Cloud Kubernetes Service: "172.30.0.0/16,172.20.0.0/16,10.10.10.0/24" + # Google Container Engine (GKE): gcloud container clusters describe XXXXXXX --zone=XXXXXX | grep -e clusterIpv4Cidr -e servicesIpv4Cidr + # Azure Kubernetes Service (AKS): "10.0.0.0/16" + # Azure Container Service (ACS; deprecated): "10.244.0.0/16,10.240.0.0/16" + # Azure Container Service Engine (ACS-Engine; OSS): Configurable, but defaults to "10.0.0.0/16" + # Minikube: "10.0.0.1/24" + # + # For more information, visit + # https://istio.io/docs/tasks/traffic-management/egress/ + # + istio.sidecar.includeOutboundIPRanges: "*" + + # clusteringress.class specifies the default cluster ingress class + # to use when not dictated by Route annotation. + # + # If not specified, will use the Istio ingress. + # + # Note that changing the ClusterIngress class of an existing Route + # will result in undefined behavior. Therefore it is best to only + # update this value during the setup of Knative, to avoid getting + # undefined behavior. + clusteringress.class: "istio.ingress.networking.knative.dev" + + # certificate.class specifies the default Certificate class + # to use when not dictated by Route annotation. + # + # If not specified, will use the Cert-Manager Certificate. + # + # Note that changing the Certificate class of an existing Route + # will result in undefined behavior. Therefore it is best to only + # update this value during the setup of Knative, to avoid getting + # undefined behavior. + certificate.class: "cert-manager.certificate.networking.internal.knative.dev" + + # domainTemplate specifies the golang text template string to use + # when constructing the Knative service's DNS name. The default + # value is "{{.Name}}.{{.Namespace}}.{{.Domain}}". And those three + # values (Name, Namespace, Domain) are the only variables defined. + # + # Changing this value might be necessary when the extra levels in + # the domain name generated is problematic for wildcard certificates + # that only support a single level of domain name added to the + # certificate's domain. In those cases you might consider using a value + # of "{{.Name}}-{{.Namespace}}.{{.Domain}}", or removing the Namespace + # entirely from the template. When choosing a new value be thoughtful + # of the potential for conflicts - for example, when users choose to use + # characters such as - in their service, or namespace, names. + # {{.Annotations}} can be used for any customization in the go template if needed. + # We strongly recommend keeping namespace part of the template to avoid domain name clashes + # Example '{{.Name}}-{{.Namespace}}.{{ index .Annotations "sub"}}.{{.Domain}}' + # and you have an annotation {"sub":"foo"}, then the generated template would be {Name}-{Namespace}.foo.{Domain} + domainTemplate: "{{.Name}}.{{.Namespace}}.{{.Domain}}" + + # tagTemplate specifies the golang text template string to use + # when constructing the DNS name for "tags" within the traffic blocks + # of Routes and Configuration. This is used in conjunction with the + # domainTemplate above to determine the full URL for the tag. + tagTemplate: "{{.Name}}-{{.Tag}}" + + # Controls whether TLS certificates are automatically provisioned and + # installed in the Knative ingress to terminate external TLS connection. + # 1. Enabled: enabling auto-TLS feature. + # 2. Disabled: disabling auto-TLS feature. + autoTLS: "Disabled" + + # Controls the behavior of the HTTP endpoint for the Knative ingress. + # It requires autoTLS to be enabled. + # 1. Enabled: The Knative ingress will be able to serve HTTP connection. + # 2. Disabled: The Knative ingress ter will reject HTTP traffic. + # 3. Redirected: The Knative ingress will send a 302 redirect for all + # http connections, asking the clients to use HTTPS + httpProtocol: "Enabled" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-network + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + + # logging.enable-var-log-collection defaults to false. + # The fluentd daemon set will be set up to collect /var/log if + # this flag is true. + logging.enable-var-log-collection: false + + # logging.revision-url-template provides a template to use for producing the + # logging URL that is injected into the status of each Revision. + # This value is what you might use the the Knative monitoring bundle, and provides + # access to Kibana after setting up kubectl proxy. + logging.revision-url-template: | + http://localhost:8001/api/v1/namespaces/knative-monitoring/services/kibana-logging/proxy/app/kibana#/discover?_a=(query:(match:(kubernetes.labels.serving-knative-dev%2FrevisionUID:(query:'${REVISION_UID}',type:phrase)))) + + # If non-empty, this enables queue proxy writing request logs to stdout. + # The value determines the shape of the request logs and it must be a valid go text/template. + # It is important to keep this as a single line. Multiple lines are parsed as separate entities + # by most collection agents and will split the request logs into multiple records. + # + # The following fields and functions are available to the template: + # + # Request: An http.Request (see https://golang.org/pkg/net/http/#Request) + # representing an HTTP request received by the server. + # + # Response: + # struct { + # Code int // HTTP status code (see https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml) + # Size int // An int representing the size of the response. + # Latency float64 // A float64 representing the latency of the response in seconds. + # } + # + # Revision: + # struct { + # Name string // Knative revision name + # Namespace string // Knative revision namespace + # Service string // Knative service name + # Configuration string // Knative configuration name + # PodName string // Name of the pod hosting the revision + # PodIP string // IP of the pod hosting the revision + # } + # + logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}' + + # metrics.backend-destination field specifies the system metrics destination. + # It supports either prometheus (the default) or stackdriver. + # Note: Using stackdriver will incur additional charges + metrics.backend-destination: prometheus + + # metrics.request-metrics-backend-destination specifies the request metrics + # destination. If non-empty, it enables queue proxy to send request metrics. + # Currently supported values: prometheus, stackdriver. + metrics.request-metrics-backend-destination: prometheus + + # metrics.stackdriver-project-id field specifies the stackdriver project ID. This + # field is optional. When running on GCE, application default credentials will be + # used if this field is not provided. + metrics.stackdriver-project-id: "" + + # metrics.allow-stackdriver-custom-metrics indicates whether it is allowed to send metrics to + # Stackdriver using "global" resource type and custom metric type if the + # metrics are not supported by "knative_revision" resource type. Setting this + # flag to "true" could cause extra Stackdriver charge. + # If metrics.backend-destination is not Stackdriver, this is ignored. + metrics.allow-stackdriver-custom-metrics: "false" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-observability + namespace: knative-serving + +--- +apiVersion: v1 +data: + _example: | + ################################ + # # + # EXAMPLE CONFIGURATION # + # # + ################################ + + # This block is not actually functional configuration, + # but serves to illustrate the available configuration + # options and document them in a way that is accessible + # to users that kubectl edit this config map. + # + # These sample configuration options may be copied out of + # this example block and unindented to be in the data block + # to actually change the configuration. + # + # If true we enable adding spans within our applications. + enable: "false" + + # URL to zipkin collector where traces are sent. + zipkin-endpoint: "http://zipkin.istio-system.svc.cluster.local:9411/api/v2/spans" + + # Enable zipkin debug mode. This allows all spans to be sent to the server + # bypassing sampling. + debug: "false" + + # Percentage (0-1) of requests to trace + sample-rate: "0.1" +kind: ConfigMap +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: config-tracing + namespace: knative-serving + +--- diff --git a/kustomize/knative-install/base/deployment.yaml b/kustomize/knative-install/base/deployment.yaml new file mode 100644 index 0000000..fb451bd --- /dev/null +++ b/kustomize/knative-install/base/deployment.yaml @@ -0,0 +1,350 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + role: activator + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + sidecar.istio.io/inject: "true" + labels: + app: activator + role: activator + serving.knative.dev/release: "v0.8.0" + spec: + containers: + - args: + - -logtostderr=false + - -stderrthreshold=FATAL + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/serving + image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:88d864eb3c47881cf7ac058479d1c735cc3cf4f07a11aad0621cd36dcd9ae3c6 + livenessProbe: + httpGet: + httpHeaders: + - name: k-kubelet-probe + value: activator + path: /healthz + port: 8012 + name: activator + ports: + - containerPort: 8012 + name: http1-port + - containerPort: 8013 + name: h2c-port + - containerPort: 9090 + name: metrics-port + readinessProbe: + httpGet: + httpHeaders: + - name: k-kubelet-probe + value: activator + path: /healthz + port: 8012 + resources: + limits: + cpu: 1000m + memory: 600Mi + requests: + cpu: 300m + memory: 60Mi + securityContext: + allowPrivilegeEscalation: false + serviceAccountName: controller + terminationGracePeriodSeconds: 300 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + autoscaling.knative.dev/autoscaler-provider: hpa + serving.knative.dev/release: "v0.8.0" + name: autoscaler-hpa + namespace: knative-serving +spec: + replicas: 1 + selector: + matchLabels: + app: autoscaler-hpa + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: autoscaler-hpa + serving.knative.dev/release: "v0.8.0" + spec: + containers: + - env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/serving + image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa@sha256:a7801c3cf4edecfa51b7bd2068f97941f6714f7922cb4806245377c2b336b723 + name: autoscaler-hpa + ports: + - containerPort: 9090 + name: metrics + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + serviceAccountName: controller + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: autoscaler + namespace: knative-serving +spec: + replicas: 1 + selector: + matchLabels: + app: autoscaler + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + sidecar.istio.io/inject: "true" + traffic.sidecar.istio.io/includeInboundPorts: 8080,9090 + labels: + app: autoscaler + serving.knative.dev/release: "v0.8.0" + spec: + containers: + - args: + - --secure-port=8443 + - --cert-dir=/tmp + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/serving + image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:aeaacec4feedee309293ac21da13e71a05a2ad84b1d5fcc01ffecfa6cfbb2870 + livenessProbe: + httpGet: + httpHeaders: + - name: k-kubelet-probe + value: autoscaler + path: /healthz + port: 8080 + name: autoscaler + ports: + - containerPort: 8080 + name: websocket + - containerPort: 9090 + name: metrics + - containerPort: 8443 + name: custom-metrics + readinessProbe: + httpGet: + httpHeaders: + - name: k-kubelet-probe + value: autoscaler + path: /healthz + port: 8080 + resources: + limits: + cpu: 300m + memory: 400Mi + requests: + cpu: 30m + memory: 40Mi + securityContext: + allowPrivilegeEscalation: false + serviceAccountName: controller + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/release: "v0.8.0" + name: networking-istio + namespace: knative-serving +spec: + replicas: 1 + selector: + matchLabels: + app: networking-istio + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: networking-istio + spec: + containers: + - env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/serving + image: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio@sha256:057c999bccfe32e9889616b571dc8d389c742ff66f0b5516bad651f05459b7bc + name: networking-istio + ports: + - containerPort: 9090 + name: metrics + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + serviceAccountName: controller + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: webhook + namespace: knative-serving +spec: + replicas: 1 + selector: + matchLabels: + app: webhook + role: webhook + template: + metadata: + annotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "false" + sidecar.istio.io/inject: "false" + labels: + app: webhook + role: webhook + serving.knative.dev/release: "v0.8.0" + spec: + containers: + - env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/serving + image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:c2076674618933df53e90cf9ddd17f5ddbad513b8c95e955e45e37be7ca9e0e8 + name: webhook + ports: + - containerPort: 9090 + name: metrics-port + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 20m + memory: 20Mi + securityContext: + allowPrivilegeEscalation: false + serviceAccountName: controller + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: controller + namespace: knative-serving +spec: + replicas: 1 + selector: + matchLabels: + app: controller + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: controller + serving.knative.dev/release: "v0.8.0" + spec: + containers: + - env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: CONFIG_OBSERVABILITY_NAME + value: config-observability + - name: METRICS_DOMAIN + value: knative.dev/serving + image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:3b096e55fa907cff53d37dadc5d20c29cea9bb18ed9e921a588fee17beb937df + name: controller + ports: + - containerPort: 9090 + name: metrics + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: + allowPrivilegeEscalation: false + serviceAccountName: controller + +--- + diff --git a/kustomize/knative-install/base/gateway.yaml b/kustomize/knative-install/base/gateway.yaml new file mode 100644 index 0000000..2836063 --- /dev/null +++ b/kustomize/knative-install/base/gateway.yaml @@ -0,0 +1,47 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/release: "v0.8.0" + name: knative-ingress-gateway + namespace: knative-serving +spec: + selector: + istio: ingressgateway + servers: + - hosts: + - '*' + port: + name: http + number: 80 + protocol: HTTP + - hosts: + - '*' + port: + name: https + number: 443 + protocol: HTTPS + tls: + mode: PASSTHROUGH + +--- +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + labels: + networking.knative.dev/ingress-provider: istio + serving.knative.dev/release: "v0.8.0" + name: cluster-local-gateway + namespace: knative-serving +spec: + selector: + istio: cluster-local-gateway + servers: + - hosts: + - '*' + port: + name: http + number: 80 + protocol: HTTP + diff --git a/kustomize/knative-install/base/hpa.yaml b/kustomize/knative-install/base/hpa.yaml new file mode 100644 index 0000000..2d295cf --- /dev/null +++ b/kustomize/knative-install/base/hpa.yaml @@ -0,0 +1,18 @@ +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: activator + namespace: knative-serving +spec: + maxReplicas: 20 + metrics: + - resource: + name: cpu + targetAverageUtilization: 100 + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: activator + diff --git a/kustomize/knative-install/base/image.yaml b/kustomize/knative-install/base/image.yaml new file mode 100644 index 0000000..0ac8cf5 --- /dev/null +++ b/kustomize/knative-install/base/image.yaml @@ -0,0 +1,10 @@ +apiVersion: caching.internal.knative.dev/v1alpha1 +kind: Image +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: queue-proxy + namespace: knative-serving +spec: + image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:e0654305370cf3bbbd0f56f97789c92cf5215f752b70902eba5d5fc0e88c5aca + diff --git a/kustomize/knative-install/base/kustomization.yaml b/kustomize/knative-install/base/kustomization.yaml new file mode 100644 index 0000000..4e00a2c --- /dev/null +++ b/kustomize/knative-install/base/kustomization.yaml @@ -0,0 +1,38 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: knative-serving +resources: +- gateway.yaml +- cluster-role.yaml +- cluster-role-binding.yaml +- service-role.yaml +- service-role-binding.yaml +- role-binding.yaml +- config-map.yaml +- deployment.yaml +- service-account.yaml +- service.yaml +- apiservice.yaml +- image.yaml +- hpa.yaml +commonLabels: + kustomize.component: knative +images: +- name: gcr.io/knative-releases/knative.dev/serving/cmd/activator + newName: gcr.io/knative-releases/knative.dev/serving/cmd/activator + digest: sha256:88d864eb3c47881cf7ac058479d1c735cc3cf4f07a11aad0621cd36dcd9ae3c6 +- name: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa + newName: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler-hpa + digest: sha256:a7801c3cf4edecfa51b7bd2068f97941f6714f7922cb4806245377c2b336b723 +- name: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler + newName: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler + digest: sha256:aeaacec4feedee309293ac21da13e71a05a2ad84b1d5fcc01ffecfa6cfbb2870 +- name: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio + newName: gcr.io/knative-releases/knative.dev/serving/cmd/networking/istio + digest: sha256:057c999bccfe32e9889616b571dc8d389c742ff66f0b5516bad651f05459b7bc +- name: gcr.io/knative-releases/knative.dev/serving/cmd/webhook + newName: gcr.io/knative-releases/knative.dev/serving/cmd/webhook + digest: sha256:c2076674618933df53e90cf9ddd17f5ddbad513b8c95e955e45e37be7ca9e0e8 +- name: gcr.io/knative-releases/knative.dev/serving/cmd/controller + newName: gcr.io/knative-releases/knative.dev/serving/cmd/controller + digest: sha256:3b096e55fa907cff53d37dadc5d20c29cea9bb18ed9e921a588fee17beb937df diff --git a/kustomize/knative-install/base/role-binding.yaml b/kustomize/knative-install/base/role-binding.yaml new file mode 100644 index 0000000..e5a6631 --- /dev/null +++ b/kustomize/knative-install/base/role-binding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + autoscaling.knative.dev/metric-provider: custom-metrics + serving.knative.dev/release: "v0.8.0" + name: custom-metrics-auth-reader + namespace: kube-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader +subjects: +- kind: ServiceAccount + name: controller + namespace: knative-serving + diff --git a/kustomize/knative-install/base/service-account.yaml b/kustomize/knative-install/base/service-account.yaml new file mode 100644 index 0000000..9713d5b --- /dev/null +++ b/kustomize/knative-install/base/service-account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + serving.knative.dev/release: "v0.8.0" + name: controller + namespace: knative-serving + diff --git a/kustomize/knative-install/base/service-role-binding.yaml b/kustomize/knative-install/base/service-role-binding.yaml new file mode 100644 index 0000000..3b131d1 --- /dev/null +++ b/kustomize/knative-install/base/service-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRoleBinding +metadata: + name: istio-service-role-binding + namespace: knative-serving +spec: + roleRef: + kind: ServiceRole + name: istio-service-role + subjects: + - user: '*' diff --git a/kustomize/knative-install/base/service-role.yaml b/kustomize/knative-install/base/service-role.yaml new file mode 100644 index 0000000..9a1591b --- /dev/null +++ b/kustomize/knative-install/base/service-role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.istio.io/v1alpha1 +kind: ServiceRole +metadata: + name: istio-service-role + namespace: knative-serving +spec: + rules: + - methods: + - '*' + services: + - '*' + + diff --git a/kustomize/knative-install/base/service.yaml b/kustomize/knative-install/base/service.yaml new file mode 100644 index 0000000..efaab9d --- /dev/null +++ b/kustomize/knative-install/base/service.yaml @@ -0,0 +1,87 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: activator + serving.knative.dev/release: "v0.8.0" + name: activator-service + namespace: knative-serving +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8012 + - name: http2 + port: 81 + protocol: TCP + targetPort: 8013 + - name: metrics + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: activator + type: ClusterIP + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: controller + serving.knative.dev/release: "v0.8.0" + name: controller + namespace: knative-serving +spec: + ports: + - name: metrics + port: 9090 + protocol: TCP + targetPort: 9090 + selector: + app: controller + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + role: webhook + serving.knative.dev/release: "v0.8.0" + name: webhook + namespace: knative-serving +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + role: webhook + +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: autoscaler + serving.knative.dev/release: "v0.8.0" + name: autoscaler + namespace: knative-serving +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + - name: metrics + port: 9090 + protocol: TCP + targetPort: 9090 + - name: custom-metrics + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app: autoscaler + +--- diff --git a/kustomize/knative-install/kustomization.yaml b/kustomize/knative-install/kustomization.yaml new file mode 100644 index 0000000..9e10e50 --- /dev/null +++ b/kustomize/knative-install/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: knative-serving-install + app.kubernetes.io/instance: knative-serving-install-v0.8.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: knative-serving-install + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.8.0 +kind: Kustomization +namespace: knative-serving +resources: +- overlays/application/application.yaml diff --git a/kustomize/knative-install/overlays/application/application.yaml b/kustomize/knative-install/overlays/application/application.yaml new file mode 100644 index 0000000..b8890c6 --- /dev/null +++ b/kustomize/knative-install/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: knative-serving-install +spec: + selector: + matchLabels: + app.kubernetes.io/name: knative-serving-install + app.kubernetes.io/instance: knative-serving-install-v0.8.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: knative-serving-install + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.8.0 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: knative-serving-install + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - knative-serving-install + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/knative-install/overlays/application/kustomization.yaml b/kustomize/knative-install/overlays/application/kustomization.yaml new file mode 100644 index 0000000..eaf725b --- /dev/null +++ b/kustomize/knative-install/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: knative-serving-install + app.kubernetes.io/instance: knative-serving-install-v0.8.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: knative-serving-install + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.8.0 diff --git a/kustomize/kubeflow-roles/OWNERS b/kustomize/kubeflow-roles/OWNERS new file mode 100644 index 0000000..08bb0d4 --- /dev/null +++ b/kustomize/kubeflow-roles/OWNERS @@ -0,0 +1,4 @@ +approvers: + - jlewi + - krishnadurai + - kunmingg diff --git a/kustomize/kubeflow-roles/README.md b/kustomize/kubeflow-roles/README.md new file mode 100644 index 0000000..cf75d02 --- /dev/null +++ b/kustomize/kubeflow-roles/README.md @@ -0,0 +1,70 @@ +# Default Kubeflow ClusterRoles + +This manifest package contains the default ClusterRoles Kubeflow uses for defining roles for Kubeflow user Profiles. +These roles are currently assigned to users by Profiles (profile-controller and kfam) Service with the help of Manage Users page in Central Dashboard. + +*Note*: `kfctl` assigns the default Kubernetes role `cluster-admin` to the user who deploys Kubeflow for the [GCP IAP configuration](https://github.com/kubeflow/manifests/blob/master/kfdef/kfctl_gcp_iap.yaml). + +## How to define role privileges for your Kubeflow application? +Each application defines its own ClusterRole for each role here in kubeflow-roles. We use [ClusterRole Aggregation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) for these application ClusterRoles to be aggregated to their corresponding Kubeflow roles. An example implementation showing the same can be found here: + +The example is taken from [istio manifests](istio/istio/base/cluster-roles.yaml). +``` +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-istio-admin: "true" +rules: +- apiGroups: ["istio.io"] + resources: ["*"] + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-istio-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: ["istio.io"] + resources: ["*"] + verbs: + - get + - list + - watch +``` + +Note the usage of labels in each ClusterRole to indicate ClusterRole Aggregation with Kubeflow ClusterRoles for this application. + +## Reference Links + +- [Define Kubeflow cluster role and combine roles](https://github.com/kubeflow/kubeflow/issues/3938) diff --git a/kustomize/kubeflow-roles/base/cluster-roles.yaml b/kustomize/kubeflow-roles/base/cluster-roles.yaml new file mode 100644 index 0000000..0d90b46 --- /dev/null +++ b/kustomize/kubeflow-roles/base/cluster-roles.yaml @@ -0,0 +1,335 @@ +--- + +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-admin +rules: [] + +--- + +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +rules: [] + +--- + +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-kubernetes-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +rules: +- apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + verbs: + - create +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-kubernetes-edit +rules: +- apiGroups: + - "" + resources: + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + - secrets + - services/proxy + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate +- apiGroups: + - "" + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - deletecollection + - patch + - update +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-kubernetes-view +rules: +- apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - services/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + verbs: + - get + - list + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - networkpolicies + verbs: + - get + - list + - watch diff --git a/kustomize/kubeflow-roles/base/kustomization.yaml b/kustomize/kubeflow-roles/base/kustomization.yaml new file mode 100644 index 0000000..f71ad0a --- /dev/null +++ b/kustomize/kubeflow-roles/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-roles.yaml diff --git a/kustomize/kubeflow-roles/kustomization.yaml b/kustomize/kubeflow-roles/kustomization.yaml new file mode 100644 index 0000000..4e745bd --- /dev/null +++ b/kustomize/kubeflow-roles/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +kind: Kustomization +namespace: kubeflow diff --git a/kustomize/metadata/OWNERS b/kustomize/metadata/OWNERS new file mode 100644 index 0000000..b8bf7ba --- /dev/null +++ b/kustomize/metadata/OWNERS @@ -0,0 +1,5 @@ +approvers: + - neuromage + - prodonjs + - rileyjbauer + - zhenghuiwang diff --git a/kustomize/metadata/base/grpc-params.env b/kustomize/metadata/base/grpc-params.env new file mode 100644 index 0000000..ce915f8 --- /dev/null +++ b/kustomize/metadata/base/grpc-params.env @@ -0,0 +1,2 @@ +METADATA_GRPC_SERVICE_HOST=metadata-grpc-service +METADATA_GRPC_SERVICE_PORT=8080 \ No newline at end of file diff --git a/kustomize/metadata/base/kustomization.yaml b/kustomize/metadata/base/kustomization.yaml new file mode 100644 index 0000000..21a5b86 --- /dev/null +++ b/kustomize/metadata/base/kustomization.yaml @@ -0,0 +1,66 @@ +namePrefix: metadata- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + kustomize.component: metadata +configMapGenerator: +- name: ui-parameters + env: params.env +- name: metadata-grpc-configmap + env: grpc-params.env +resources: +- metadata-deployment.yaml +- metadata-service.yaml +- metadata-ui-deployment.yaml +- metadata-ui-role.yaml +- metadata-ui-rolebinding.yaml +- metadata-ui-sa.yaml +- metadata-ui-service.yaml +- metadata-envoy-deployment.yaml +- metadata-envoy-service.yaml +namespace: kubeflow +vars: +- name: ui-namespace + objref: + kind: Service + name: ui + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +- name: ui-clusterDomain + objref: + kind: ConfigMap + name: ui-parameters + version: v1 + fieldref: + fieldpath: data.uiClusterDomain +- name: service + objref: + kind: Service + name: ui + apiVersion: v1 + fieldref: + fieldpath: metadata.name +- name: metadata-envoy-service + objref: + kind: Service + name: envoy-service + apiVersion: v1 + fieldref: + fieldpath: metadata.name +images: +- name: gcr.io/kubeflow-images-public/metadata + newName: gcr.io/kubeflow-images-public/metadata + newTag: v0.1.11 +- name: gcr.io/tfx-oss-public/ml_metadata_store_server + newName: gcr.io/tfx-oss-public/ml_metadata_store_server + newTag: 0.15.1 +- name: gcr.io/ml-pipeline/envoy + newName: gcr.io/ml-pipeline/envoy + newTag: metadata-grpc +- name: mysql + newName: mysql + newTag: 8.0.3 +- name: gcr.io/kubeflow-images-public/metadata-frontend + newName: gcr.io/kubeflow-images-public/metadata-frontend + newTag: v0.1.8 diff --git a/kustomize/metadata/base/metadata-deployment.yaml b/kustomize/metadata/base/metadata-deployment.yaml new file mode 100644 index 0000000..68c502d --- /dev/null +++ b/kustomize/metadata/base/metadata-deployment.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment + labels: + component: server +spec: + replicas: 1 + selector: + matchLabels: + component: server + template: + metadata: + labels: + component: server + spec: + containers: + - name: container + image: gcr.io/kubeflow-images-public/metadata:v0.1.11 + command: ["./server/server", + "--http_port=8080"] + ports: + - name: backendapi + containerPort: 8080 + + readinessProbe: + httpGet: + path: /api/v1alpha1/artifact_types + port: backendapi + httpHeaders: + - name: ContentType + value: application/json + initialDelaySeconds: 3 + periodSeconds: 5 + timeoutSeconds: 2 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grpc-deployment + labels: + component: grpc-server +spec: + replicas: 1 + selector: + matchLabels: + component: grpc-server + template: + metadata: + labels: + component: grpc-server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-grpc-configmap + image: gcr.io/tfx-oss-public/ml_metadata_store_server:0.15.1 + command: ["/bin/metadata_store_server"] + args: ["--grpc_port=$(METADATA_GRPC_SERVICE_PORT)"] + ports: + - name: grpc-backendapi + containerPort: 8080 #The value of the port number needs to be in sync with value specified in grpc-params.env diff --git a/kustomize/metadata/base/metadata-envoy-deployment.yaml b/kustomize/metadata/base/metadata-envoy-deployment.yaml new file mode 100644 index 0000000..c388a60 --- /dev/null +++ b/kustomize/metadata/base/metadata-envoy-deployment.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: envoy-deployment + labels: + component: envoy +spec: + replicas: 1 + selector: + matchLabels: + component: envoy + template: + metadata: + labels: + component: envoy + spec: + containers: + - name: container + image: gcr.io/ml-pipeline/envoy:metadata-grpc + ports: + - name: md-envoy + containerPort: 9090 + - name: envoy-admin + containerPort: 9901 diff --git a/kustomize/metadata/base/metadata-envoy-service.yaml b/kustomize/metadata/base/metadata-envoy-service.yaml new file mode 100644 index 0000000..16beb98 --- /dev/null +++ b/kustomize/metadata/base/metadata-envoy-service.yaml @@ -0,0 +1,14 @@ +kind: Service +apiVersion: v1 +metadata: + labels: + app: metadata + name: envoy-service +spec: + selector: + component: envoy + type: ClusterIP + ports: + - port: 9090 + protocol: TCP + name: md-envoy diff --git a/kustomize/metadata/base/metadata-service.yaml b/kustomize/metadata/base/metadata-service.yaml new file mode 100644 index 0000000..63650b4 --- /dev/null +++ b/kustomize/metadata/base/metadata-service.yaml @@ -0,0 +1,29 @@ +kind: Service +apiVersion: v1 +metadata: + labels: + app: metadata + name: service +spec: + selector: + component: server + type: ClusterIP + ports: + - port: 8080 + protocol: TCP + name: backendapi +--- +kind: Service +apiVersion: v1 +metadata: + labels: + app: grpc-metadata + name: grpc-service +spec: + selector: + component: grpc-server + type: ClusterIP + ports: + - port: 8080 + protocol: TCP + name: grpc-backendapi diff --git a/kustomize/metadata/base/metadata-ui-deployment.yaml b/kustomize/metadata/base/metadata-ui-deployment.yaml new file mode 100644 index 0000000..bfd9112 --- /dev/null +++ b/kustomize/metadata/base/metadata-ui-deployment.yaml @@ -0,0 +1,24 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ui + labels: + app: metadata-ui +spec: + selector: + matchLabels: + app: metadata-ui + template: + metadata: + name: ui + labels: + app: metadata-ui + spec: + containers: + - image: gcr.io/kubeflow-images-public/metadata-frontend:v0.1.8 + imagePullPolicy: IfNotPresent + name: metadata-ui + ports: + - containerPort: 3000 + serviceAccountName: ui + diff --git a/kustomize/metadata/base/metadata-ui-role.yaml b/kustomize/metadata/base/metadata-ui-role.yaml new file mode 100644 index 0000000..a0b45cd --- /dev/null +++ b/kustomize/metadata/base/metadata-ui-role.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: metadata-ui + name: ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - create + - get + - list +- apiGroups: + - "kubeflow.org" + resources: + - viewers + verbs: + - create + - get + - list + - watch + - delete diff --git a/kustomize/metadata/base/metadata-ui-rolebinding.yaml b/kustomize/metadata/base/metadata-ui-rolebinding.yaml new file mode 100644 index 0000000..23c5a0e --- /dev/null +++ b/kustomize/metadata/base/metadata-ui-rolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: metadata-ui + name: ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ui +subjects: +- kind: ServiceAccount + name: ui + namespace: kubeflow diff --git a/kustomize/metadata/base/metadata-ui-sa.yaml b/kustomize/metadata/base/metadata-ui-sa.yaml new file mode 100644 index 0000000..8d7a53a --- /dev/null +++ b/kustomize/metadata/base/metadata-ui-sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ui diff --git a/kustomize/metadata/base/metadata-ui-service.yaml b/kustomize/metadata/base/metadata-ui-service.yaml new file mode 100644 index 0000000..e7a4afa --- /dev/null +++ b/kustomize/metadata/base/metadata-ui-service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: ui + labels: + app: metadata-ui +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: metadata-ui diff --git a/kustomize/metadata/base/params.env b/kustomize/metadata/base/params.env new file mode 100644 index 0000000..def9236 --- /dev/null +++ b/kustomize/metadata/base/params.env @@ -0,0 +1 @@ +uiClusterDomain=cluster.local diff --git a/kustomize/metadata/kustomization.yaml b/kustomize/metadata/kustomization.yaml new file mode 100644 index 0000000..e28c730 --- /dev/null +++ b/kustomize/metadata/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: metadata + app.kubernetes.io/instance: metadata-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: metadata + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/istio/virtual-service.yaml +- overlays/istio/virtual-service-metadata-grpc.yaml +- overlays/application/application.yaml diff --git a/kustomize/metadata/overlays/application/application.yaml b/kustomize/metadata/overlays/application/application.yaml new file mode 100644 index 0000000..b2fec21 --- /dev/null +++ b/kustomize/metadata/overlays/application/application.yaml @@ -0,0 +1,40 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: metadata +spec: + selector: + matchLabels: + app.kubernetes.io/name: metadata + app.kubernetes.io/instance: metadata-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: metadata + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ConfigMap + - group: core + kind: ServiceAccount + descriptor: + type: "metadata" + version: "alpha" + description: "Tracking and managing metadata of machine learning workflows in Kubeflow." + maintainers: + - name: Zhenghui Wang + email: zhenghui@google.com + owners: + - name: Ajay Gopinathan + email: ajaygopinathan@google.com + - name: Zhenghui Wang + email: zhenghui@google.com + keywords: + - "metadata" + links: + - description: Docs + url: "https://www.kubeflow.org/docs/components/misc/metadata/" + addOwnerRef: true diff --git a/kustomize/metadata/overlays/application/kustomization.yaml b/kustomize/metadata/overlays/application/kustomization.yaml new file mode 100644 index 0000000..d42feb2 --- /dev/null +++ b/kustomize/metadata/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: metadata + app.kubernetes.io/instance: metadata-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: metadata + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/metadata/overlays/db/kustomization.yaml b/kustomize/metadata/overlays/db/kustomization.yaml new file mode 100644 index 0000000..32bb9f4 --- /dev/null +++ b/kustomize/metadata/overlays/db/kustomization.yaml @@ -0,0 +1,34 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + kustomize.component: metadata +namespace: kubeflow +generatorOptions: + # name suffix hash is not propagated correctly to base resources + disableNameSuffixHash: true +configMapGenerator: +- name: metadata-db-parameters + env: params.env +secretGenerator: +- name: metadata-db-secrets + env: secrets.env +bases: +- ../../base +resources: +- metadata-db-pvc.yaml +- metadata-db-deployment.yaml +- metadata-db-service.yaml +patchesStrategicMerge: +- metadata-deployment.yaml +images: +- name: mysql + newName: mysql + newTag: 8.0.3 +vars: +- name: metadata-db-service + objref: + kind: Service + name: metadata-db + apiVersion: v1 + fieldref: + fieldpath: metadata.name \ No newline at end of file diff --git a/kustomize/metadata/overlays/db/metadata-db-deployment.yaml b/kustomize/metadata/overlays/db/metadata-db-deployment.yaml new file mode 100644 index 0000000..9a50a24 --- /dev/null +++ b/kustomize/metadata/overlays/db/metadata-db-deployment.yaml @@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: metadata-db + labels: + component: db +spec: + selector: + matchLabels: + component: db + replicas: 1 + template: + metadata: + name: db + labels: + component: db + spec: + containers: + - name: db-container + image: mysql:8.0.3 + args: + - --datadir + - /var/lib/mysql/datadir + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + ports: + - name: dbapi + containerPort: 3306 + readinessProbe: + exec: + command: + - "/bin/bash" + - "-c" + - "mysql -D $$MYSQL_DATABASE -p$$MYSQL_ROOT_PASSWORD -e 'SELECT 1'" + initialDelaySeconds: 5 + periodSeconds: 2 + timeoutSeconds: 1 + volumeMounts: + - name: metadata-mysql + mountPath: /var/lib/mysql + volumes: + - name: metadata-mysql + persistentVolumeClaim: + claimName: metadata-mysql diff --git a/kustomize/metadata/overlays/db/metadata-db-pvc.yaml b/kustomize/metadata/overlays/db/metadata-db-pvc.yaml new file mode 100644 index 0000000..b1c083d --- /dev/null +++ b/kustomize/metadata/overlays/db/metadata-db-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: metadata-mysql +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi diff --git a/kustomize/metadata/overlays/db/metadata-db-service.yaml b/kustomize/metadata/overlays/db/metadata-db-service.yaml new file mode 100644 index 0000000..b7a6401 --- /dev/null +++ b/kustomize/metadata/overlays/db/metadata-db-service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: metadata-db + labels: + component: db +spec: + type: ClusterIP + ports: + - port: 3306 + protocol: TCP + name: dbapi + selector: + component: db diff --git a/kustomize/metadata/overlays/db/metadata-deployment.yaml b/kustomize/metadata/overlays/db/metadata-deployment.yaml new file mode 100644 index 0000000..c517b04 --- /dev/null +++ b/kustomize/metadata/overlays/db/metadata-deployment.yaml @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment + labels: + component: server +spec: + replicas: 1 + selector: + matchLabels: + component: server + template: + metadata: + labels: + component: server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + command: ["./server/server", + "--http_port=8080", + "--mysql_service_host=$(metadata-db-service)", + "--mysql_service_port=$(MYSQL_PORT)", + "--mysql_service_user=$(MYSQL_USER_NAME)", + "--mysql_service_password=$(MYSQL_ROOT_PASSWORD)", + "--mlmd_db_name=$(MYSQL_DATABASE)"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grpc-deployment + labels: + component: grpc-server +spec: + replicas: 1 + selector: + matchLabels: + component: grpc-server + template: + metadata: + labels: + component: grpc-server + spec: + containers: + - name: container + envFrom: + - configMapRef: + name: metadata-db-parameters + - secretRef: + name: metadata-db-secrets + - configMapRef: + name: metadata-grpc-configmap + args: ["--grpc_port=$(METADATA_GRPC_SERVICE_PORT)", + "--mysql_config_host=$(metadata-db-service)", + "--mysql_config_database=$(MYSQL_DATABASE)", + "--mysql_config_port=$(MYSQL_PORT)", + "--mysql_config_user=$(MYSQL_USER_NAME)", + "--mysql_config_password=$(MYSQL_ROOT_PASSWORD)" + ] \ No newline at end of file diff --git a/kustomize/metadata/overlays/db/params.env b/kustomize/metadata/overlays/db/params.env new file mode 100644 index 0000000..5ab2adb --- /dev/null +++ b/kustomize/metadata/overlays/db/params.env @@ -0,0 +1,3 @@ +MYSQL_DATABASE=metadb +MYSQL_PORT=3306 +MYSQL_ALLOW_EMPTY_PASSWORD=true \ No newline at end of file diff --git a/kustomize/metadata/overlays/db/secrets.env b/kustomize/metadata/overlays/db/secrets.env new file mode 100644 index 0000000..44ac2ee --- /dev/null +++ b/kustomize/metadata/overlays/db/secrets.env @@ -0,0 +1,2 @@ +MYSQL_USER_NAME=root +MYSQL_ROOT_PASSWORD=test \ No newline at end of file diff --git a/kustomize/metadata/overlays/ibm-storage-config/kustomization.yaml b/kustomize/metadata/overlays/ibm-storage-config/kustomization.yaml new file mode 100644 index 0000000..d9f7b8e --- /dev/null +++ b/kustomize/metadata/overlays/ibm-storage-config/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +images: + - name: mysql + newTag: "5.6" + newName: mysql diff --git a/kustomize/metadata/overlays/istio/kustomization.yaml b/kustomize/metadata/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..8ce7379 --- /dev/null +++ b/kustomize/metadata/overlays/istio/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +- virtual-service-metadata-grpc.yaml +configurations: +- params.yaml diff --git a/kustomize/metadata/overlays/istio/params.yaml b/kustomize/metadata/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/metadata/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/metadata/overlays/istio/virtual-service-metadata-grpc.yaml b/kustomize/metadata/overlays/istio/virtual-service-metadata-grpc.yaml new file mode 100644 index 0000000..ee316ed --- /dev/null +++ b/kustomize/metadata/overlays/istio/virtual-service-metadata-grpc.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: metadata-grpc +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /ml_metadata + rewrite: + uri: /ml_metadata + route: + - destination: + host: $(metadata-envoy-service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 9090 + timeout: 300s diff --git a/kustomize/metadata/overlays/istio/virtual-service.yaml b/kustomize/metadata/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..49b58fb --- /dev/null +++ b/kustomize/metadata/overlays/istio/virtual-service.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: metadata-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /metadata + rewrite: + uri: /metadata + route: + - destination: + host: $(service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 80 + timeout: 300s diff --git a/kustomize/minio/base/deployment.yaml b/kustomize/minio/base/deployment.yaml new file mode 100644 index 0000000..20da439 --- /dev/null +++ b/kustomize/minio/base/deployment.yaml @@ -0,0 +1,30 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio +spec: + strategy: + type: Recreate + template: + spec: + containers: + - name: minio + args: + - server + - /data + env: + - name: MINIO_ACCESS_KEY + value: minio + - name: MINIO_SECRET_KEY + value: minio123 + image: minio/minio:RELEASE.2018-02-09T22-40-05Z + ports: + - containerPort: 9000 + volumeMounts: + - mountPath: /data + name: data + subPath: minio + volumes: + - name: data + persistentVolumeClaim: + claimName: $(minioPvcName) diff --git a/kustomize/minio/base/kustomization.yaml b/kustomize/minio/base/kustomization.yaml new file mode 100644 index 0000000..fb5241d --- /dev/null +++ b/kustomize/minio/base/kustomization.yaml @@ -0,0 +1,28 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + app: minio +resources: +- deployment.yaml +- secret.yaml +- service.yaml +- persistent-volume-claim.yaml +configMapGenerator: +- name: pipeline-minio-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: minioPvcName + objref: + kind: ConfigMap + name: pipeline-minio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.minioPvcName +images: +- name: minio/minio + newTag: RELEASE.2018-02-09T22-40-05Z + newName: minio/minio +configurations: +- params.yaml diff --git a/kustomize/minio/base/params.env b/kustomize/minio/base/params.env new file mode 100644 index 0000000..b5b9a6f --- /dev/null +++ b/kustomize/minio/base/params.env @@ -0,0 +1 @@ +minioPvcName=minio-pv-claim diff --git a/kustomize/minio/base/params.yaml b/kustomize/minio/base/params.yaml new file mode 100644 index 0000000..5f19982 --- /dev/null +++ b/kustomize/minio/base/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: Deployment +- path: metadata/name + kind: PersistentVolumeClaim \ No newline at end of file diff --git a/kustomize/minio/base/persistent-volume-claim.yaml b/kustomize/minio/base/persistent-volume-claim.yaml new file mode 100644 index 0000000..4b4cf71 --- /dev/null +++ b/kustomize/minio/base/persistent-volume-claim.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: $(minioPvcName) +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi diff --git a/kustomize/minio/base/secret.yaml b/kustomize/minio/base/secret.yaml new file mode 100644 index 0000000..3ae64f1 --- /dev/null +++ b/kustomize/minio/base/secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + accesskey: bWluaW8= + secretkey: bWluaW8xMjM= +kind: Secret +metadata: + name: mlpipeline-minio-artifact +type: Opaque diff --git a/kustomize/minio/base/service.yaml b/kustomize/minio/base/service.yaml new file mode 100644 index 0000000..f49cf52 --- /dev/null +++ b/kustomize/minio/base/service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: minio-service +spec: + ports: + - port: 9000 + protocol: TCP + targetPort: 9000 + selector: + app: minio diff --git a/kustomize/minio/kustomization.yaml b/kustomize/minio/kustomization.yaml new file mode 100644 index 0000000..4531404 --- /dev/null +++ b/kustomize/minio/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: minio + app.kubernetes.io/instance: minio-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: minio + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/minio/overlays/application/application.yaml b/kustomize/minio/overlays/application/application.yaml new file mode 100644 index 0000000..50a950c --- /dev/null +++ b/kustomize/minio/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: minio +spec: + selector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: minio + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: minio + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - minio + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/minio/overlays/application/kustomization.yaml b/kustomize/minio/overlays/application/kustomization.yaml new file mode 100644 index 0000000..17246b4 --- /dev/null +++ b/kustomize/minio/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: minio + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/minio/overlays/minioPd/kustomization.yaml b/kustomize/minio/overlays/minioPd/kustomization.yaml new file mode 100644 index 0000000..e4c0d3a --- /dev/null +++ b/kustomize/minio/overlays/minioPd/kustomization.yaml @@ -0,0 +1,31 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- persistent-volume.yaml +patchesStrategicMerge: +- persistent-volume-claim.yaml +configMapGenerator: +- name: pipeline-minio-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: minioPd + objref: + kind: ConfigMap + name: pipeline-minio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.minioPd +- name: minioPvName + objref: + kind: ConfigMap + name: pipeline-minio-parameters + apiVersion: v1 + fieldref: + fieldpath: data.minioPvName +configurations: +- params.yaml diff --git a/kustomize/minio/overlays/minioPd/params.env b/kustomize/minio/overlays/minioPd/params.env new file mode 100644 index 0000000..cc3d9a5 --- /dev/null +++ b/kustomize/minio/overlays/minioPd/params.env @@ -0,0 +1,2 @@ +minioPd=dls-kf-storage-artifact-store +minioPvName= diff --git a/kustomize/minio/overlays/minioPd/params.yaml b/kustomize/minio/overlays/minioPd/params.yaml new file mode 100644 index 0000000..ab22818 --- /dev/null +++ b/kustomize/minio/overlays/minioPd/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: spec/gcePersistentDisk/pdName + kind: PersistentVolume +- path: metadata/name + kind: PersistentVolume +- path: spec/volumeName + kind: PersistentVolumeClaim +- path: metadata/name + kind: PersistentVolumeClaim diff --git a/kustomize/minio/overlays/minioPd/persistent-volume-claim.yaml b/kustomize/minio/overlays/minioPd/persistent-volume-claim.yaml new file mode 100644 index 0000000..44b1f68 --- /dev/null +++ b/kustomize/minio/overlays/minioPd/persistent-volume-claim.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: $(minioPvcName) +spec: + volumeName: $(minioPvName) + storageClassName: "" \ No newline at end of file diff --git a/kustomize/minio/overlays/minioPd/persistent-volume.yaml b/kustomize/minio/overlays/minioPd/persistent-volume.yaml new file mode 100644 index 0000000..e8edd40 --- /dev/null +++ b/kustomize/minio/overlays/minioPd/persistent-volume.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: $(minioPvName) +spec: + capacity: + storage: 20Gi + accessModes: + - ReadWriteOnce + gcePersistentDisk: + pdName: $(minioPd) + fsType: ext4 diff --git a/kustomize/mysql/base/deployment.yaml b/kustomize/mysql/base/deployment.yaml new file mode 100644 index 0000000..185b12f --- /dev/null +++ b/kustomize/mysql/base/deployment.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mysql +spec: + strategy: + type: Recreate + template: + spec: + containers: + - name: mysql + env: + - name: MYSQL_ALLOW_EMPTY_PASSWORD + value: "true" + image: mysql:5.6 + ports: + - containerPort: 3306 + name: mysql + volumeMounts: + - mountPath: /var/lib/mysql + name: mysql-persistent-storage + volumes: + - name: mysql-persistent-storage + persistentVolumeClaim: + claimName: $(mysqlPvcName) diff --git a/kustomize/mysql/base/kustomization.yaml b/kustomize/mysql/base/kustomization.yaml new file mode 100644 index 0000000..5133fdd --- /dev/null +++ b/kustomize/mysql/base/kustomization.yaml @@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + app: mysql +resources: +- deployment.yaml +- service.yaml +- persistent-volume-claim.yaml +configMapGenerator: +- name: pipeline-mysql-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: mysqlPvcName + objref: + kind: ConfigMap + name: pipeline-mysql-parameters + apiVersion: v1 + fieldref: + fieldpath: data.mysqlPvcName +images: +- name: mysql + newTag: '5.6' + newName: mysql +configurations: +- params.yaml diff --git a/kustomize/mysql/base/params.env b/kustomize/mysql/base/params.env new file mode 100644 index 0000000..683a665 --- /dev/null +++ b/kustomize/mysql/base/params.env @@ -0,0 +1 @@ +mysqlPvcName=mysql-pv-claim diff --git a/kustomize/mysql/base/params.yaml b/kustomize/mysql/base/params.yaml new file mode 100644 index 0000000..5f19982 --- /dev/null +++ b/kustomize/mysql/base/params.yaml @@ -0,0 +1,5 @@ +varReference: +- path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: Deployment +- path: metadata/name + kind: PersistentVolumeClaim \ No newline at end of file diff --git a/kustomize/mysql/base/persistent-volume-claim.yaml b/kustomize/mysql/base/persistent-volume-claim.yaml new file mode 100644 index 0000000..7f0b916 --- /dev/null +++ b/kustomize/mysql/base/persistent-volume-claim.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: $(mysqlPvcName) +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 20Gi \ No newline at end of file diff --git a/kustomize/mysql/base/service.yaml b/kustomize/mysql/base/service.yaml new file mode 100644 index 0000000..65250ec --- /dev/null +++ b/kustomize/mysql/base/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: mysql +spec: + ports: + - port: 3306 diff --git a/kustomize/mysql/kustomization.yaml b/kustomize/mysql/kustomization.yaml new file mode 100644 index 0000000..d386cc1 --- /dev/null +++ b/kustomize/mysql/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: mysql + app.kubernetes.io/instance: mysql-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: mysql + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/mysql/overlays/application/application.yaml b/kustomize/mysql/overlays/application/application.yaml new file mode 100644 index 0000000..ff022ad --- /dev/null +++ b/kustomize/mysql/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: mysql +spec: + selector: + matchLabels: + app.kubernetes.io/name: mysql + app.kubernetes.io/instance: mysql-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: mysql + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: mysql + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - mysql + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/mysql/overlays/application/kustomization.yaml b/kustomize/mysql/overlays/application/kustomization.yaml new file mode 100644 index 0000000..a4f5b43 --- /dev/null +++ b/kustomize/mysql/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: mysql + app.kubernetes.io/instance: mysql-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: mysql + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/mysql/overlays/mysqlPd/kustomization.yaml b/kustomize/mysql/overlays/mysqlPd/kustomization.yaml new file mode 100644 index 0000000..b0989f7 --- /dev/null +++ b/kustomize/mysql/overlays/mysqlPd/kustomization.yaml @@ -0,0 +1,31 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- persistent-volume.yaml +patchesStrategicMerge: +- persistent-volume-claim.yaml +configMapGenerator: +- name: pipeline-mysql-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: mysqlPd + objref: + kind: ConfigMap + name: pipeline-mysql-parameters + apiVersion: v1 + fieldref: + fieldpath: data.mysqlPd +- name: mysqlPvName + objref: + kind: ConfigMap + name: pipeline-mysql-parameters + apiVersion: v1 + fieldref: + fieldpath: data.mysqlPvName +configurations: +- params.yaml diff --git a/kustomize/mysql/overlays/mysqlPd/params.env b/kustomize/mysql/overlays/mysqlPd/params.env new file mode 100644 index 0000000..cb0ad4a --- /dev/null +++ b/kustomize/mysql/overlays/mysqlPd/params.env @@ -0,0 +1,2 @@ +mysqlPd=dls-kf-storage-metadata-store +mysqlPvName= diff --git a/kustomize/mysql/overlays/mysqlPd/params.yaml b/kustomize/mysql/overlays/mysqlPd/params.yaml new file mode 100644 index 0000000..00d90cb --- /dev/null +++ b/kustomize/mysql/overlays/mysqlPd/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: spec/gcePersistentDisk/pdName + kind: PersistentVolume +- path: metadata/name + kind: PersistentVolume +- path: metadata/name + kind: PersistentVolumeClaim +- path: spec/volumeName + kind: PersistentVolumeClaim diff --git a/kustomize/mysql/overlays/mysqlPd/persistent-volume-claim.yaml b/kustomize/mysql/overlays/mysqlPd/persistent-volume-claim.yaml new file mode 100644 index 0000000..719f7da --- /dev/null +++ b/kustomize/mysql/overlays/mysqlPd/persistent-volume-claim.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: $(mysqlPvcName) +spec: + storageClassName: "" + volumeName: $(mysqlPvName) diff --git a/kustomize/mysql/overlays/mysqlPd/persistent-volume.yaml b/kustomize/mysql/overlays/mysqlPd/persistent-volume.yaml new file mode 100644 index 0000000..0929775 --- /dev/null +++ b/kustomize/mysql/overlays/mysqlPd/persistent-volume.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: $(mysqlPvName) +spec: + capacity: + storage: 20Gi + accessModes: + - ReadWriteOnce + gcePersistentDisk: + pdName: $(mysqlPd) + fsType: ext4 diff --git a/kustomize/notebook-controller/base/cluster-role-binding.yaml b/kustomize/notebook-controller/base/cluster-role-binding.yaml new file mode 100644 index 0000000..a1a3945 --- /dev/null +++ b/kustomize/notebook-controller/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: role +subjects: +- kind: ServiceAccount + name: service-account diff --git a/kustomize/notebook-controller/base/cluster-role.yaml b/kustomize/notebook-controller/base/cluster-role.yaml new file mode 100644 index 0000000..16b6253 --- /dev/null +++ b/kustomize/notebook-controller/base/cluster-role.yaml @@ -0,0 +1,107 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: role +rules: +- apiGroups: + - apps + resources: + - statefulsets + - deployments + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - '*' +- apiGroups: + - "" + resources: + - events + verbs: + - get + - list + - watch + - create +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + - notebooks/finalizers + verbs: + - '*' +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - '*' + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-notebooks-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-notebooks-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-notebooks-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-notebooks-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/status + verbs: + - get + - list + - watch diff --git a/kustomize/notebook-controller/base/crd.yaml b/kustomize/notebook-controller/base/crd.yaml new file mode 100644 index 0000000..5d8f982 --- /dev/null +++ b/kustomize/notebook-controller/base/crd.yaml @@ -0,0 +1,68 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: notebooks.kubeflow.org +spec: + group: kubeflow.org + names: + kind: Notebook + plural: notebooks + singular: notebook + scope: Namespaced + subresources: + status: {} + versions: + - name: v1alpha1 + served: true + storage: false + - name: v1beta1 + served: true + storage: true + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + template: + description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster + Important: Run "make" to regenerate code after modifying this file' + properties: + spec: + type: object + type: object + type: object + status: + properties: + conditions: + description: Conditions is an array of current conditions + items: + properties: + type: + description: Type of the confition/ + type: string + required: + - type + type: object + type: array + required: + - conditions + type: object +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + diff --git a/kustomize/notebook-controller/base/deployment.yaml b/kustomize/notebook-controller/base/deployment.yaml new file mode 100644 index 0000000..1b425c9 --- /dev/null +++ b/kustomize/notebook-controller/base/deployment.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + image: gcr.io/kubeflow-images-public/notebook-controller:v20190614-v0-160-g386f2749-e3b0c4 + command: + - /manager + env: + - name: USE_ISTIO + value: "false" + - name: POD_LABELS + value: $(POD_LABELS) + imagePullPolicy: Always + serviceAccountName: service-account diff --git a/kustomize/notebook-controller/base/kustomization.yaml b/kustomize/notebook-controller/base/kustomization.yaml new file mode 100644 index 0000000..98d5e29 --- /dev/null +++ b/kustomize/notebook-controller/base/kustomization.yaml @@ -0,0 +1,45 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- crd.yaml +- deployment.yaml +- service-account.yaml +- service.yaml +namePrefix: notebook-controller- +namespace: kubeflow +commonLabels: + app: notebook-controller + kustomize.component: notebook-controller +images: +- name: gcr.io/kubeflow-images-public/notebook-controller + newName: gcr.io/kubeflow-images-public/notebook-controller + digest: sha256:c40226ca344f9e7325622492de62a86ff2b8ba9cc0e49d36369dd9e613d8ef78 +configMapGenerator: +- name: parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: POD_LABELS + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.POD_LABELS +- name: USE_ISTIO + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.USE_ISTIO +- name: ISTIO_GATEWAY + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.ISTIO_GATEWAY diff --git a/kustomize/notebook-controller/base/params.env b/kustomize/notebook-controller/base/params.env new file mode 100644 index 0000000..b746a4f --- /dev/null +++ b/kustomize/notebook-controller/base/params.env @@ -0,0 +1,3 @@ +POD_LABELS=gcp-cred-secret=user-gcp-sa,gcp-cred-secret-filename=user-gcp-sa.json +USE_ISTIO=false +ISTIO_GATEWAY=kubeflow/kubeflow-gateway diff --git a/kustomize/notebook-controller/base/service-account.yaml b/kustomize/notebook-controller/base/service-account.yaml new file mode 100644 index 0000000..a36cbd8 --- /dev/null +++ b/kustomize/notebook-controller/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-account diff --git a/kustomize/notebook-controller/base/service.yaml b/kustomize/notebook-controller/base/service.yaml new file mode 100644 index 0000000..c7368f9 --- /dev/null +++ b/kustomize/notebook-controller/base/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: service +spec: + ports: + - port: 443 diff --git a/kustomize/notebook-controller/kustomization.yaml b/kustomize/notebook-controller/kustomization.yaml new file mode 100644 index 0000000..23f1956 --- /dev/null +++ b/kustomize/notebook-controller/kustomization.yaml @@ -0,0 +1,22 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/instance: notebook-controller-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: notebook-controller + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +configMapGenerator: +- behavior: merge + env: overlays/istio/params.env + name: parameters +generatorOptions: + disableNameSuffixHash: true +kind: Kustomization +namespace: kubeflow +patchesStrategicMerge: +- overlays/istio/deployment.yaml +resources: +- overlays/application/application.yaml diff --git a/kustomize/notebook-controller/overlays/application/application.yaml b/kustomize/notebook-controller/overlays/application/application.yaml new file mode 100644 index 0000000..af489e4 --- /dev/null +++ b/kustomize/notebook-controller/overlays/application/application.yaml @@ -0,0 +1,39 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: notebook-controller +spec: + selector: + matchLabels: + app.kubernetes.io/name: notebook-controller + app.kubernetes.io/instance: notebook-controller-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + descriptor: + type: notebook-controller + version: v1beta1 + description: Notebooks controller allows users to create a custom resource \"Notebook\" (jupyter notebook). + maintainers: + - name: Lun-kai Hsu + email: lunkai@google.com + owners: + - name: Lun-kai Hsu + email: lunkai@gogle.com + keywords: + - jupyter + - notebook + - notebook-controller + - jupyterhub + links: + - description: About + url: "https://github.com/kubeflow/kubeflow/tree/master/components/notebook-controller" + addOwnerRef: true diff --git a/kustomize/notebook-controller/overlays/application/kustomization.yaml b/kustomize/notebook-controller/overlays/application/kustomization.yaml new file mode 100644 index 0000000..c49b3ac --- /dev/null +++ b/kustomize/notebook-controller/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: notebook-controller + app.kubernetes.io/instance: notebook-controller-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: notebook-controller + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/notebook-controller/overlays/istio/deployment.yaml b/kustomize/notebook-controller/overlays/istio/deployment.yaml new file mode 100644 index 0000000..bd18f5d --- /dev/null +++ b/kustomize/notebook-controller/overlays/istio/deployment.yaml @@ -0,0 +1,14 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + env: + - name: USE_ISTIO + value: $(USE_ISTIO) + - name: ISTIO_GATEWAY + value: $(ISTIO_GATEWAY) diff --git a/kustomize/notebook-controller/overlays/istio/kustomization.yaml b/kustomize/notebook-controller/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..7184bcd --- /dev/null +++ b/kustomize/notebook-controller/overlays/istio/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml +configMapGenerator: +- name: parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true diff --git a/kustomize/notebook-controller/overlays/istio/params.env b/kustomize/notebook-controller/overlays/istio/params.env new file mode 100644 index 0000000..5fa0007 --- /dev/null +++ b/kustomize/notebook-controller/overlays/istio/params.env @@ -0,0 +1,2 @@ +USE_ISTIO=true +ISTIO_GATEWAY=kubeflow/kubeflow-gateway diff --git a/kustomize/oidc-authservice/base/envoy-filter.yaml b/kustomize/oidc-authservice/base/envoy-filter.yaml new file mode 100644 index 0000000..eb2e141 --- /dev/null +++ b/kustomize/oidc-authservice/base/envoy-filter.yaml @@ -0,0 +1,32 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: authn-filter +spec: + workloadLabels: + istio: ingressgateway + filters: + - filterConfig: + httpService: + serverUri: + uri: http://authservice.$(namespace).svc.cluster.local + cluster: outbound|8080||authservice.$(namespace).svc.cluster.local + failureModeAllow: false + timeout: 10s + authorizationRequest: + allowedHeaders: + patterns: + - exact: "cookie" + - exact: "X-Auth-Token" + authorizationResponse: + allowedUpstreamHeaders: + patterns: + - exact: "kubeflow-userid" + statusOnError: + code: GatewayTimeout + filterName: envoy.ext_authz + filterType: HTTP + insertPosition: + index: FIRST + listenerMatch: + listenerType: GATEWAY diff --git a/kustomize/oidc-authservice/base/kustomization.yaml b/kustomize/oidc-authservice/base/kustomization.yaml new file mode 100644 index 0000000..d687359 --- /dev/null +++ b/kustomize/oidc-authservice/base/kustomization.yaml @@ -0,0 +1,87 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- service.yaml +- statefulset.yaml +- envoy-filter.yaml +- pvc.yaml + +namespace: istio-system + +configMapGenerator: +- name: oidc-authservice-parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true + +vars: +- name: client_id + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.client_id +- name: oidc_provider + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.oidc_provider +- name: oidc_redirect_uri + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.oidc_redirect_uri +- name: oidc_auth_url + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.oidc_auth_url +- name: application_secret + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.application_secret +- name: skip_auth_uri + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.skip_auth_uri +- name: userid-header + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.userid-header +- name: userid-prefix + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.userid-prefix +- name: namespace + objref: + kind: ConfigMap + name: oidc-authservice-parameters + apiVersion: v1 + fieldref: + fieldpath: data.namespace +configurations: +- params.yaml +images: +- name: gcr.io/arrikto/kubeflow/oidc-authservice + newName: gcr.io/arrikto/kubeflow/oidc-authservice + newTag: 28c59ef diff --git a/kustomize/oidc-authservice/base/params.env b/kustomize/oidc-authservice/base/params.env new file mode 100644 index 0000000..eeaa18c --- /dev/null +++ b/kustomize/oidc-authservice/base/params.env @@ -0,0 +1,9 @@ +client_id=kubeflow-oidc-authservice +oidc_provider=http://dex.auth.svc.cluster.local:5556/dex +oidc_redirect_uri=/login/oidc +oidc_auth_url=/dex/auth +application_secret=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok +skip_auth_uri=/dex +userid-header=kubeflow-userid +userid-prefix= +namespace=istio-system diff --git a/kustomize/oidc-authservice/base/params.yaml b/kustomize/oidc-authservice/base/params.yaml new file mode 100644 index 0000000..a988916 --- /dev/null +++ b/kustomize/oidc-authservice/base/params.yaml @@ -0,0 +1,7 @@ +varReference: +- path: spec/template/spec/containers/env/value + kind: StatefulSet +- path: spec/filters/filterConfig/httpService/serverUri/uri + kind: EnvoyFilter +- path: spec/filters/filterConfig/httpService/serverUri/cluster + kind: EnvoyFilter \ No newline at end of file diff --git a/kustomize/oidc-authservice/base/pvc.yaml b/kustomize/oidc-authservice/base/pvc.yaml new file mode 100644 index 0000000..da2f06b --- /dev/null +++ b/kustomize/oidc-authservice/base/pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: authservice-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi \ No newline at end of file diff --git a/kustomize/oidc-authservice/base/service.yaml b/kustomize/oidc-authservice/base/service.yaml new file mode 100644 index 0000000..72dbda0 --- /dev/null +++ b/kustomize/oidc-authservice/base/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: authservice +spec: + type: ClusterIP + selector: + app: authservice + ports: + - port: 8080 + name: http-authservice + targetPort: http-api + publishNotReadyAddresses: true \ No newline at end of file diff --git a/kustomize/oidc-authservice/base/statefulset.yaml b/kustomize/oidc-authservice/base/statefulset.yaml new file mode 100644 index 0000000..4a85d3d --- /dev/null +++ b/kustomize/oidc-authservice/base/statefulset.yaml @@ -0,0 +1,62 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: authservice +spec: + replicas: 1 + selector: + matchLabels: + app: authservice + serviceName: authservice + template: + metadata: + annotations: + sidecar.istio.io/inject: "false" + labels: + app: authservice + spec: + containers: + - name: authservice + image: gcr.io/arrikto/kubeflow/oidc-authservice:6ac9400 + imagePullPolicy: Always + ports: + - name: http-api + containerPort: 8080 + env: + - name: USERID_HEADER + value: $(userid-header) + - name: USERID_PREFIX + value: $(userid-prefix) + - name: USERID_CLAIM + value: email + - name: OIDC_PROVIDER + value: $(oidc_provider) + - name: OIDC_AUTH_URL + value: $(oidc_auth_url) + - name: OIDC_SCOPES + value: "profile email groups" + - name: REDIRECT_URL + value: $(oidc_redirect_uri) + - name: SKIP_AUTH_URI + value: $(skip_auth_uri) + - name: PORT + value: "8080" + - name: CLIENT_ID + value: $(client_id) + - name: CLIENT_SECRET + value: $(application_secret) + - name: STORE_PATH + value: /var/lib/authservice/data.db + volumeMounts: + - name: data + mountPath: /var/lib/authservice + readinessProbe: + httpGet: + path: / + port: 8081 + securityContext: + fsGroup: 111 + volumes: + - name: data + persistentVolumeClaim: + claimName: authservice-pvc diff --git a/kustomize/oidc-authservice/kustomization.yaml b/kustomize/oidc-authservice/kustomization.yaml new file mode 100644 index 0000000..0c7b2cc --- /dev/null +++ b/kustomize/oidc-authservice/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: oidc-authservice + app.kubernetes.io/instance: oidc-authservice-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: oidc-authservice + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: istio-system +resources: +- overlays/application/application.yaml diff --git a/kustomize/oidc-authservice/overlays/application/application.yaml b/kustomize/oidc-authservice/overlays/application/application.yaml new file mode 100644 index 0000000..1f33ffc --- /dev/null +++ b/kustomize/oidc-authservice/overlays/application/application.yaml @@ -0,0 +1,43 @@ + +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: oidc-authservice +spec: + selector: + matchLabels: + app.kubernetes.io/name: oidc-authservice + app.kubernetes.io/instance: oidc-authservice-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: oidc-authservice + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: apps + kind: StatefulSet + - group: core + kind: Service + - group: core + kind: PersistentVolumeClaim + - group: networking.istio.io + kind: EnvoyFilter + descriptor: + type: oidc-authservice + version: v1beta1 + description: Provides OIDC-based authentication for Kubeflow Applications, at the Istio Gateway. + maintainers: + - name: Yannis Zarkadas + email: yanniszark@arrikto.com + owners: + - name: Yannis Zarkadas + email: yanniszark@arrikto.com + keywords: + - oidc + - authservice + - authentication + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/oidc-authservice + - description: Docs + url: https://www.kubeflow.org/docs/started/k8s/kfctl-existing-arrikto + addOwnerRef: true diff --git a/kustomize/oidc-authservice/overlays/application/kustomization.yaml b/kustomize/oidc-authservice/overlays/application/kustomization.yaml new file mode 100644 index 0000000..6d83a87 --- /dev/null +++ b/kustomize/oidc-authservice/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: oidc-authservice + app.kubernetes.io/instance: oidc-authservice-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: oidc-authservice + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 \ No newline at end of file diff --git a/kustomize/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml b/kustomize/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml new file mode 100644 index 0000000..4da1926 --- /dev/null +++ b/kustomize/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- statefulset.yaml +images: + - name: busybox + newTag: "latest" + newName: busybox diff --git a/kustomize/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml b/kustomize/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml new file mode 100644 index 0000000..2bf14f3 --- /dev/null +++ b/kustomize/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml @@ -0,0 +1,15 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: authservice +spec: + template: + spec: + initContainers: + - name: fix-permission + image: busybox + command: ['sh', '-c'] + args: ['chmod -R 777 /var/lib/authservice;'] + volumeMounts: + - mountPath: /var/lib/authservice + name: data diff --git a/kustomize/persistent-agent/base/clusterrole-binding.yaml b/kustomize/persistent-agent/base/clusterrole-binding.yaml new file mode 100644 index 0000000..b7ec1a4 --- /dev/null +++ b/kustomize/persistent-agent/base/clusterrole-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: persistenceagent +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: persistenceagent diff --git a/kustomize/persistent-agent/base/clusterrole.yaml b/kustomize/persistent-agent/base/clusterrole.yaml new file mode 100644 index 0000000..0242d6f --- /dev/null +++ b/kustomize/persistent-agent/base/clusterrole.yaml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: persistenceagent +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - get + - list + - watch diff --git a/kustomize/persistent-agent/base/deployment.yaml b/kustomize/persistent-agent/base/deployment.yaml new file mode 100644 index 0000000..1e7aaaa --- /dev/null +++ b/kustomize/persistent-agent/base/deployment.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: persistenceagent +spec: + template: + spec: + containers: + - name: ml-pipeline-persistenceagent + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/ml-pipeline/persistenceagent + imagePullPolicy: IfNotPresent + serviceAccountName: ml-pipeline-persistenceagent diff --git a/kustomize/persistent-agent/base/kustomization.yaml b/kustomize/persistent-agent/base/kustomization.yaml new file mode 100644 index 0000000..e6c4a20 --- /dev/null +++ b/kustomize/persistent-agent/base/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +nameprefix: ml-pipeline- +commonLabels: + app: ml-pipeline-persistenceagent +resources: +- clusterrole-binding.yaml +- clusterrole.yaml +- deployment.yaml +- service-account.yaml +images: +- name: gcr.io/ml-pipeline/persistenceagent + newTag: 0.1.31 + newName: gcr.io/ml-pipeline/persistenceagent diff --git a/kustomize/persistent-agent/base/service-account.yaml b/kustomize/persistent-agent/base/service-account.yaml new file mode 100644 index 0000000..3e2b988 --- /dev/null +++ b/kustomize/persistent-agent/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: persistenceagent diff --git a/kustomize/persistent-agent/kustomization.yaml b/kustomize/persistent-agent/kustomization.yaml new file mode 100644 index 0000000..92446dc --- /dev/null +++ b/kustomize/persistent-agent/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: persistent-agent + app.kubernetes.io/instance: persistent-agent-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: persistent-agent + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/persistent-agent/overlays/application/application.yaml b/kustomize/persistent-agent/overlays/application/application.yaml new file mode 100644 index 0000000..0b497c8 --- /dev/null +++ b/kustomize/persistent-agent/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: persistent-agent +spec: + selector: + matchLabels: + app.kubernetes.io/name: persistent-agent + app.kubernetes.io/instance: persistent-agent-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: persistent-agent + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: persistent-agent + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - persistent-agent + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/persistent-agent/overlays/application/kustomization.yaml b/kustomize/persistent-agent/overlays/application/kustomization.yaml new file mode 100644 index 0000000..cfcd987 --- /dev/null +++ b/kustomize/persistent-agent/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: persistent-agent + app.kubernetes.io/instance: persistent-agent-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: persistent-agent + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/pipeline-visualization-service/base/deployment.yaml b/kustomize/pipeline-visualization-service/base/deployment.yaml new file mode 100644 index 0000000..8df3056 --- /dev/null +++ b/kustomize/pipeline-visualization-service/base/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ml-pipeline-visualizationserver + name: ml-pipeline-visualizationserver +spec: + selector: + matchLabels: + app: ml-pipeline-visualizationserver + template: + metadata: + labels: + app: ml-pipeline-visualizationserver + spec: + containers: + - image: gcr.io/ml-pipeline/visualization-server + imagePullPolicy: IfNotPresent + name: ml-pipeline-visualizationserver + ports: + - containerPort: 8888 diff --git a/kustomize/pipeline-visualization-service/base/kustomization.yaml b/kustomize/pipeline-visualization-service/base/kustomization.yaml new file mode 100644 index 0000000..bf4f7df --- /dev/null +++ b/kustomize/pipeline-visualization-service/base/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +nameprefix: ml-pipeline- +commonLabels: + app: ml-pipeline-visualizationserver +resources: +- deployment.yaml +- service.yaml +images: +- name: gcr.io/ml-pipeline/visualization-server + newTag: 0.1.27 + newName: gcr.io/ml-pipeline/visualization-server diff --git a/kustomize/pipeline-visualization-service/base/service.yaml b/kustomize/pipeline-visualization-service/base/service.yaml new file mode 100644 index 0000000..a4c7e42 --- /dev/null +++ b/kustomize/pipeline-visualization-service/base/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: ml-pipeline-visualizationserver +spec: + ports: + - name: http + port: 8888 + protocol: TCP + targetPort: 8888 + selector: + app: ml-pipeline-visualizationserver diff --git a/kustomize/pipeline-visualization-service/kustomization.yaml b/kustomize/pipeline-visualization-service/kustomization.yaml new file mode 100644 index 0000000..bab87a9 --- /dev/null +++ b/kustomize/pipeline-visualization-service/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: pipeline-visualization-service + app.kubernetes.io/instance: pipeline-visualization-service-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipeline-visualization-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/pipeline-visualization-service/overlays/application/application.yaml b/kustomize/pipeline-visualization-service/overlays/application/application.yaml new file mode 100644 index 0000000..058004b --- /dev/null +++ b/kustomize/pipeline-visualization-service/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipeline-visualization-service +spec: + selector: + matchLabels: + app.kubernetes.io/name: pipeline-visualization-service + app.kubernetes.io/instance: pipeline-visualization-service-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipeline-visualization-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: pipeline-visualization-service + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - pipeline-visualization-service + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/pipeline-visualization-service/overlays/application/kustomization.yaml b/kustomize/pipeline-visualization-service/overlays/application/kustomization.yaml new file mode 100644 index 0000000..8d609b1 --- /dev/null +++ b/kustomize/pipeline-visualization-service/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: pipeline-visualization-service + app.kubernetes.io/instance: pipeline-visualization-service-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipeline-visualization-service + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/pipelines-runner/base/cluster-role-binding.yaml b/kustomize/pipelines-runner/base/cluster-role-binding.yaml new file mode 100644 index 0000000..1f1c2c2 --- /dev/null +++ b/kustomize/pipelines-runner/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: pipeline-runner +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pipeline-runner +subjects: +- kind: ServiceAccount + name: pipeline-runner diff --git a/kustomize/pipelines-runner/base/cluster-role.yaml b/kustomize/pipelines-runner/base/cluster-role.yaml new file mode 100644 index 0000000..edb248e --- /dev/null +++ b/kustomize/pipelines-runner/base/cluster-role.yaml @@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: pipeline-runner +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - create + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - "" + resources: + - pods + - pods/exec + - pods/log + - services + verbs: + - '*' +- apiGroups: + - "" + - apps + - extensions + resources: + - deployments + - replicasets + verbs: + - '*' +- apiGroups: + - kubeflow.org + - serving.kubeflow.org + resources: + - '*' + verbs: + - '*' +- apiGroups: + - batch + resources: + - jobs + verbs: + - '*' diff --git a/kustomize/pipelines-runner/base/kustomization.yaml b/kustomize/pipelines-runner/base/kustomization.yaml new file mode 100644 index 0000000..0c50f07 --- /dev/null +++ b/kustomize/pipelines-runner/base/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +commonLabels: + app: pipeline-runner +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- service-account.yaml diff --git a/kustomize/pipelines-runner/base/service-account.yaml b/kustomize/pipelines-runner/base/service-account.yaml new file mode 100644 index 0000000..8cb2c66 --- /dev/null +++ b/kustomize/pipelines-runner/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pipeline-runner diff --git a/kustomize/pipelines-runner/kustomization.yaml b/kustomize/pipelines-runner/kustomization.yaml new file mode 100644 index 0000000..e598e2a --- /dev/null +++ b/kustomize/pipelines-runner/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: pipelines-runner + app.kubernetes.io/instance: pipelines-runner-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipelines-runner + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/pipelines-runner/overlays/application/application.yaml b/kustomize/pipelines-runner/overlays/application/application.yaml new file mode 100644 index 0000000..62a1fd6 --- /dev/null +++ b/kustomize/pipelines-runner/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipelines-runner +spec: + selector: + matchLabels: + app.kubernetes.io/name: pipelines-runner + app.kubernetes.io/instance: pipelines-runner-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipelines-runner + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: pipelines-runner + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - pipelines-runner + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/pipelines-runner/overlays/application/kustomization.yaml b/kustomize/pipelines-runner/overlays/application/kustomization.yaml new file mode 100644 index 0000000..5b55b37 --- /dev/null +++ b/kustomize/pipelines-runner/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: pipelines-runner + app.kubernetes.io/instance: pipelines-runner-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipelines-runner + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/pipelines-ui/base/deployment.yaml b/kustomize/pipelines-ui/base/deployment.yaml new file mode 100644 index 0000000..e380ccb --- /dev/null +++ b/kustomize/pipelines-ui/base/deployment.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +spec: + selector: + matchLabels: + app: ml-pipeline-ui + template: + metadata: + labels: + app: ml-pipeline-ui + spec: + containers: + - name: ml-pipeline-ui + image: gcr.io/ml-pipeline/frontend + imagePullPolicy: IfNotPresent + ports: + - containerPort: 3000 + serviceAccountName: ml-pipeline-ui diff --git a/kustomize/pipelines-ui/base/kustomization.yaml b/kustomize/pipelines-ui/base/kustomization.yaml new file mode 100644 index 0000000..a1713b8 --- /dev/null +++ b/kustomize/pipelines-ui/base/kustomization.yaml @@ -0,0 +1,47 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +- service.yaml +configMapGenerator: +- name: ui-parameters + env: params.env +images: +- name: gcr.io/ml-pipeline/frontend + newTag: 0.1.31 + newName: gcr.io/ml-pipeline/frontend +vars: +- name: ui-namespace + objref: + kind: Service + name: ml-pipeline-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +- name: ui-clusterDomain + objref: + kind: ConfigMap + name: ui-parameters + version: v1 + fieldref: + fieldpath: data.uiClusterDomain +- name: service + objref: + kind: Service + name: ml-pipeline-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.name +- name: tensorboard-service + objref: + kind: Service + name: ml-pipeline-tensorboard-ui + apiVersion: v1 + fieldref: + fieldpath: metadata.name +configurations: +- params.yaml diff --git a/kustomize/pipelines-ui/base/params.env b/kustomize/pipelines-ui/base/params.env new file mode 100644 index 0000000..def9236 --- /dev/null +++ b/kustomize/pipelines-ui/base/params.env @@ -0,0 +1 @@ +uiClusterDomain=cluster.local diff --git a/kustomize/pipelines-ui/base/params.yaml b/kustomize/pipelines-ui/base/params.yaml new file mode 100644 index 0000000..c8de9ba --- /dev/null +++ b/kustomize/pipelines-ui/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: metadata/annotations/getambassador.io\/config + kind: Service diff --git a/kustomize/pipelines-ui/base/role-binding.yaml b/kustomize/pipelines-ui/base/role-binding.yaml new file mode 100644 index 0000000..ab8654e --- /dev/null +++ b/kustomize/pipelines-ui/base/role-binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ml-pipeline-ui +subjects: +- kind: ServiceAccount + name: ml-pipeline-ui diff --git a/kustomize/pipelines-ui/base/role.yaml b/kustomize/pipelines-ui/base/role.yaml new file mode 100644 index 0000000..1726f08 --- /dev/null +++ b/kustomize/pipelines-ui/base/role.yaml @@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + labels: + app: ml-pipeline-ui + name: ml-pipeline-ui +rules: +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - create + - get + - list +- apiGroups: + - "kubeflow.org" + resources: + - viewers + verbs: + - create + - get + - list + - watch + - delete diff --git a/kustomize/pipelines-ui/base/service-account.yaml b/kustomize/pipelines-ui/base/service-account.yaml new file mode 100644 index 0000000..4c890a2 --- /dev/null +++ b/kustomize/pipelines-ui/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-ui diff --git a/kustomize/pipelines-ui/base/service.yaml b/kustomize/pipelines-ui/base/service.yaml new file mode 100644 index 0000000..8887a5c --- /dev/null +++ b/kustomize/pipelines-ui/base/service.yaml @@ -0,0 +1,48 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: ml-pipeline-ui + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: pipelineui-mapping + prefix: /pipeline + rewrite: /pipeline + timeout_ms: 300000 + service: $(service).$(ui-namespace) + use_websocket: true + labels: + app: ml-pipeline-ui +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: ml-pipeline-ui +--- +apiVersion: v1 +kind: Service +metadata: + name: ml-pipeline-tensorboard-ui + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: pipeline-tensorboard-ui-mapping + prefix: /data + rewrite: /data + timeout_ms: 300000 + service: $(service).$(ui-namespace) + use_websocket: true + labels: + app: ml-pipeline-tensorboard-ui +spec: + ports: + - port: 80 + targetPort: 3000 + selector: + app: ml-pipeline-tensorboard-ui diff --git a/kustomize/pipelines-ui/kustomization.yaml b/kustomize/pipelines-ui/kustomization.yaml new file mode 100644 index 0000000..860103a --- /dev/null +++ b/kustomize/pipelines-ui/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: pipelines-ui + app.kubernetes.io/instance: pipelines-ui-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipelines-ui + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/istio/virtual-service.yaml +- overlays/application/application.yaml diff --git a/kustomize/pipelines-ui/overlays/application/application.yaml b/kustomize/pipelines-ui/overlays/application/application.yaml new file mode 100644 index 0000000..e8e171b --- /dev/null +++ b/kustomize/pipelines-ui/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipelines-ui +spec: + selector: + matchLabels: + app.kubernetes.io/name: pipelines-ui + app.kubernetes.io/instance: pipelines-ui-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipelines-ui + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: pipelines-ui + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - pipelines-ui + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/pipelines-ui/overlays/application/kustomization.yaml b/kustomize/pipelines-ui/overlays/application/kustomization.yaml new file mode 100644 index 0000000..031ff04 --- /dev/null +++ b/kustomize/pipelines-ui/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: pipelines-ui + app.kubernetes.io/instance: pipelines-ui-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipelines-ui + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/pipelines-ui/overlays/gcp/deployment.yaml b/kustomize/pipelines-ui/overlays/gcp/deployment.yaml new file mode 100644 index 0000000..490d8d1 --- /dev/null +++ b/kustomize/pipelines-ui/overlays/gcp/deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline-ui +spec: + template: + spec: + volumes: + - name: gcp-sa-token + secret: + secretName: user-gcp-sa + containers: + - name: ml-pipeline-ui + env: + - name: GOOGLE_APPLICATION_CREDENTIALS + value: /etc/credentials/user-gcp-sa.json + volumeMounts: + - name: gcp-sa-token + mountPath: "/etc/credentials" + readOnly: true diff --git a/kustomize/pipelines-ui/overlays/gcp/kustomization.yaml b/kustomize/pipelines-ui/overlays/gcp/kustomization.yaml new file mode 100644 index 0000000..9080da8 --- /dev/null +++ b/kustomize/pipelines-ui/overlays/gcp/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml diff --git a/kustomize/pipelines-ui/overlays/istio/kustomization.yaml b/kustomize/pipelines-ui/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..fcd00db --- /dev/null +++ b/kustomize/pipelines-ui/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kustomize/pipelines-ui/overlays/istio/params.yaml b/kustomize/pipelines-ui/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/pipelines-ui/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/pipelines-ui/overlays/istio/virtual-service.yaml b/kustomize/pipelines-ui/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..1888b7c --- /dev/null +++ b/kustomize/pipelines-ui/overlays/istio/virtual-service.yaml @@ -0,0 +1,43 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ml-pipeline-tensorboard-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /data + rewrite: + uri: /data + route: + - destination: + host: $(tensorboard-service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 80 + timeout: 300s +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ml-pipeline-ui +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /pipeline + rewrite: + uri: /pipeline + route: + - destination: + host: $(service).$(ui-namespace).svc.$(ui-clusterDomain) + port: + number: 80 + timeout: 300s diff --git a/kustomize/pipelines-viewer/base/cluster-role-binding.yaml b/kustomize/pipelines-viewer/base/cluster-role-binding.yaml new file mode 100644 index 0000000..91eaab5 --- /dev/null +++ b/kustomize/pipelines-viewer/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: crd-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: controller-role +subjects: +- kind: ServiceAccount + name: crd-service-account diff --git a/kustomize/pipelines-viewer/base/cluster-role.yaml b/kustomize/pipelines-viewer/base/cluster-role.yaml new file mode 100644 index 0000000..f8b3e8f --- /dev/null +++ b/kustomize/pipelines-viewer/base/cluster-role.yaml @@ -0,0 +1,86 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: controller-role +rules: +- apiGroups: + - '*' + resources: + - deployments + - services + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipeline-viewers-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-viewers-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipeline-viewers-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipeline-viewers-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pipeline-viewers-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - get + - list + - watch diff --git a/kustomize/pipelines-viewer/base/crd.yaml b/kustomize/pipelines-viewer/base/crd.yaml new file mode 100644 index 0000000..dcb5db0 --- /dev/null +++ b/kustomize/pipelines-viewer/base/crd.yaml @@ -0,0 +1,18 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: viewers.kubeflow.org +spec: + group: kubeflow.org + names: + kind: Viewer + listKind: ViewerList + plural: viewers + shortNames: + - vi + singular: viewer + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true diff --git a/kustomize/pipelines-viewer/base/deployment.yaml b/kustomize/pipelines-viewer/base/deployment.yaml new file mode 100644 index 0000000..bad9bdf --- /dev/null +++ b/kustomize/pipelines-viewer/base/deployment.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-deployment +spec: + template: + spec: + containers: + - env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/ml-pipeline/viewer-crd-controller:0.1.31 + imagePullPolicy: Always + name: ml-pipeline-viewer-controller + serviceAccountName: crd-service-account diff --git a/kustomize/pipelines-viewer/base/kustomization.yaml b/kustomize/pipelines-viewer/base/kustomization.yaml new file mode 100644 index 0000000..f29c65e --- /dev/null +++ b/kustomize/pipelines-viewer/base/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +nameprefix: ml-pipeline-viewer- +commonLabels: + app: ml-pipeline-viewer-crd +resources: +- crd.yaml +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- service-account.yaml +images: +- name: gcr.io/ml-pipeline/viewer-crd-controller + newTag: 0.1.31 + newName: gcr.io/ml-pipeline/viewer-crd-controller diff --git a/kustomize/pipelines-viewer/base/service-account.yaml b/kustomize/pipelines-viewer/base/service-account.yaml new file mode 100644 index 0000000..96b13b1 --- /dev/null +++ b/kustomize/pipelines-viewer/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: crd-service-account diff --git a/kustomize/pipelines-viewer/kustomization.yaml b/kustomize/pipelines-viewer/kustomization.yaml new file mode 100644 index 0000000..f67e962 --- /dev/null +++ b/kustomize/pipelines-viewer/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: pipelines-viewer + app.kubernetes.io/instance: pipelines-viewer-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pipelines-viewer + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/pipelines-viewer/overlays/application/application.yaml b/kustomize/pipelines-viewer/overlays/application/application.yaml new file mode 100644 index 0000000..d2a3bce --- /dev/null +++ b/kustomize/pipelines-viewer/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pipelines-viewer +spec: + selector: + matchLabels: + app.kubernetes.io/name: pipelines-viewer + app.kubernetes.io/instance: pipelines-viewer-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipelines-viewer + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: pipelines-viewer + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - pipelines-viewer + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/pipelines-viewer/overlays/application/kustomization.yaml b/kustomize/pipelines-viewer/overlays/application/kustomization.yaml new file mode 100644 index 0000000..63d5c77 --- /dev/null +++ b/kustomize/pipelines-viewer/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: pipelines-viewer + app.kubernetes.io/instance: pipelines-viewer-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pipelines-viewer + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/profiles/base/README.md b/kustomize/profiles/base/README.md new file mode 100644 index 0000000..66cb68b --- /dev/null +++ b/kustomize/profiles/base/README.md @@ -0,0 +1,5 @@ +When profile-controller image updated, you can run below command to update it in manifest. + +``` +kustomize edit set image gcr.io/kubeflow-images-public/profile-controller:$NEW_TAG +``` diff --git a/kustomize/profiles/base/cluster-role-binding.yaml b/kustomize/profiles/base/cluster-role-binding.yaml new file mode 100644 index 0000000..9f55fc3 --- /dev/null +++ b/kustomize/profiles/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: controller-service-account diff --git a/kustomize/profiles/base/crd.yaml b/kustomize/profiles/base/crd.yaml new file mode 100644 index 0000000..f9adc14 --- /dev/null +++ b/kustomize/profiles/base/crd.yaml @@ -0,0 +1,157 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: profiles.kubeflow.org +spec: + group: kubeflow.org + names: + kind: Profile + plural: profiles + scope: Cluster + subresources: + status: {} + validation: + openAPIV3Schema: + description: Profile is the Schema for the profiles API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProfileSpec defines the desired state of Profile + properties: + owner: + description: The profile owner + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + required: + - kind + - name + type: object + plugins: + items: + description: Plugin is for customize actions on different platform. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + type: string + spec: + type: object + type: object + type: array + resourceQuotaSpec: + description: Resourcequota that will be applied to target namespace + properties: + hard: + additionalProperties: + type: string + description: 'hard is the set of desired hard limits for each named + resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + scopeSelector: + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. + properties: + matchExpressions: + description: A list of scope selector requirements by scope + of the resources. + items: + description: A scoped-resource selector requirement is a selector + that contains values, a scope name, and an operator that + relates the scope name and values. + properties: + operator: + description: Represents a scope's relationship to a set + of values. Valid operators are In, NotIn, Exists, DoesNotExist. + type: string + scopeName: + description: The name of the scope that the selector applies + to. + type: string + values: + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - operator + - scopeName + type: object + type: array + type: object + scopes: + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all objects. + items: + description: A ResourceQuotaScope defines a filter that must match + each object tracked by a quota + type: string + type: array + type: object + type: object + status: + description: ProfileStatus defines the observed state of Profile + properties: + conditions: + items: + properties: + message: + type: string + status: + type: string + type: + type: string + type: object + type: array + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] \ No newline at end of file diff --git a/kustomize/profiles/base/deployment.yaml b/kustomize/profiles/base/deployment.yaml new file mode 100644 index 0000000..990cc9d --- /dev/null +++ b/kustomize/profiles/base/deployment.yaml @@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + replicas: 1 + template: + spec: + containers: + - command: + - /manager + args: + - "-userid-header" + - $(userid-header) + - "-userid-prefix" + - $(userid-prefix) + - "-workload-identity" + - $(gcp-sa) + image: gcr.io/kubeflow-images-public/profile-controller:v20190619-v0-219-gbd3daa8c-dirty-1ced0e + imagePullPolicy: Always + name: manager + - command: + - /opt/kubeflow/access-management + args: + - "-cluster-admin" + - $(admin) + - "-userid-header" + - $(userid-header) + - "-userid-prefix" + - $(userid-prefix) + image: gcr.io/kubeflow-images-public/kfam:v20190612-v0-170-ga06cdb79-dirty-a33ee4 + imagePullPolicy: Always + name: kfam + serviceAccountName: controller-service-account diff --git a/kustomize/profiles/base/kustomization.yaml b/kustomize/profiles/base/kustomization.yaml new file mode 100644 index 0000000..acaeb04 --- /dev/null +++ b/kustomize/profiles/base/kustomization.yaml @@ -0,0 +1,59 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- crd.yaml +- deployment.yaml +- service.yaml +- service-account.yaml +namePrefix: profiles- +namespace: kubeflow +commonLabels: + kustomize.component: profiles +configMapGenerator: +- env: params.env + name: profiles-parameters +images: +- digest: sha256:3b0d4be7e59a3fa5ed1d80dccc832312caa94f3b2d36682524d3afc4e45164f0 + name: gcr.io/kubeflow-images-public/kfam +- name: gcr.io/kubeflow-images-public/profile-controller + newName: gcr.io/kubeflow-images-public/profile-controller + newTag: vmaster-gf8a30e02 +vars: +- fieldref: + fieldPath: data.admin + name: admin + objref: + apiVersion: v1 + kind: ConfigMap + name: profiles-parameters +- fieldref: + fieldPath: data.gcp-sa + name: gcp-sa + objref: + apiVersion: v1 + kind: ConfigMap + name: profiles-parameters +- fieldref: + fieldPath: data.userid-header + name: userid-header + objref: + apiVersion: v1 + kind: ConfigMap + name: profiles-parameters +- fieldref: + fieldPath: data.userid-prefix + name: userid-prefix + objref: + apiVersion: v1 + kind: ConfigMap + name: profiles-parameters +- fieldref: + fieldPath: metadata.namespace + name: namespace + objref: + apiVersion: v1 + kind: Service + name: kfam +configurations: +- params.yaml diff --git a/kustomize/profiles/base/params.env b/kustomize/profiles/base/params.env new file mode 100644 index 0000000..9759167 --- /dev/null +++ b/kustomize/profiles/base/params.env @@ -0,0 +1,4 @@ +admin=anonymous +gcp-sa= +userid-header=kubeflow-userid +userid-prefix= diff --git a/kustomize/profiles/base/params.yaml b/kustomize/profiles/base/params.yaml new file mode 100644 index 0000000..567144b --- /dev/null +++ b/kustomize/profiles/base/params.yaml @@ -0,0 +1,13 @@ +varReference: +- path: spec/template/spec/containers/0/args/1 + kind: Deployment +- path: spec/template/spec/containers/0/args/3 + kind: Deployment +- path: spec/template/spec/containers/0/args/5 + kind: Deployment +- path: spec/template/spec/containers/1/args/1 + kind: Deployment +- path: spec/template/spec/containers/1/args/3 + kind: Deployment +- path: spec/template/spec/containers/1/args/5 + kind: Deployment diff --git a/kustomize/profiles/base/service-account.yaml b/kustomize/profiles/base/service-account.yaml new file mode 100644 index 0000000..dde6b07 --- /dev/null +++ b/kustomize/profiles/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller-service-account diff --git a/kustomize/profiles/base/service.yaml b/kustomize/profiles/base/service.yaml new file mode 100644 index 0000000..9c0e659 --- /dev/null +++ b/kustomize/profiles/base/service.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Service +metadata: + name: kfam +spec: + ports: + - port: 8081 \ No newline at end of file diff --git a/kustomize/profiles/kustomization.yaml b/kustomize/profiles/kustomization.yaml new file mode 100644 index 0000000..4043733 --- /dev/null +++ b/kustomize/profiles/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: profiles + app.kubernetes.io/instance: profiles-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: profiles + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml +- overlays/istio/virtual-service.yaml diff --git a/kustomize/profiles/overlays/application/application.yaml b/kustomize/profiles/overlays/application/application.yaml new file mode 100644 index 0000000..d6b1dfb --- /dev/null +++ b/kustomize/profiles/overlays/application/application.yaml @@ -0,0 +1,39 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: profiles +spec: + selector: + matchLabels: + app.kubernetes.io/name: profiles + app.kubernetes.io/instance: profiles-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: profiles + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: apps + kind: Deployment + - group: rbac.authorization.k8s.io + kind: RoleBinding + - group: rbac.authorization.k8s.io + kind: Role + - group: core + kind: ServiceAccount + - group: core + kind: Service + - group: kubeflow.org + kind: Profile + descriptor: + type: profiles + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - profiles + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/profiles/overlays/application/kustomization.yaml b/kustomize/profiles/overlays/application/kustomization.yaml new file mode 100644 index 0000000..ec7ab3c --- /dev/null +++ b/kustomize/profiles/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: profiles + app.kubernetes.io/instance: profiles-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: profiles + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/profiles/overlays/debug/deployment.yaml b/kustomize/profiles/overlays/debug/deployment.yaml new file mode 100644 index 0000000..6c007d7 --- /dev/null +++ b/kustomize/profiles/overlays/debug/deployment.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + command: ["/go/bin/dlv"] + args: ["--listen=:2345", "--headless=true", "--api-version=2", "exec", "/go/src/github.com/kubeflow/kubeflow/components/profile-controller/manager"] + env: + - name: project + valueFrom: + configMapKeyRef: + name: parameters + key: project + image: gcr.io/$(project)/profile-controller:latest + ports: + - containerPort: 2345 + securityContext: + privileged: true diff --git a/kustomize/profiles/overlays/debug/kustomization.yaml b/kustomize/profiles/overlays/debug/kustomization.yaml new file mode 100644 index 0000000..f333a72 --- /dev/null +++ b/kustomize/profiles/overlays/debug/kustomization.yaml @@ -0,0 +1,25 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml +configMapGenerator: +- name: parameters + env: params.env +generatorOptions: + disableNameSuffixHash: true +vars: +- name: project + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.project +configurations: +- params.yaml +images: +- name: gcr.io/$(project)/profile-controller + newName: gcr.io/$(project)/profile-controller + newTag: latest diff --git a/kustomize/profiles/overlays/debug/params.env b/kustomize/profiles/overlays/debug/params.env new file mode 100644 index 0000000..8a76300 --- /dev/null +++ b/kustomize/profiles/overlays/debug/params.env @@ -0,0 +1 @@ +project= diff --git a/kustomize/profiles/overlays/debug/params.yaml b/kustomize/profiles/overlays/debug/params.yaml new file mode 100644 index 0000000..3d38939 --- /dev/null +++ b/kustomize/profiles/overlays/debug/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/template/spec/containers/image + kind: Deployment diff --git a/kustomize/profiles/overlays/devices/deployment.yaml b/kustomize/profiles/overlays/devices/deployment.yaml new file mode 100644 index 0000000..6fd2207 --- /dev/null +++ b/kustomize/profiles/overlays/devices/deployment.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: manager + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" diff --git a/kustomize/profiles/overlays/devices/kustomization.yaml b/kustomize/profiles/overlays/devices/kustomization.yaml new file mode 100644 index 0000000..9080da8 --- /dev/null +++ b/kustomize/profiles/overlays/devices/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +patchesStrategicMerge: +- deployment.yaml diff --git a/kustomize/profiles/overlays/istio/kustomization.yaml b/kustomize/profiles/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..fcd00db --- /dev/null +++ b/kustomize/profiles/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kustomize/profiles/overlays/istio/params.yaml b/kustomize/profiles/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/profiles/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/profiles/overlays/istio/virtual-service.yaml b/kustomize/profiles/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..daf2dec --- /dev/null +++ b/kustomize/profiles/overlays/istio/virtual-service.yaml @@ -0,0 +1,24 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: kfam +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - headers: + request: + add: + x-forwarded-prefix: /kfam + match: + - uri: + prefix: /kfam/ + rewrite: + uri: /kfam/ + route: + - destination: + host: profiles-kfam.$(namespace).svc.cluster.local + port: + number: 8081 diff --git a/kustomize/profiles/overlays/test/app_test.yaml b/kustomize/profiles/overlays/test/app_test.yaml new file mode 100644 index 0000000..345d067 --- /dev/null +++ b/kustomize/profiles/overlays/test/app_test.yaml @@ -0,0 +1,23 @@ +apiVersion: kfdef.apps.kubeflow.org/v1alpha1 +kind: KfDef +metadata: + name: plugin-test +spec: + appdir: . + componentParams: + profiles: + - name: overlay + value: debug + - name: overlay + value: devices + components: + - profiles + manifestsRepo: /Users/kdkasrav/plugin-test/.cache/manifests/pull/31/head + packageManager: kustomize@pull/31 + packages: + - profiles + repo: /Users/kdkasrav/plugin-test/.cache/kubeflow/master/kubeflow + useBasicAuth: false + useIstio: true + version: master +status: {} diff --git a/kustomize/profiles/overlays/test/kustomization.yaml b/kustomize/profiles/overlays/test/kustomization.yaml new file mode 100644 index 0000000..de10db8 --- /dev/null +++ b/kustomize/profiles/overlays/test/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +#generators: +#- app_test.yaml diff --git a/kustomize/pytorch-job-crds/base/crd.yaml b/kustomize/pytorch-job-crds/base/crd.yaml new file mode 100644 index 0000000..4a8cf89 --- /dev/null +++ b/kustomize/pytorch-job-crds/base/crd.yaml @@ -0,0 +1,42 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: pytorchjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: PyTorchJob + plural: pytorchjobs + singular: pytorchjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + pytorchReplicaSpecs: + properties: + Master: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kustomize/pytorch-job-crds/base/kustomization.yaml b/kustomize/pytorch-job-crds/base/kustomization.yaml new file mode 100644 index 0000000..6e120e7 --- /dev/null +++ b/kustomize/pytorch-job-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kustomize/pytorch-job-crds/kustomization.yaml b/kustomize/pytorch-job-crds/kustomization.yaml new file mode 100644 index 0000000..90fb1b8 --- /dev/null +++ b/kustomize/pytorch-job-crds/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/instance: pytorch-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pytorch-job-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/pytorch-job-crds/overlays/application/application.yaml b/kustomize/pytorch-job-crds/overlays/application/application.yaml new file mode 100644 index 0000000..4946a1c --- /dev/null +++ b/kustomize/pytorch-job-crds/overlays/application/application.yaml @@ -0,0 +1,42 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pytorch-job-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: pytorch-job-crds + app.kubernetes.io/instance: pytorch-job-crds-v0.7.0 + app.kubernetes.io/version: v0.7.0 + app.kubernetes.io/component: pytorch + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/managed-by: kfctl + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: PyTorchJob + descriptor: + type: "pytorch-job-crds" + version: "v1" + description: "Pytorch-job-crds contains the \"PyTorchJob\" custom resource definition." + maintainers: + - name: Johnu George + email: johnugeo@cisco.com + owners: + - name: Johnu George + email: johnugeo@cisco.com + keywords: + - "pytorchjob" + - "pytorch-operator" + - "pytorch-training" + links: + - description: About + url: "https://github.com/kubeflow/pytorch-operator" + - description: Docs + url: "https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/" + addOwnerRef: true diff --git a/kustomize/pytorch-job-crds/overlays/application/kustomization.yaml b/kustomize/pytorch-job-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000..ff7aef4 --- /dev/null +++ b/kustomize/pytorch-job-crds/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: pytorch-job-crds + app.kubernetes.io/instance: pytorch-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: pytorch + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/pytorch-operator/base/cluster-role-binding.yaml b/kustomize/pytorch-operator/base/cluster-role-binding.yaml new file mode 100644 index 0000000..595f0fd --- /dev/null +++ b/kustomize/pytorch-operator/base/cluster-role-binding.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: pytorch-operator + name: pytorch-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: pytorch-operator +subjects: +- kind: ServiceAccount + name: pytorch-operator diff --git a/kustomize/pytorch-operator/base/cluster-role.yaml b/kustomize/pytorch-operator/base/cluster-role.yaml new file mode 100644 index 0000000..1676c31 --- /dev/null +++ b/kustomize/pytorch-operator/base/cluster-role.yaml @@ -0,0 +1,86 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: pytorch-operator + name: pytorch-operator +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - events + verbs: + - '*' +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pytorchjobs-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pytorchjobs-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-pytorchjobs-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - pytorchjobs + - pytorchjobs/status + verbs: + - get + - list + - watch diff --git a/kustomize/pytorch-operator/base/deployment.yaml b/kustomize/pytorch-operator/base/deployment.yaml new file mode 100644 index 0000000..65ec3a2 --- /dev/null +++ b/kustomize/pytorch-operator/base/deployment.yaml @@ -0,0 +1,32 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pytorch-operator +spec: + replicas: 1 + selector: + matchLabels: + name: pytorch-operator + template: + metadata: + labels: + name: pytorch-operator + spec: + containers: + - command: + - /pytorch-operator.v1 + - --alsologtostderr + - -v=1 + - --monitoring-port=8443 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: gcr.io/kubeflow-images-public/pytorch-operator:v0.6.0-18-g5e36a57 + name: pytorch-operator + serviceAccountName: pytorch-operator diff --git a/kustomize/pytorch-operator/base/kustomization.yaml b/kustomize/pytorch-operator/base/kustomization.yaml new file mode 100644 index 0000000..e56aead --- /dev/null +++ b/kustomize/pytorch-operator/base/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- service-account.yaml +- service.yaml +commonLabels: + kustomize.component: pytorch-operator +images: +- name: gcr.io/kubeflow-images-public/pytorch-operator + newName: gcr.io/kubeflow-images-public/pytorch-operator + newTag: v0.7.0 diff --git a/kustomize/pytorch-operator/base/params.env b/kustomize/pytorch-operator/base/params.env new file mode 100644 index 0000000..47e9d44 --- /dev/null +++ b/kustomize/pytorch-operator/base/params.env @@ -0,0 +1,3 @@ +pytorchDefaultImage=null +deploymentScope=cluster +deploymentNamespace=null diff --git a/kustomize/pytorch-operator/base/service-account.yaml b/kustomize/pytorch-operator/base/service-account.yaml new file mode 100644 index 0000000..3fe6033 --- /dev/null +++ b/kustomize/pytorch-operator/base/service-account.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: pytorch-operator + name: pytorch-operator diff --git a/kustomize/pytorch-operator/base/service.yaml b/kustomize/pytorch-operator/base/service.yaml new file mode 100644 index 0000000..c788ab2 --- /dev/null +++ b/kustomize/pytorch-operator/base/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "8443" + prometheus.io/scrape: "true" + labels: + app: pytorch-operator + name: pytorch-operator +spec: + ports: + - name: monitoring-port + port: 8443 + targetPort: 8443 + selector: + name: pytorch-operator + type: ClusterIP + diff --git a/kustomize/pytorch-operator/kustomization.yaml b/kustomize/pytorch-operator/kustomization.yaml new file mode 100644 index 0000000..6514c03 --- /dev/null +++ b/kustomize/pytorch-operator/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: pytorch + app.kubernetes.io/instance: pytorch-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: pytorch-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/pytorch-operator/overlays/application/application.yaml b/kustomize/pytorch-operator/overlays/application/application.yaml new file mode 100644 index 0000000..c2eb602 --- /dev/null +++ b/kustomize/pytorch-operator/overlays/application/application.yaml @@ -0,0 +1,44 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: pytorch-operator +spec: + selector: + matchLabels: + app.kubernetes.io/name: pytorch-operator + app.kubernetes.io/instance: pytorch-operator-v0.7.0 + app.kubernetes.io/version: v0.7.0 + app.kubernetes.io/component: pytorch + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/managed-by: kfctl + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ConfigMap + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: PyTorchJob + descriptor: + type: "pytorch-operator" + version: "v1" + description: "Pytorch-operator allows users to create and manage the \"PyTorchJob\" custom resource." + maintainers: + - name: Johnu George + email: johnugeo@cisco.com + owners: + - name: Johnu George + email: johnugeo@cisco.com + keywords: + - "pytorchjob" + - "pytorch-operator" + - "pytorch-training" + links: + - description: About + url: "https://github.com/kubeflow/pytorch-operator" + - description: Docs + url: "https://www.kubeflow.org/docs/reference/pytorchjob/v1/pytorch/" + addOwnerRef: true diff --git a/kustomize/pytorch-operator/overlays/application/kustomization.yaml b/kustomize/pytorch-operator/overlays/application/kustomization.yaml new file mode 100644 index 0000000..c3d0637 --- /dev/null +++ b/kustomize/pytorch-operator/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: pytorch-operator + app.kubernetes.io/instance: pytorch-operator-v0.7.0 + app.kubernetes.io/version: v0.7.0 + app.kubernetes.io/component: pytorch + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/managed-by: kfctl diff --git a/kustomize/scheduledworkflow/base/cluster-role.yaml b/kustomize/scheduledworkflow/base/cluster-role.yaml new file mode 100644 index 0000000..b33dd8c --- /dev/null +++ b/kustomize/scheduledworkflow/base/cluster-role.yaml @@ -0,0 +1,55 @@ +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-scheduledworkflows-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-scheduledworkflows-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-scheduledworkflows-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-scheduledworkflows-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-scheduledworkflows-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - get + - list + - watch diff --git a/kustomize/scheduledworkflow/base/crd.yaml b/kustomize/scheduledworkflow/base/crd.yaml new file mode 100644 index 0000000..22dc3c8 --- /dev/null +++ b/kustomize/scheduledworkflow/base/crd.yaml @@ -0,0 +1,18 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: scheduledworkflows.kubeflow.org +spec: + group: kubeflow.org + names: + kind: ScheduledWorkflow + listKind: ScheduledWorkflowList + plural: scheduledworkflows + shortNames: + - swf + singular: scheduledworkflow + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true diff --git a/kustomize/scheduledworkflow/base/deployment.yaml b/kustomize/scheduledworkflow/base/deployment.yaml new file mode 100644 index 0000000..1664f8a --- /dev/null +++ b/kustomize/scheduledworkflow/base/deployment.yaml @@ -0,0 +1,17 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ml-pipeline-scheduledworkflow +spec: + template: + spec: + containers: + - name: ml-pipeline-scheduledworkflow + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: gcr.io/ml-pipeline/scheduledworkflow + imagePullPolicy: IfNotPresent + serviceAccountName: ml-pipeline-scheduledworkflow diff --git a/kustomize/scheduledworkflow/base/kustomization.yaml b/kustomize/scheduledworkflow/base/kustomization.yaml new file mode 100644 index 0000000..3e5e6d5 --- /dev/null +++ b/kustomize/scheduledworkflow/base/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +commonLabels: + app: ml-pipeline-scheduledworkflow +resources: +- cluster-role.yaml +- crd.yaml +- deployment.yaml +- role-binding.yaml +- role.yaml +- service-account.yaml +images: +- name: gcr.io/ml-pipeline/scheduledworkflow + newTag: 0.1.31 + newName: gcr.io/ml-pipeline/scheduledworkflow diff --git a/kustomize/scheduledworkflow/base/role-binding.yaml b/kustomize/scheduledworkflow/base/role-binding.yaml new file mode 100644 index 0000000..18ebc93 --- /dev/null +++ b/kustomize/scheduledworkflow/base/role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: ml-pipeline-scheduledworkflow +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: ml-pipeline-scheduledworkflow diff --git a/kustomize/scheduledworkflow/base/role.yaml b/kustomize/scheduledworkflow/base/role.yaml new file mode 100644 index 0000000..e922eae --- /dev/null +++ b/kustomize/scheduledworkflow/base/role.yaml @@ -0,0 +1,29 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: ml-pipeline-scheduledworkflow +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete diff --git a/kustomize/scheduledworkflow/base/service-account.yaml b/kustomize/scheduledworkflow/base/service-account.yaml new file mode 100644 index 0000000..285c137 --- /dev/null +++ b/kustomize/scheduledworkflow/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ml-pipeline-scheduledworkflow diff --git a/kustomize/scheduledworkflow/kustomization.yaml b/kustomize/scheduledworkflow/kustomization.yaml new file mode 100644 index 0000000..13899f4 --- /dev/null +++ b/kustomize/scheduledworkflow/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: scheduledworkflow + app.kubernetes.io/instance: scheduledworkflow-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: scheduledworkflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/scheduledworkflow/overlays/application/application.yaml b/kustomize/scheduledworkflow/overlays/application/application.yaml new file mode 100644 index 0000000..5774260 --- /dev/null +++ b/kustomize/scheduledworkflow/overlays/application/application.yaml @@ -0,0 +1,31 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: scheduledworkflow +spec: + selector: + matchLabels: + app.kubernetes.io/name: scheduledworkflow + app.kubernetes.io/instance: scheduledworkflow-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: scheduledworkflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 + componentKinds: + - group: core + kind: ConfigMap + - group: apps + kind: Deployment + descriptor: + type: scheduledworkflow + version: v1beta1 + description: "" + maintainers: [] + owners: [] + keywords: + - scheduledworkflow + - kubeflow + links: + - description: About + url: "" + addOwnerRef: true diff --git a/kustomize/scheduledworkflow/overlays/application/kustomization.yaml b/kustomize/scheduledworkflow/overlays/application/kustomization.yaml new file mode 100644 index 0000000..fbe29e6 --- /dev/null +++ b/kustomize/scheduledworkflow/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: scheduledworkflow + app.kubernetes.io/instance: scheduledworkflow-0.1.31 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: scheduledworkflow + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: 0.1.31 diff --git a/kustomize/seldon-core-operator/base/Kube-descriptor.yaml b/kustomize/seldon-core-operator/base/Kube-descriptor.yaml new file mode 100644 index 0000000..35bbd9f --- /dev/null +++ b/kustomize/seldon-core-operator/base/Kube-descriptor.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +description: Seldon Core CRD and controller helm chart for Kubernetes +keywords: +- kubernetes +- machine-learning +name: seldon-core-operator +sources: +- https://github.com/SeldonIO/seldon-core +version: 0.4.1 diff --git a/kustomize/seldon-core-operator/base/kustomization.yaml b/kustomize/seldon-core-operator/base/kustomization.yaml new file mode 100644 index 0000000..6f46a68 --- /dev/null +++ b/kustomize/seldon-core-operator/base/kustomization.yaml @@ -0,0 +1,16 @@ +# List of resource files that kustomize reads, modifies +# and emits as a YAML string +resources: +- seldon-config-cm.yaml +- seldon-manager-sa.yaml +- seldon-operator-controller-manager-service-svc.yaml +- seldon-operator-controller-manager-statefulset.yaml +- seldon-operator-manager-role-clusterrole.yaml +- seldon-operator-manager-rolebinding-crb.yaml +- seldon-operator-webhook-server-secret-secret.yaml +- seldondeployments.machinelearning.seldon.io-crd.yaml +- webhook-server-service-svc.yaml +images: +- name: docker.io/seldonio/seldon-core-operator + newName: docker.io/seldonio/seldon-core-operator + newTag: 0.4.1 diff --git a/kustomize/seldon-core-operator/base/seldon-config-cm.yaml b/kustomize/seldon-core-operator/base/seldon-config-cm.yaml new file mode 100644 index 0000000..abfe3c1 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-config-cm.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +data: + credentials: |- + { + "gcs" : { + "gcsCredentialFileName": "gcloud-application-credentials.json" + }, + "s3" : { + "s3AccessKeyIDName": "awsAccessKeyID", + "s3SecretAccessKeyName": "awsSecretAccessKey" + } + } +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + helm.sh/chart: seldon-core-operator-0.4.1 + name: seldon-config + namespace: kubeflow diff --git a/kustomize/seldon-core-operator/base/seldon-manager-sa.yaml b/kustomize/seldon-core-operator/base/seldon-manager-sa.yaml new file mode 100644 index 0000000..24d6717 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-manager-sa.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + helm.sh/chart: seldon-core-operator-0.4.1 + name: seldon-manager + namespace: kubeflow diff --git a/kustomize/seldon-core-operator/base/seldon-operator-controller-manager-service-svc.yaml b/kustomize/seldon-core-operator/base/seldon-operator-controller-manager-service-svc.yaml new file mode 100644 index 0000000..0191e23 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-operator-controller-manager-service-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + control-plane: seldon-controller-manager + controller-tools.k8s.io: "1.0" + helm.sh/chart: seldon-core-operator-0.4.1 + name: seldon-operator-controller-manager-service + namespace: kubeflow +spec: + ports: + - port: 443 + selector: + control-plane: seldon-controller-manager + controller-tools.k8s.io: "1.0" diff --git a/kustomize/seldon-core-operator/base/seldon-operator-controller-manager-statefulset.yaml b/kustomize/seldon-core-operator/base/seldon-operator-controller-manager-statefulset.yaml new file mode 100644 index 0000000..47f8d47 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-operator-controller-manager-statefulset.yaml @@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + control-plane: seldon-controller-manager + controller-tools.k8s.io: "1.0" + helm.sh/chart: seldon-core-operator-0.4.1 + name: seldon-operator-controller-manager + namespace: kubeflow +spec: + selector: + matchLabels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/name: seldon-core-operator + control-plane: seldon-controller-manager + controller-tools.k8s.io: "1.0" + serviceName: seldon-operator-controller-manager-service + template: + metadata: + annotations: + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/name: seldon-core-operator + control-plane: seldon-controller-manager + controller-tools.k8s.io: "1.0" + spec: + containers: + - command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SECRET_NAME + value: seldon-operator-webhook-server-secret + - name: AMBASSADOR_ENABLED + value: "true" + - name: AMBASSADOR_SINGLE_NAMESPACE + value: "false" + - name: ENGINE_CONTAINER_IMAGE_AND_VERSION + value: docker.io/seldonio/engine:0.4.1 + - name: ENGINE_CONTAINER_IMAGE_PULL_POLICY + value: IfNotPresent + - name: ENGINE_CONTAINER_SERVICE_ACCOUNT_NAME + value: default + - name: ENGINE_CONTAINER_USER + value: "8888" + - name: ENGINE_LOG_MESSAGES_EXTERNALLY + value: "false" + - name: PREDICTIVE_UNIT_SERVICE_PORT + value: "9000" + - name: ENGINE_SERVER_GRPC_PORT + value: "5001" + - name: ENGINE_SERVER_PORT + value: "8000" + - name: ENGINE_PROMETHEUS_PATH + value: prometheus + - name: ISTIO_ENABLED + value: "true" + - name: ISTIO_GATEWAY + value: kubeflow-gateway + image: docker.io/seldonio/seldon-core-operator:0.4.1 + imagePullPolicy: Always + name: manager + ports: + - containerPort: 8080 + name: metrics + protocol: TCP + - containerPort: 9876 + name: webhook-server + protocol: TCP + resources: + requests: + cpu: 100m + memory: 20Mi + volumeMounts: + - mountPath: /tmp/cert + name: cert + readOnly: true + serviceAccountName: seldon-manager + terminationGracePeriodSeconds: 10 + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: seldon-operator-webhook-server-secret + volumeClaimTemplates: [] diff --git a/kustomize/seldon-core-operator/base/seldon-operator-manager-role-clusterrole.yaml b/kustomize/seldon-core-operator/base/seldon-operator-manager-role-clusterrole.yaml new file mode 100644 index 0000000..4063fa8 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-operator-manager-role-clusterrole.yaml @@ -0,0 +1,191 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + helm.sh/chart: seldon-core-operator-0.4.1 + name: seldon-operator-manager-role +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - update + - patch +- apiGroups: + - v1 + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - v1 + resources: + - services/status + verbs: + - get + - update + - patch +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - networking.istio.io + resources: + - virtualservices/status + verbs: + - get + - update + - patch +- apiGroups: + - networking.istio.io + resources: + - destinationrules + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - networking.istio.io + resources: + - destinationrules/status + verbs: + - get + - update + - patch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers/status + verbs: + - get + - update + - patch +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments/status + verbs: + - get + - update + - patch +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments/finalizers + verbs: + - get + - update + - patch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - create + - update + - patch + - delete diff --git a/kustomize/seldon-core-operator/base/seldon-operator-manager-rolebinding-crb.yaml b/kustomize/seldon-core-operator/base/seldon-operator-manager-rolebinding-crb.yaml new file mode 100644 index 0000000..db7ca5d --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-operator-manager-rolebinding-crb.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + helm.sh/chart: seldon-core-operator-0.4.1 + name: seldon-operator-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: seldon-operator-manager-role +subjects: +- kind: ServiceAccount + name: seldon-manager + namespace: kubeflow diff --git a/kustomize/seldon-core-operator/base/seldon-operator-webhook-server-secret-secret.yaml b/kustomize/seldon-core-operator/base/seldon-operator-webhook-server-secret-secret.yaml new file mode 100644 index 0000000..0ef6446 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldon-operator-webhook-server-secret-secret.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: Secret +metadata: + name: seldon-operator-webhook-server-secret + namespace: kubeflow diff --git a/kustomize/seldon-core-operator/base/seldondeployments.machinelearning.seldon.io-crd.yaml b/kustomize/seldon-core-operator/base/seldondeployments.machinelearning.seldon.io-crd.yaml new file mode 100644 index 0000000..3dc2052 --- /dev/null +++ b/kustomize/seldon-core-operator/base/seldondeployments.machinelearning.seldon.io-crd.yaml @@ -0,0 +1,3219 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: seldondeployments.machinelearning.seldon.io +spec: + group: machinelearning.seldon.io + names: + kind: SeldonDeployment + plural: seldondeployments + shortNames: + - sdep + singular: seldondeployment + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + annotations: + type: object + name: + type: string + oauth_key: + type: string + oauth_secret: + type: string + predictors: + items: + properties: + annotations: + type: object + componentSpecs: + items: + properties: + hpaSpec: + properties: + maxReplicas: + format: int32 + type: integer + metrics: + items: + properties: + external: + properties: + metricName: + type: string + metricSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + targetAverageValue: + type: string + targetValue: + type: string + required: + - metricName + type: object + object: + properties: + averageValue: + type: string + metricName: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + target: + properties: + apiVersion: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + targetValue: + type: string + required: + - target + - metricName + - targetValue + type: object + pods: + properties: + metricName: + type: string + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + targetAverageValue: + type: string + required: + - metricName + - targetAverageValue + type: object + resource: + properties: + name: + type: string + targetAverageUtilization: + format: int32 + type: integer + targetAverageValue: + type: string + required: + - name + type: object + type: + type: string + required: + - type + type: object + type: array + minReplicas: + format: int32 + type: integer + type: object + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + clusterName: + type: string + creationTimestamp: + format: date-time + type: string + deletionGracePeriodSeconds: + format: int64 + type: integer + deletionTimestamp: + format: date-time + type: string + finalizers: + items: + type: string + type: array + x-kubernetes-patch-strategy: merge + generateName: + type: string + generation: + format: int64 + type: integer + labels: + additionalProperties: + type: string + type: object + managedFields: + items: + properties: + apiVersion: + type: string + fields: + type: object + manager: + type: string + operation: + type: string + time: + format: date-time + type: string + type: object + type: array + name: + type: string + namespace: + type: string + ownerReferences: + items: + properties: + apiVersion: + type: string + blockOwnerDeletion: + type: boolean + controller: + type: boolean + kind: + type: string + name: + type: string + uid: + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + type: array + x-kubernetes-patch-merge-key: uid + x-kubernetes-patch-strategy: merge + resourceVersion: + type: string + selfLink: + type: string + uid: + type: string + type: object + spec: + properties: + activeDeadlineSeconds: + format: int64 + type: integer + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - weight + - preference + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - weight + - podAffinityTerm + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - weight + - podAffinityTerm + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + type: boolean + containers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + x-kubernetes-patch-merge-key: containerPort + x-kubernetes-patch-strategy: merge + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + type: object + requests: + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + runAsUserName: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - name + - devicePath + type: object + type: array + x-kubernetes-patch-merge-key: devicePath + x-kubernetes-patch-strategy: merge + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - name + - mountPath + type: object + type: array + x-kubernetes-patch-merge-key: mountPath + x-kubernetes-patch-strategy: merge + workingDir: + type: string + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + dnsPolicy: + type: string + enableServiceLinks: + type: boolean + ephemeralContainers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + type: object + requests: + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + runAsUserName: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + targetContainerName: + type: string + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - name + - devicePath + type: object + type: array + x-kubernetes-patch-merge-key: devicePath + x-kubernetes-patch-strategy: merge + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - name + - mountPath + type: object + type: array + x-kubernetes-patch-merge-key: mountPath + x-kubernetes-patch-strategy: merge + workingDir: + type: string + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + ip: + type: string + type: object + type: array + x-kubernetes-patch-merge-key: ip + x-kubernetes-patch-strategy: merge + hostIPC: + type: boolean + hostNetwork: + type: boolean + hostPID: + type: boolean + hostname: + type: string + imagePullSecrets: + items: + properties: + name: + type: string + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + initContainers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + x-kubernetes-patch-merge-key: containerPort + x-kubernetes-patch-strategy: merge + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + type: object + requests: + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + runAsUserName: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - name + - devicePath + type: object + type: array + x-kubernetes-patch-merge-key: devicePath + x-kubernetes-patch-strategy: merge + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - name + - mountPath + type: object + type: array + x-kubernetes-patch-merge-key: mountPath + x-kubernetes-patch-strategy: merge + workingDir: + type: string + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + nodeName: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + overhead: + type: object + preemptionPolicy: + type: string + priority: + format: int32 + type: integer + priorityClassName: + type: string + readinessGates: + items: + properties: + conditionType: + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + type: string + runtimeClassName: + type: string + schedulerName: + type: string + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + runAsUserName: + type: string + type: object + type: object + serviceAccount: + type: string + serviceAccountName: + type: string + shareProcessNamespace: + type: boolean + subdomain: + type: string + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + x-kubernetes-patch-merge-key: key + x-kubernetes-patch-strategy: merge + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + maxSkew: + format: int32 + type: integer + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + x-kubernetes-patch-merge-key: topologyKey + x-kubernetes-patch-strategy: merge + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeID: + type: string + required: + - volumeID + type: object + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + type: string + type: object + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + type: string + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + targetPortal: + type: string + required: + - targetPortal + - iqn + - lun + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - server + - path + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + required: + - sources + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + - image + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - system + - secretRef + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge,retainKeys + required: + - containers + type: object + type: object + type: array + explainer: + properties: + config: + additionalProperties: true + type: object + containerSpec: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + x-kubernetes-patch-merge-key: containerPort + x-kubernetes-patch-strategy: merge + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + format: int-or-string + type: string + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + format: int-or-string + type: string + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + type: object + requests: + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + runAsUserName: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - name + - devicePath + type: object + type: array + x-kubernetes-patch-merge-key: devicePath + x-kubernetes-patch-strategy: merge + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - name + - mountPath + type: object + type: array + x-kubernetes-patch-merge-key: mountPath + x-kubernetes-patch-strategy: merge + workingDir: + type: string + required: + - name + type: object + endpoint: + properties: + service_host: + type: string + service_port: + type: integer + type: + enum: + - REST + - GRPC + type: string + envSecretRefName: + type: string + modelUri: + type: string + serviceAccountName: + type: string + type: + type: string + type: object + graph: + properties: + children: + items: + properties: + children: + items: + properties: + children: + items: {} + type: array + endpoint: + properties: + service_host: + type: string + service_port: + type: integer + type: + enum: + - REST + - GRPC + type: string + envSecretRefName: + type: string + implementation: + enum: + - UNKNOWN_IMPLEMENTATION + - SIMPLE_MODEL + - SIMPLE_ROUTER + - RANDOM_ABTEST + - AVERAGE_COMBINER + - SKLEARN_SERVER + - XGBOOST_SERVER + - TENSORFLOW_SERVER + - MLFLOW_SERVER + type: string + methods: + items: + enum: + - TRANSFORM_INPUT + - TRANSFORM_OUTPUT + - ROUTE + - AGGREGATE + - SEND_FEEDBACK + type: string + type: array + modelUri: + type: string + name: + type: string + serviceAccountName: + type: string + type: + enum: + - UNKNOWN_TYPE + - ROUTER + - COMBINER + - MODEL + - TRANSFORMER + - OUTPUT_TRANSFORMER + type: string + type: array + endpoint: + properties: + service_host: + type: string + service_port: + type: integer + type: + enum: + - REST + - GRPC + type: string + implementation: + enum: + - UNKNOWN_IMPLEMENTATION + - SIMPLE_MODEL + - SIMPLE_ROUTER + - RANDOM_ABTEST + - AVERAGE_COMBINER + - SKLEARN_SERVER + - XGBOOST_SERVER + - TENSORFLOW_SERVER + - MLFLOW_SERVER + type: string + methods: + items: + enum: + - TRANSFORM_INPUT + - TRANSFORM_OUTPUT + - ROUTE + - AGGREGATE + - SEND_FEEDBACK + type: string + type: array + name: + type: string + type: + enum: + - UNKNOWN_TYPE + - ROUTER + - COMBINER + - MODEL + - TRANSFORMER + - OUTPUT_TRANSFORMER + type: string + type: array + endpoint: + properties: + service_host: + type: string + service_port: + type: integer + type: + enum: + - REST + - GRPC + type: string + implementation: + enum: + - UNKNOWN_IMPLEMENTATION + - SIMPLE_MODEL + - SIMPLE_ROUTER + - RANDOM_ABTEST + - AVERAGE_COMBINER + - SKLEARN_SERVER + - XGBOOST_SERVER + - TENSORFLOW_SERVER + - MLFLOW_SERVER + type: string + methods: + items: + enum: + - TRANSFORM_INPUT + - TRANSFORM_OUTPUT + - ROUTE + - AGGREGATE + - SEND_FEEDBACK + type: string + type: array + name: + type: string + type: + enum: + - UNKNOWN_TYPE + - ROUTER + - COMBINER + - MODEL + - TRANSFORMER + - OUTPUT_TRANSFORMER + type: string + labels: + type: object + name: + type: string + replicas: + type: integer + svcOrchSpec: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + required: + - name + type: array + x-kubernetes-patch-merge-key: name + x-kubernetes-patch-strategy: merge + resources: + properties: + limits: + additionalProperties: true + type: object + requests: + additionalProperties: true + type: object + type: object + type: array + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true + - name: v1alpha3 + served: true + storage: false + diff --git a/kustomize/seldon-core-operator/base/webhook-server-service-svc.yaml b/kustomize/seldon-core-operator/base/webhook-server-service-svc.yaml new file mode 100644 index 0000000..653b735 --- /dev/null +++ b/kustomize/seldon-core-operator/base/webhook-server-service-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: seldon-core-operator + app.kubernetes.io/managed-by: Tiller + app.kubernetes.io/name: seldon-core-operator + control-plane: seldon-controller-manager + controller-tools.k8s.io: "1.0" + helm.sh/chart: seldon-core-operator-0.4.1 + name: webhook-server-service + namespace: kubeflow +spec: + ports: + - port: 443 + targetPort: 9876 + selector: + control-plane: seldon-controller-manager diff --git a/kustomize/seldon-core-operator/kustomization.yaml b/kustomize/seldon-core-operator/kustomization.yaml new file mode 100644 index 0000000..da5904f --- /dev/null +++ b/kustomize/seldon-core-operator/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: seldon + app.kubernetes.io/instance: seldon-core-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: seldon-core-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/seldon-core-operator/overlays/application/application.yaml b/kustomize/seldon-core-operator/overlays/application/application.yaml new file mode 100644 index 0000000..34bbd81 --- /dev/null +++ b/kustomize/seldon-core-operator/overlays/application/application.yaml @@ -0,0 +1,32 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: "seldon-core-operator" +spec: + type: "seldon-core-operator" + componentKinds: + - group: apps/v1 + kind: StatefulSet + - group: v1 + kind: Service + - group: apps/v1 + kind: Deployment + - group: v1 + kind: Secret + - group: v1 + kind: ConfigMap + version: "v1alpha2" + description: "Seldon allows users to create ML Inference Graphs to deploy their models and serve predictions" + icons: + maintainers: + - name: Seldon + email: dev@seldon.io + owners: + - name: Seldon + email: dev@seldon.io + keywords: + - "seldon" + - "inference" + links: + - description: Docs + url: "https://docs.seldon.io/projects/seldon-core/en/v0.3.0/" diff --git a/kustomize/seldon-core-operator/overlays/application/kustomization.yaml b/kustomize/seldon-core-operator/overlays/application/kustomization.yaml new file mode 100644 index 0000000..749f4a9 --- /dev/null +++ b/kustomize/seldon-core-operator/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: seldon-core-operator + app.kubernetes.io/instance: seldon-core-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: seldon + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/spark-operator/base/Kube-descriptor.yaml b/kustomize/spark-operator/base/Kube-descriptor.yaml new file mode 100644 index 0000000..19d4000 --- /dev/null +++ b/kustomize/spark-operator/base/Kube-descriptor.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +appVersion: v1beta2-1.0.0-2.4.4 +description: Spark operator based on https://github.com/GoogleCloudPlatform/spark-on-k8s-operator +home: https://github.com/kubeflow/manifests/spark-operator +keywords: +- spark +kubeVersion: '>=1.8.0-0' +maintainers: +- email: holden.karau@gmail.com + name: holdenk +name: sparkoperator +version: 0.4.0 diff --git a/kustomize/spark-operator/base/cr-clusterrole.yaml b/kustomize/spark-operator/base/cr-clusterrole.yaml new file mode 100644 index 0000000..3fe2993 --- /dev/null +++ b/kustomize/spark-operator/base/cr-clusterrole.yaml @@ -0,0 +1,70 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: operator-cr +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - '*' +- apiGroups: + - "" + resources: + - services + - configmaps + - secrets + verbs: + - create + - get + - delete + - update +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses + verbs: + - create + - get + - delete +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - events + verbs: + - create + - update + - patch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - update + - delete +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - create + - get + - update + - delete +- apiGroups: + - sparkoperator.k8s.io + resources: + - sparkapplications + - scheduledsparkapplications + verbs: + - '*' diff --git a/kustomize/spark-operator/base/crb.yaml b/kustomize/spark-operator/base/crb.yaml new file mode 100644 index 0000000..13ff668 --- /dev/null +++ b/kustomize/spark-operator/base/crb.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: sparkoperator-crb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: operator-cr +subjects: +- kind: ServiceAccount + name: operator-sa diff --git a/kustomize/spark-operator/base/crd-cleanup-job.yaml b/kustomize/spark-operator/base/crd-cleanup-job.yaml new file mode 100644 index 0000000..860e662 --- /dev/null +++ b/kustomize/spark-operator/base/crd-cleanup-job.yaml @@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: crd-cleanup + namespace: default +spec: + template: + spec: + containers: + - command: + - /bin/sh + - -c + - 'curl -ik -X DELETE -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + -H "Accept: application/json" -H "Content-Type: application/json" https://kubernetes.default.svc/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/sparkapplications.sparkoperator.k8s.io' + image: gcr.io/spark-operator/spark-operator:v1beta2-1.0.0-2.4.4 + imagePullPolicy: IfNotPresent + name: delete-sparkapp-crd + - command: + - /bin/sh + - -c + - 'curl -ik -X DELETE -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" + -H "Accept: application/json" -H "Content-Type: application/json" https://kubernetes.default.svc/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/scheduledsparkapplications.sparkoperator.k8s.io' + image: gcr.io/spark-operator/spark-operator:v1beta2-1.0.0-2.4.4 + imagePullPolicy: IfNotPresent + name: delete-scheduledsparkapp-crd + restartPolicy: OnFailure + serviceAccountName: operator-sa diff --git a/kustomize/spark-operator/base/deploy.yaml b/kustomize/spark-operator/base/deploy.yaml new file mode 100644 index 0000000..7178a43 --- /dev/null +++ b/kustomize/spark-operator/base/deploy.yaml @@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: sparkoperator +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: sparkoperator + app.kubernetes.io/version: v1beta2-1.0.0-2.4.4 + strategy: + type: Recreate + template: + metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + initializers: + pending: [] + labels: + app.kubernetes.io/name: sparkoperator + app.kubernetes.io/version: v1beta2-1.0.0-2.4.4 + spec: + containers: + - args: + - -v=2 + - -namespace= + - -ingress-url-format= + - -controller-threads=10 + - -resync-interval=30 + - -logtostderr + - -enable-metrics=true + - -metrics-labels=app_type + - -metrics-port=10254 + - -metrics-endpoint=/metrics + - -metrics-prefix= + image: gcr.io/spark-operator/spark-operator:v1beta2-1.0.0-2.4.4 + imagePullPolicy: IfNotPresent + name: sparkoperator + ports: + - containerPort: 10254 + serviceAccountName: operator-sa diff --git a/kustomize/spark-operator/base/kustomization.yaml b/kustomize/spark-operator/base/kustomization.yaml new file mode 100644 index 0000000..2cf67cd --- /dev/null +++ b/kustomize/spark-operator/base/kustomization.yaml @@ -0,0 +1,31 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +# Labels to add to all resources and selectors. +commonLabels: + kustomize.component: spark-operator + app.kubernetes.io/instance: spark-operator + app.kubernetes.io/name: sparkoperator + +# Images modify the tags for images without +# creating patches. +images: +- name: gcr.io/spark-operator/spark-operator + newTag: v1beta2-1.0.0-2.4.4 + +# Value of this field is prepended to the +# names of all resources + newName: gcr.io/spark-operator/spark-operator +namePrefix: spark-operator + +# List of resource files that kustomize reads, modifies +# and emits as a YAML string +resources: +- spark-sa.yaml +- cr-clusterrole.yaml +- crb.yaml +- crd-cleanup-job.yaml +- deploy.yaml +- operator-sa.yaml +- sparkapplications.sparkoperator.k8s.io-crd.yaml +- scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml diff --git a/kustomize/spark-operator/base/operator-sa.yaml b/kustomize/spark-operator/base/operator-sa.yaml new file mode 100644 index 0000000..a0754ee --- /dev/null +++ b/kustomize/spark-operator/base/operator-sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: operator-sa diff --git a/kustomize/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml b/kustomize/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml new file mode 100644 index 0000000..1ad615a --- /dev/null +++ b/kustomize/spark-operator/base/scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml @@ -0,0 +1,2550 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: scheduledsparkapplications.sparkoperator.k8s.io +spec: + group: sparkoperator.k8s.io + names: + kind: ScheduledSparkApplication + listKind: ScheduledSparkApplicationList + plural: scheduledsparkapplications + shortNames: + - scheduledsparkapp + singular: scheduledsparkapplication + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + concurrencyPolicy: + type: string + failedRunHistoryLimit: + format: int32 + type: integer + schedule: + type: string + successfulRunHistoryLimit: + format: int32 + type: integer + suspend: + type: boolean + template: + properties: + arguments: + items: + type: string + type: array + batchScheduler: + type: string + batchSchedulerOptions: + properties: + priorityClassName: + type: string + queue: + type: string + type: object + deps: + properties: + downloadTimeout: + format: int32 + minimum: 1 + type: integer + files: + items: + type: string + type: array + filesDownloadDir: + type: string + jars: + items: + type: string + type: array + jarsDownloadDir: + type: string + maxSimultaneousDownloads: + format: int32 + minimum: 1 + type: integer + pyFiles: + items: + type: string + type: array + type: object + driver: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + podName: + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + type: string + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + serviceAccount: + type: string + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + executor: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + coreRequest: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + instances: + format: int32 + minimum: 1 + type: integer + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + failureRetries: + format: int32 + type: integer + hadoopConf: + additionalProperties: + type: string + type: object + hadoopConfigMap: + type: string + image: + type: string + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + initContainerImage: + type: string + mainApplicationFile: + type: string + mainClass: + type: string + memoryOverheadFactor: + type: string + mode: + enum: + - cluster + - client + type: string + monitoring: + properties: + exposeDriverMetrics: + type: boolean + exposeExecutorMetrics: + type: boolean + metricsProperties: + type: string + prometheus: + properties: + configFile: + type: string + configuration: + type: string + jmxExporterJar: + type: string + port: + format: int32 + maximum: 49151 + minimum: 1024 + type: integer + required: + - jmxExporterJar + type: object + required: + - exposeDriverMetrics + - exposeExecutorMetrics + type: object + nodeSelector: + additionalProperties: + type: string + type: object + pythonVersion: + enum: + - "2" + - "3" + type: string + restartPolicy: + properties: + onFailureRetries: + format: int32 + minimum: 0 + type: integer + onFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + onSubmissionFailureRetries: + format: int32 + minimum: 0 + type: integer + onSubmissionFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + type: + enum: + - Never + - Always + - OnFailure + type: string + type: object + retryInterval: + format: int64 + type: integer + sparkConf: + additionalProperties: + type: string + type: object + sparkConfigMap: + type: string + sparkVersion: + type: string + timeToLiveSeconds: + format: int64 + type: integer + type: + enum: + - Java + - Python + - Scala + - R + type: string + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + type: string + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + required: + - sources + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - driver + - executor + - mainApplicationFile + - sparkVersion + - type + type: object + required: + - schedule + - template + type: object + required: + - metadata + - spec + type: object + version: v1beta2 + versions: + - name: v1beta2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kustomize/spark-operator/base/spark-sa.yaml b/kustomize/spark-operator/base/spark-sa.yaml new file mode 100644 index 0000000..87f28ed --- /dev/null +++ b/kustomize/spark-operator/base/spark-sa.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: spark-sa diff --git a/kustomize/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml b/kustomize/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml new file mode 100644 index 0000000..0fbd52a --- /dev/null +++ b/kustomize/spark-operator/base/sparkapplications.sparkoperator.k8s.io-crd.yaml @@ -0,0 +1,2532 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: sparkapplications.sparkoperator.k8s.io +spec: + group: sparkoperator.k8s.io + names: + kind: SparkApplication + listKind: SparkApplicationList + plural: sparkapplications + shortNames: + - sparkapp + singular: sparkapplication + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + arguments: + items: + type: string + type: array + batchScheduler: + type: string + batchSchedulerOptions: + properties: + priorityClassName: + type: string + queue: + type: string + type: object + deps: + properties: + downloadTimeout: + format: int32 + minimum: 1 + type: integer + files: + items: + type: string + type: array + filesDownloadDir: + type: string + jars: + items: + type: string + type: array + jarsDownloadDir: + type: string + maxSimultaneousDownloads: + format: int32 + minimum: 1 + type: integer + pyFiles: + items: + type: string + type: array + type: object + driver: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + podName: + pattern: '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*' + type: string + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + serviceAccount: + type: string + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + executor: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + configMaps: + items: + properties: + name: + type: string + path: + type: string + required: + - name + - path + type: object + type: array + coreLimit: + type: string + coreRequest: + type: string + cores: + format: int32 + minimum: 1 + type: integer + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + envSecretKeyRefs: + additionalProperties: + properties: + key: + type: string + name: + type: string + required: + - key + - name + type: object + type: object + envVars: + additionalProperties: + type: string + type: object + gpu: + properties: + name: + type: string + quantity: + format: int64 + type: integer + required: + - name + - quantity + type: object + hostNetwork: + type: boolean + image: + type: string + instances: + format: int32 + minimum: 1 + type: integer + javaOptions: + type: string + labels: + additionalProperties: + type: string + type: object + memory: + type: string + memoryOverhead: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + schedulerName: + type: string + secrets: + items: + properties: + name: + type: string + path: + type: string + secretType: + type: string + required: + - name + - path + - secretType + type: object + type: array + securityContext: + properties: + fsGroup: + format: int64 + type: integer + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + type: string + required: + - containerPort + type: object + type: array + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: string + - type: integer + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: string + - type: integer + required: + - port + type: object + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + type: string + type: object + requests: + additionalProperties: + type: string + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + required: + - mountPath + - name + type: object + type: array + type: object + failureRetries: + format: int32 + type: integer + hadoopConf: + additionalProperties: + type: string + type: object + hadoopConfigMap: + type: string + image: + type: string + imagePullPolicy: + type: string + imagePullSecrets: + items: + type: string + type: array + initContainerImage: + type: string + mainApplicationFile: + type: string + mainClass: + type: string + memoryOverheadFactor: + type: string + mode: + enum: + - cluster + - client + type: string + monitoring: + properties: + exposeDriverMetrics: + type: boolean + exposeExecutorMetrics: + type: boolean + metricsProperties: + type: string + prometheus: + properties: + configFile: + type: string + configuration: + type: string + jmxExporterJar: + type: string + port: + format: int32 + maximum: 49151 + minimum: 1024 + type: integer + required: + - jmxExporterJar + type: object + required: + - exposeDriverMetrics + - exposeExecutorMetrics + type: object + nodeSelector: + additionalProperties: + type: string + type: object + pythonVersion: + enum: + - "2" + - "3" + type: string + restartPolicy: + properties: + onFailureRetries: + format: int32 + minimum: 0 + type: integer + onFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + onSubmissionFailureRetries: + format: int32 + minimum: 0 + type: integer + onSubmissionFailureRetryInterval: + format: int64 + minimum: 1 + type: integer + type: + enum: + - Never + - Always + - OnFailure + type: string + type: object + retryInterval: + format: int64 + type: integer + sparkConf: + additionalProperties: + type: string + type: object + sparkConfigMap: + type: string + sparkVersion: + type: string + timeToLiveSeconds: + format: int64 + type: integer + type: + enum: + - Java + - Python + - Scala + - R + type: string + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + type: string + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + type: string + resource: + type: string + required: + - resource + type: object + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + required: + - sources + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - driver + - executor + - mainApplicationFile + - sparkVersion + - type + type: object + required: + - metadata + - spec + type: object + version: v1beta2 + versions: + - name: v1beta2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/kustomize/spark-operator/kustomization.yaml b/kustomize/spark-operator/kustomization.yaml new file mode 100644 index 0000000..c219335 --- /dev/null +++ b/kustomize/spark-operator/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: spark-operator + app.kubernetes.io/instance: spark-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: sparkoperator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/spark-operator/overlays/application/application.yaml b/kustomize/spark-operator/overlays/application/application.yaml new file mode 100644 index 0000000..3c6d8c3 --- /dev/null +++ b/kustomize/spark-operator/overlays/application/application.yaml @@ -0,0 +1,37 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: spark-operator +spec: + selector: + matchLabels: + app.kubernetes.io/name: sparkoperator + app.kubernetes.io/instance: spark-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: sppark-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ConfigMap + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: SparkOperator + descriptor: + type: "spark-operator" + version: "v1" + description: "Spark-operator allows users to create and manage the \"SparkApplication\" custom resource." + maintainers: + - name: Holden Karau + email: holden@pigscanfly.ca + owners: + - name: Holden Karau + email: holden@pigscanfly.ca + keywords: + - "spark" + addOwnerRef: true diff --git a/kustomize/spark-operator/overlays/application/kustomization.yaml b/kustomize/spark-operator/overlays/application/kustomization.yaml new file mode 100644 index 0000000..8830d46 --- /dev/null +++ b/kustomize/spark-operator/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: sparkoperator + app.kubernetes.io/instance: spark-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: spark-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/tensorboard/base/deployment.yaml b/kustomize/tensorboard/base/deployment.yaml new file mode 100644 index 0000000..ebafcbc --- /dev/null +++ b/kustomize/tensorboard/base/deployment.yaml @@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: tensorboard + name: tensorboard +spec: + replicas: 1 + template: + metadata: + labels: + app: tensorboard + spec: + containers: + - args: + - --logdir=logs + - --port=6006 + command: + - /usr/local/bin/tensorboard + image: tensorflow/tensorflow:1.8.0 + imagePullPolicy: IfNotPresent + name: tensorboard + ports: + - containerPort: 6006 + resources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi diff --git a/kustomize/tensorboard/base/kustomization.yaml b/kustomize/tensorboard/base/kustomization.yaml new file mode 100644 index 0000000..3cff0b6 --- /dev/null +++ b/kustomize/tensorboard/base/kustomization.yaml @@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- deployment.yaml +- service.yaml +commonLabels: + kustomize.component: tensorboard +configMapGenerator: +- name: parameters + env: params.env +vars: +- name: namespace + objref: + kind: Service + name: tensorboard + apiVersion: v1 + fieldref: + fieldpath: metadata.namespace +- name: clusterDomain + objref: + kind: ConfigMap + name: parameters + apiVersion: v1 + fieldref: + fieldpath: data.clusterDomain +configurations: +- params.yaml +images: +- name: tensorflow/tensorflow + newName: tensorflow/tensorflow + newTag: 1.8.0 diff --git a/kustomize/tensorboard/base/params.env b/kustomize/tensorboard/base/params.env new file mode 100644 index 0000000..4ba9119 --- /dev/null +++ b/kustomize/tensorboard/base/params.env @@ -0,0 +1,27 @@ +# GCP +# @optionalParam logDir string logs Name of the log directory holding the TF events file +# @optionalParam targetPort number 6006 Name of the targetPort +# @optionalParam servicePort number 9000 Name of the servicePort +# @optionalParam serviceType string ClusterIP The service type for Jupyterhub. +# @optionalParam defaultTbImage string tensorflow/tensorflow:1.8.0 default tensorboard image to use +# @optionalParam gcpCredentialSecretName string null Name of the k8s secrets containing gcp credentials +# AWS +# @optionalParam logDir string logs Name of the log directory holding the TF events file +# @optionalParam targetPort number 6006 Name of the targetPort +# @optionalParam servicePort number 9000 Name of the servicePort +# @optionalParam serviceType string ClusterIP The service type for tensorboard service +# @optionalParam defaultTbImage string tensorflow/tensorflow:1.8.0 default tensorboard image to use +# @optionalParam s3Enabled string false Whether or not to use S3 +# @optionalParam s3SecretName string null Name of the k8s secrets containing S3 credentials +# @optionalParam s3SecretAccesskeyidKeyName string null Name of the key in the k8s secret containing AWS_ACCESS_KEY_ID +# @optionalParam s3SecretSecretaccesskeyKeyName string null Name of the key in the k8s secret containing AWS_SECRET_ACCESS_KEY +# @optionalParam s3AwsRegion string us-west-1 S3 region +# @optionalParam s3UseHttps string true Whether or not to use https +# @optionalParam s3VerifySsl string true Whether or not to verify https certificates for S3 connections +# @optionalParam s3Endpoint string s3.us-west-1.amazonaws.com URL for your s3-compatible endpoint +# @optionalParam efsEnabled string false Whether or not to use EFS +# @optionalParam efsPvcName string null Name of the Persistent Volume Claim used for EFS +# @optionalParam efsVolumeName string null Name of the Volume to mount to the pod +# @optionalParam efsMountPath string null Where to mount the EFS Volume +namespace=kubeflow +clusterDomain=cluster.local diff --git a/kustomize/tensorboard/base/params.yaml b/kustomize/tensorboard/base/params.yaml new file mode 100644 index 0000000..c8de9ba --- /dev/null +++ b/kustomize/tensorboard/base/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: metadata/annotations/getambassador.io\/config + kind: Service diff --git a/kustomize/tensorboard/base/service.yaml b/kustomize/tensorboard/base/service.yaml new file mode 100644 index 0000000..086dd27 --- /dev/null +++ b/kustomize/tensorboard/base/service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + getambassador.io/config: |- + --- + apiVersion: ambassador/v0 + kind: Mapping + name: tb-mapping-tensorboard-get + prefix: /tensorboard/ tensorboard/ + rewrite: / + method: GET + service: tensorboard.$(namespace):9000 + labels: + app: tensorboard + name: tensorboard +spec: + ports: + - name: tb + port: 9000 + targetPort: 6006 + selector: + app: tensorboard + type: ClusterIP diff --git a/kustomize/tensorboard/kustomization.yaml b/kustomize/tensorboard/kustomization.yaml new file mode 100644 index 0000000..b3ca804 --- /dev/null +++ b/kustomize/tensorboard/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +configurations: +- overlays/istio/params.yaml +kind: Kustomization +namespace: kubeflow +resources: +- overlays/istio/virtual-service.yaml diff --git a/kustomize/tensorboard/overlays/istio/kustomization.yaml b/kustomize/tensorboard/overlays/istio/kustomization.yaml new file mode 100644 index 0000000..fcd00db --- /dev/null +++ b/kustomize/tensorboard/overlays/istio/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- virtual-service.yaml +configurations: +- params.yaml diff --git a/kustomize/tensorboard/overlays/istio/params.yaml b/kustomize/tensorboard/overlays/istio/params.yaml new file mode 100644 index 0000000..eea869e --- /dev/null +++ b/kustomize/tensorboard/overlays/istio/params.yaml @@ -0,0 +1,3 @@ +varReference: +- path: spec/http/route/destination/host + kind: VirtualService diff --git a/kustomize/tensorboard/overlays/istio/virtual-service.yaml b/kustomize/tensorboard/overlays/istio/virtual-service.yaml new file mode 100644 index 0000000..b0068b6 --- /dev/null +++ b/kustomize/tensorboard/overlays/istio/virtual-service.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: tensorboard +spec: + gateways: + - kubeflow-gateway + hosts: + - '*' + http: + - match: + - uri: + prefix: /tensorboard/tensorboard/ + rewrite: + uri: / + route: + - destination: + host: tensorboard.$(namespace).svc.$(clusterDomain) + port: + number: 9000 diff --git a/kustomize/tf-job-crds/base/crd.yaml b/kustomize/tf-job-crds/base/crd.yaml new file mode 100644 index 0000000..b693c40 --- /dev/null +++ b/kustomize/tf-job-crds/base/crd.yaml @@ -0,0 +1,47 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: tfjobs.kubeflow.org +spec: + additionalPrinterColumns: + - JSONPath: .status.conditions[-1:].type + name: State + type: string + - JSONPath: .metadata.creationTimestamp + name: Age + type: date + group: kubeflow.org + names: + kind: TFJob + plural: tfjobs + singular: tfjob + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + properties: + spec: + properties: + tfReplicaSpecs: + properties: + Chief: + properties: + replicas: + maximum: 1 + minimum: 1 + type: integer + PS: + properties: + replicas: + minimum: 1 + type: integer + Worker: + properties: + replicas: + minimum: 1 + type: integer + versions: + - name: v1 + served: true + storage: true diff --git a/kustomize/tf-job-crds/base/kustomization.yaml b/kustomize/tf-job-crds/base/kustomization.yaml new file mode 100644 index 0000000..6e120e7 --- /dev/null +++ b/kustomize/tf-job-crds/base/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- crd.yaml diff --git a/kustomize/tf-job-crds/kustomization.yaml b/kustomize/tf-job-crds/kustomization.yaml new file mode 100644 index 0000000..e549ac8 --- /dev/null +++ b/kustomize/tf-job-crds/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/instance: tf-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: tf-job-crds + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/tf-job-crds/overlays/application/application.yaml b/kustomize/tf-job-crds/overlays/application/application.yaml new file mode 100644 index 0000000..fca72d2 --- /dev/null +++ b/kustomize/tf-job-crds/overlays/application/application.yaml @@ -0,0 +1,42 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: tf-job-crds +spec: + selector: + matchLabels: + app.kubernetes.io/name: tf-job-crds + app.kubernetes.io/instance: tf-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: tfjob + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: TFJob + descriptor: + type: "tf-job-crds" + version: "v1" + description: "Tf-job-crds contains the \"TFJob\" custom resource definition." + maintainers: + - name: Richard Liu + email: ricliu@google.com + owners: + - name: Richard Liu + email: ricliu@google.com + keywords: + - "tfjob" + - "tf-operator" + - "tf-training" + links: + - description: About + url: "https://github.com/kubeflow/tf-operator" + - description: Docs + url: "https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/" + addOwnerRef: true diff --git a/kustomize/tf-job-crds/overlays/application/kustomization.yaml b/kustomize/tf-job-crds/overlays/application/kustomization.yaml new file mode 100644 index 0000000..c41f882 --- /dev/null +++ b/kustomize/tf-job-crds/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: tf-job-crds + app.kubernetes.io/instance: tf-job-crds-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: tfjob + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/tf-job-operator/base/cluster-role-binding.yaml b/kustomize/tf-job-operator/base/cluster-role-binding.yaml new file mode 100644 index 0000000..e05aad7 --- /dev/null +++ b/kustomize/tf-job-operator/base/cluster-role-binding.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + labels: + app: tf-job-operator + name: tf-job-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: tf-job-operator +subjects: +- kind: ServiceAccount + name: tf-job-operator diff --git a/kustomize/tf-job-operator/base/cluster-role.yaml b/kustomize/tf-job-operator/base/cluster-role.yaml new file mode 100644 index 0000000..444db13 --- /dev/null +++ b/kustomize/tf-job-operator/base/cluster-role.yaml @@ -0,0 +1,96 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + labels: + app: tf-job-operator + name: tf-job-operator +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + - tfjobs/finalizers + verbs: + - '*' +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - '*' +- apiGroups: + - "" + resources: + - pods + - services + - endpoints + - events + verbs: + - '*' +- apiGroups: + - apps + - extensions + resources: + - deployments + verbs: + - '*' + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-tfjobs-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-tfjobs-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-tfjobs-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - tfjobs + - tfjobs/status + verbs: + - get + - list + - watch diff --git a/kustomize/tf-job-operator/base/deployment.yaml b/kustomize/tf-job-operator/base/deployment.yaml new file mode 100644 index 0000000..69afffa --- /dev/null +++ b/kustomize/tf-job-operator/base/deployment.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: tf-job-operator +spec: + replicas: 1 + template: + metadata: + labels: + name: tf-job-operator + annotations: + sidecar.istio.io/inject: "false" + spec: + containers: + - command: + - /opt/kubeflow/tf-operator.v1 + - --alsologtostderr + - -v=1 + - --monitoring-port=8443 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + image: gcr.io/kubeflow-images-public/tf_operator:kubeflow-tf-operator-postsubmit-v1-5adee6f-6109-a25c + name: tf-job-operator + serviceAccountName: tf-job-operator diff --git a/kustomize/tf-job-operator/base/kustomization.yaml b/kustomize/tf-job-operator/base/kustomization.yaml new file mode 100644 index 0000000..e245cac --- /dev/null +++ b/kustomize/tf-job-operator/base/kustomization.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kubeflow +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- service-account.yaml +- service.yaml +commonLabels: + kustomize.component: tf-job-operator +images: +- name: gcr.io/kubeflow-images-public/tf_operator + newName: gcr.io/kubeflow-images-public/tf_operator + newTag: v0.7.0 diff --git a/kustomize/tf-job-operator/base/params.env b/kustomize/tf-job-operator/base/params.env new file mode 100644 index 0000000..7816643 --- /dev/null +++ b/kustomize/tf-job-operator/base/params.env @@ -0,0 +1 @@ +namespace=kubeflow diff --git a/kustomize/tf-job-operator/base/service-account.yaml b/kustomize/tf-job-operator/base/service-account.yaml new file mode 100644 index 0000000..c7be4e3 --- /dev/null +++ b/kustomize/tf-job-operator/base/service-account.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: tf-job-dashboard + name: tf-job-dashboard +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: tf-job-operator + name: tf-job-operator diff --git a/kustomize/tf-job-operator/base/service.yaml b/kustomize/tf-job-operator/base/service.yaml new file mode 100644 index 0000000..97f92e3 --- /dev/null +++ b/kustomize/tf-job-operator/base/service.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/path: /metrics + prometheus.io/scrape: "true" + prometheus.io/port: "8443" + labels: + app: tf-job-operator + name: tf-job-operator +spec: + ports: + - name: monitoring-port + port: 8443 + targetPort: 8443 + selector: + name: tf-job-operator + type: ClusterIP diff --git a/kustomize/tf-job-operator/kustomization.yaml b/kustomize/tf-job-operator/kustomization.yaml new file mode 100644 index 0000000..a8b934b --- /dev/null +++ b/kustomize/tf-job-operator/kustomization.yaml @@ -0,0 +1,14 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: tfjob + app.kubernetes.io/instance: tf-job-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: tf-job-operator + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +kind: Kustomization +namespace: kubeflow +resources: +- overlays/application/application.yaml diff --git a/kustomize/tf-job-operator/overlays/application/application.yaml b/kustomize/tf-job-operator/overlays/application/application.yaml new file mode 100644 index 0000000..7ca46fb --- /dev/null +++ b/kustomize/tf-job-operator/overlays/application/application.yaml @@ -0,0 +1,42 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: tf-job-operator +spec: + selector: + matchLabels: + app.kubernetes.io/name: tf-job-operator + app.kubernetes.io/instance: tf-job-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: tfjob + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: core + kind: Service + - group: apps + kind: Deployment + - group: core + kind: ServiceAccount + - group: kubeflow.org + kind: TFJob + descriptor: + type: "tf-job-operator" + version: "v1" + description: "Tf-operator allows users to create and manage the \"TFJob\" custom resource." + maintainers: + - name: Richard Liu + email: ricliu@google.com + owners: + - name: Richard Liu + email: ricliu@google.com + keywords: + - "tfjob" + - "tf-operator" + - "tf-training" + links: + - description: About + url: "https://github.com/kubeflow/tf-operator" + - description: Docs + url: "https://www.kubeflow.org/docs/reference/tfjob/v1/tensorflow/" + addOwnerRef: true diff --git a/kustomize/tf-job-operator/overlays/application/kustomization.yaml b/kustomize/tf-job-operator/overlays/application/kustomization.yaml new file mode 100644 index 0000000..414e408 --- /dev/null +++ b/kustomize/tf-job-operator/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: tf-job-operator + app.kubernetes.io/instance: tf-job-operator-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: tfjob + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/webhook/base/cluster-role-binding.yaml b/kustomize/webhook/base/cluster-role-binding.yaml new file mode 100644 index 0000000..f7fe51d --- /dev/null +++ b/kustomize/webhook/base/cluster-role-binding.yaml @@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-role +subjects: +- kind: ServiceAccount + name: service-account diff --git a/kustomize/webhook/base/cluster-role.yaml b/kustomize/webhook/base/cluster-role.yaml new file mode 100644 index 0000000..df74fde --- /dev/null +++ b/kustomize/webhook/base/cluster-role.yaml @@ -0,0 +1,65 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cluster-role +rules: +- apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - watch + - list + - update + - create + - patch + - delete + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-poddefaults-admin + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-poddefaults-edit + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true" +rules: [] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kubeflow-poddefaults-view + labels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-admin: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-poddefaults-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +rules: +- apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - list + - watch diff --git a/kustomize/webhook/base/crd.yaml b/kustomize/webhook/base/crd.yaml new file mode 100644 index 0000000..df2b459 --- /dev/null +++ b/kustomize/webhook/base/crd.yaml @@ -0,0 +1,51 @@ +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + name: poddefaults.kubeflow.org +spec: + group: kubeflow.org + names: + kind: PodDefault + plural: poddefaults + singular: poddefault + scope: Namespaced + version: v1alpha1 + validation: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + desc: + type: string + serviceAccountName: + type: string + env: + items: + type: object + type: array + envFrom: + items: + type: object + type: array + selector: + type: object + volumeMounts: + items: + type: object + type: array + volumes: + items: + type: object + type: array + required: + - selector + type: object + status: + type: object + type: object diff --git a/kustomize/webhook/base/deployment.yaml b/kustomize/webhook/base/deployment.yaml new file mode 100644 index 0000000..fae67ec --- /dev/null +++ b/kustomize/webhook/base/deployment.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - image: gcr.io/kubeflow-images-public/admission-webhook:v20190520-v0-139-gcee39dbc-dirty-0d8f4c + name: admission-webhook + volumeMounts: + - mountPath: /etc/webhook/certs + name: webhook-cert + readOnly: true + volumes: + - name: webhook-cert + secret: + secretName: webhook-certs + serviceAccountName: service-account diff --git a/kustomize/webhook/base/kustomization.yaml b/kustomize/webhook/base/kustomization.yaml new file mode 100644 index 0000000..1be9e2b --- /dev/null +++ b/kustomize/webhook/base/kustomization.yaml @@ -0,0 +1,48 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- cluster-role-binding.yaml +- cluster-role.yaml +- deployment.yaml +- mutating-webhook-configuration.yaml +- service-account.yaml +- service.yaml +- crd.yaml +commonLabels: + app: admission-webhook + kustomize.component: admission-webhook +namePrefix: admission-webhook- +images: +- name: gcr.io/kubeflow-images-public/admission-webhook + newName: gcr.io/kubeflow-images-public/admission-webhook + newTag: vmaster-g6b987df8 +namespace: kubeflow +configMapGenerator: +- env: params.env + name: admission-webhook-parameters +generatorOptions: + disableNameSuffixHash: true +vars: +- fieldref: + fieldPath: data.namespace + name: namespace + objref: + apiVersion: v1 + kind: ConfigMap + name: admission-webhook-parameters +- fieldref: + fieldPath: metadata.name + name: serviceName + objref: + apiVersion: v1 + kind: Service + name: service +- fieldref: + fieldPath: metadata.name + name: deploymentName + objref: + apiVersion: apps/v1 + kind: Deployment + name: deployment +configurations: +- params.yaml diff --git a/kustomize/webhook/base/mutating-webhook-configuration.yaml b/kustomize/webhook/base/mutating-webhook-configuration.yaml new file mode 100644 index 0000000..0893ab8 --- /dev/null +++ b/kustomize/webhook/base/mutating-webhook-configuration.yaml @@ -0,0 +1,21 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration +webhooks: +- clientConfig: + caBundle: "" + service: + name: $(serviceName) + namespace: $(namespace) + path: /apply-poddefault + name: $(deploymentName).kubeflow.org + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods diff --git a/kustomize/webhook/base/params.env b/kustomize/webhook/base/params.env new file mode 100644 index 0000000..7816643 --- /dev/null +++ b/kustomize/webhook/base/params.env @@ -0,0 +1 @@ +namespace=kubeflow diff --git a/kustomize/webhook/base/params.yaml b/kustomize/webhook/base/params.yaml new file mode 100644 index 0000000..444edea --- /dev/null +++ b/kustomize/webhook/base/params.yaml @@ -0,0 +1,7 @@ +varReference: +- path: webhooks/clientConfig/service/namespace + kind: MutatingWebhookConfiguration +- path: webhooks/clientConfig/service/name + kind: MutatingWebhookConfiguration +- path: webhooks/name + kind: MutatingWebhookConfiguration diff --git a/kustomize/webhook/base/service-account.yaml b/kustomize/webhook/base/service-account.yaml new file mode 100644 index 0000000..a36cbd8 --- /dev/null +++ b/kustomize/webhook/base/service-account.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: service-account diff --git a/kustomize/webhook/base/service.yaml b/kustomize/webhook/base/service.yaml new file mode 100644 index 0000000..b772a6a --- /dev/null +++ b/kustomize/webhook/base/service.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Service +metadata: + name: service +spec: + ports: + - port: 443 + targetPort: 443 diff --git a/kustomize/webhook/kustomization.yaml b/kustomize/webhook/kustomization.yaml new file mode 100644 index 0000000..4d90288 --- /dev/null +++ b/kustomize/webhook/kustomization.yaml @@ -0,0 +1,42 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- base +commonLabels: + app.kubernetes.io/component: webhook + app.kubernetes.io/instance: webhook-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/name: webhook + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 +configMapGenerator: +- behavior: merge + env: overlays/cert-manager/params.env + name: admission-webhook-parameters +configurations: +- overlays/cert-manager/params.yaml +generatorOptions: + disableNameSuffixHash: true +kind: Kustomization +namespace: kubeflow +patchesStrategicMerge: +- overlays/cert-manager/mutating-webhook-configuration.yaml +- overlays/cert-manager/deployment.yaml +resources: +- overlays/cert-manager/certificate.yaml +- overlays/application/application.yaml +vars: +- fieldref: + fieldPath: data.issuer + name: issuer + objref: + apiVersion: v1 + kind: ConfigMap + name: admission-webhook-parameters +- fieldref: + fieldPath: metadata.name + name: cert_name + objref: + group: cert-manager.io + kind: Certificate + name: admission-webhook-cert + version: v1alpha2 diff --git a/kustomize/webhook/overlays/application/application.yaml b/kustomize/webhook/overlays/application/application.yaml new file mode 100644 index 0000000..4a90dc5 --- /dev/null +++ b/kustomize/webhook/overlays/application/application.yaml @@ -0,0 +1,38 @@ +apiVersion: app.k8s.io/v1beta1 +kind: Application +metadata: + name: webhook +spec: + selector: + matchLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: webhook-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: bootstrap + app.kubernetes.io/part-of: webhook + app.kubernetes.io/version: v0.7.0 + componentKinds: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + - group: core + kind: ConfigMap + - group: apps + kind: StatefulSet + - group: core + kind: Service + - group: core + kind: ServiceAccount + descriptor: + type: bootstrap + version: v1beta1 + description: injects volume, volume mounts, env vars into PodDefault + maintainers: [] + owners: [] + keywords: + - admission-webhook + - kubeflow + links: + - description: About + url: https://github.com/kubeflow/kubeflow/tree/master/components/admission-webhook + addOwnerRef: true + diff --git a/kustomize/webhook/overlays/application/kustomization.yaml b/kustomize/webhook/overlays/application/kustomization.yaml new file mode 100644 index 0000000..ec0bb41 --- /dev/null +++ b/kustomize/webhook/overlays/application/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../base +resources: +- application.yaml +commonLabels: + app.kubernetes.io/name: webhook + app.kubernetes.io/instance: webhook-v0.7.0 + app.kubernetes.io/managed-by: kfctl + app.kubernetes.io/component: webhook + app.kubernetes.io/part-of: kubeflow + app.kubernetes.io/version: v0.7.0 diff --git a/kustomize/webhook/overlays/cert-manager/certificate.yaml b/kustomize/webhook/overlays/cert-manager/certificate.yaml new file mode 100644 index 0000000..fde317d --- /dev/null +++ b/kustomize/webhook/overlays/cert-manager/certificate.yaml @@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: admission-webhook-cert +spec: + isCA: true + commonName: $(serviceName).$(namespace).svc + dnsNames: + - $(serviceName).$(namespace).svc + - $(serviceName).$(namespace).svc.cluster.local + issuerRef: + kind: ClusterIssuer + name: $(issuer) + secretName: webhook-certs \ No newline at end of file diff --git a/kustomize/webhook/overlays/cert-manager/deployment.yaml b/kustomize/webhook/overlays/cert-manager/deployment.yaml new file mode 100644 index 0000000..af4c7b6 --- /dev/null +++ b/kustomize/webhook/overlays/cert-manager/deployment.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: deployment +spec: + template: + spec: + containers: + - name: admission-webhook + args: + - --tlsCertFile=/etc/webhook/certs/tls.crt + - --tlsKeyFile=/etc/webhook/certs/tls.key diff --git a/kustomize/webhook/overlays/cert-manager/kustomization.yaml b/kustomize/webhook/overlays/cert-manager/kustomization.yaml new file mode 100644 index 0000000..08d5bef --- /dev/null +++ b/kustomize/webhook/overlays/cert-manager/kustomization.yaml @@ -0,0 +1,36 @@ +bases: +- ../../base + +resources: +- certificate.yaml + +patchesStrategicMerge: +- mutating-webhook-configuration.yaml +- deployment.yaml + +configMapGenerator: +- name: admission-webhook-parameters + behavior: merge + env: params.env +generatorOptions: + disableNameSuffixHash: true + +vars: +- name: issuer + objref: + kind: ConfigMap + name: admission-webhook-parameters + apiVersion: v1 + fieldref: + fieldpath: data.issuer +- name: cert_name + objref: + kind: Certificate + group: cert-manager.io + version: v1alpha2 + name: admission-webhook-cert + fieldref: + fieldpath: metadata.name + +configurations: +- params.yaml \ No newline at end of file diff --git a/kustomize/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml b/kustomize/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml new file mode 100644 index 0000000..b5cc96c --- /dev/null +++ b/kustomize/webhook/overlays/cert-manager/mutating-webhook-configuration.yaml @@ -0,0 +1,7 @@ +apiVersion: admissionregistration.k8s.io/v1beta1 +kind: MutatingWebhookConfiguration +metadata: + name: mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: $(namespace)/$(cert_name) + \ No newline at end of file diff --git a/kustomize/webhook/overlays/cert-manager/params.env b/kustomize/webhook/overlays/cert-manager/params.env new file mode 100644 index 0000000..063c6aa --- /dev/null +++ b/kustomize/webhook/overlays/cert-manager/params.env @@ -0,0 +1 @@ +issuer=kubeflow-self-signing-issuer diff --git a/kustomize/webhook/overlays/cert-manager/params.yaml b/kustomize/webhook/overlays/cert-manager/params.yaml new file mode 100644 index 0000000..d082ffe --- /dev/null +++ b/kustomize/webhook/overlays/cert-manager/params.yaml @@ -0,0 +1,9 @@ +varReference: +- path: spec/commonName + kind: Certificate +- path: spec/dnsNames + kind: Certificate +- path: spec/issuerRef/name + kind: Certificate +- path: metadata/annotations + kind: MutatingWebhookConfiguration diff --git a/volvo-kustomize/dev/application-crds/kustomization.yaml b/volvo-kustomize/dev/application-crds/kustomization.yaml new file mode 100644 index 0000000..afae8e4 --- /dev/null +++ b/volvo-kustomize/dev/application-crds/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../../kustomize/application-crds +kind: Kustomization +namespace: kubeflow + + + + diff --git a/volvo-kustomize/dev/application/kustomization.yaml b/volvo-kustomize/dev/application/kustomization.yaml new file mode 100644 index 0000000..2e955e3 --- /dev/null +++ b/volvo-kustomize/dev/application/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../../kustomize/application +kind: Kustomization +namespace: kubeflow +namePrefix: application1 + + + diff --git a/volvo-kustomize/dev/jupyter-web-app/kustomization.yaml b/volvo-kustomize/dev/jupyter-web-app/kustomization.yaml new file mode 100644 index 0000000..3964980 --- /dev/null +++ b/volvo-kustomize/dev/jupyter-web-app/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../../kustomize/jupyter-web-app +kind: Kustomization +namespace: kubeflow +patches: +- overlays/patch/config-map1.yaml + +namePrefix: jupyter1 diff --git a/volvo-kustomize/dev/jupyter-web-app/overlays/patch/config-map1.yaml b/volvo-kustomize/dev/jupyter-web-app/overlays/patch/config-map1.yaml new file mode 100644 index 0000000..c6445bc --- /dev/null +++ b/volvo-kustomize/dev/jupyter-web-app/overlays/patch/config-map1.yaml @@ -0,0 +1,73 @@ +apiVersion: v1 +data: + spawner_ui_config.yaml: | + # Configuration file for the Jupyter UI. + # + # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' + # - The 'value' key contains the default value + # - The 'readOnly' key determines if the option will be available to users + # + # If the 'readOnly' key is present and set to 'true', the respective option + # will be disabled for users and only set by the admin. Also when a + # Notebook is POSTED to the API if a necessary field is not present then + # the value from the config will be used. + # + # If the 'readOnly' key is missing (defaults to 'false'), the respective option + # will be available for users to edit. + # + # Note that some values can be templated. Such values are the names of the + # Volumes as well as their StorageClass + spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-cpu:v-base-ef41372-1177829795472347138 + # The list of available standard container Images + options: + - quay.io/volvocars/jupyter:scipy-notebook + - quay.io/volvocars/jupyter:r-notebook + - gcr.io/kubeflow-images-public/tensorflow-2.0.0a0-notebook-cpu:v0.7.0 + - gcr.io/kubeflow-images-public/tensorflow-2.0.0a0-notebook-gpu:v0.7.0 + # By default, custom container Images are allowed + # Uncomment the following line to only enable standard container Images + # will replace th + # The Size of the Workspace Volume (in Gi) + + # The Path that the Workspace Volume will be mounted + + # The Access Mode of the Workspace Volume + # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' + + # The StrageClass the PVC will use if type is New. Special values are: + # {none}: default StorageClass + # {empty}: empty string "" + + # List of additional Data Volumes to be attached to the use value: [] + # Each Data Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + # + # For example, a list with 2 Data Volumes: + # value: + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-1' + # size: + # value: '10Gi' + # class: + # value: standard + # mountPath: + # value: /home/jovyan/vol-1 + # accessModes: + # value: ReadWriteOnce + # class: + # value: {none} + # - value: + # type: + # value: New + # name: + +kind: ConfigMap +metadata: + name: config diff --git a/volvo-kustomize/dev/kustomization.yaml b/volvo-kustomize/dev/kustomization.yaml new file mode 100644 index 0000000..0db9aba --- /dev/null +++ b/volvo-kustomize/dev/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +# ../../kustomize/api-service/base +#- ../../kustomization.yaml +#- ../../kustomize/application-crds +#- ../../kustomize/argo +#- ../../kustomize/centraldashboard +#- ../../kustomize/cert-manager +#- ../../kustomize/cert-manager-crds +#- ../../kustomize/cert-manager-kube-system-resources +#- ../../kustomize/dex +#- ../../kustomize/istio +#- ../../kustomize/istio-crds +#- ../../kustomize/istio-install +- ./jupyter-web-app +- ../../kustomize/application +# ../../kustomize/minio + +#resources: +#- ../../kustomize/base diff --git a/volvo-kustomize/prod/jupyter-web-app/kustomization.yaml b/volvo-kustomize/prod/jupyter-web-app/kustomization.yaml new file mode 100644 index 0000000..5993c82 --- /dev/null +++ b/volvo-kustomize/prod/jupyter-web-app/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- ../../../kustomize/jupyter-web-app +kind: Kustomization +patches: +- overlays/patch/config-map1.yaml + diff --git a/volvo-kustomize/prod/jupyter-web-app/overlays/patch/config-map1.yaml b/volvo-kustomize/prod/jupyter-web-app/overlays/patch/config-map1.yaml new file mode 100644 index 0000000..c6445bc --- /dev/null +++ b/volvo-kustomize/prod/jupyter-web-app/overlays/patch/config-map1.yaml @@ -0,0 +1,73 @@ +apiVersion: v1 +data: + spawner_ui_config.yaml: | + # Configuration file for the Jupyter UI. + # + # Each Jupyter UI option is configured by two keys: 'value' and 'readOnly' + # - The 'value' key contains the default value + # - The 'readOnly' key determines if the option will be available to users + # + # If the 'readOnly' key is present and set to 'true', the respective option + # will be disabled for users and only set by the admin. Also when a + # Notebook is POSTED to the API if a necessary field is not present then + # the value from the config will be used. + # + # If the 'readOnly' key is missing (defaults to 'false'), the respective option + # will be available for users to edit. + # + # Note that some values can be templated. Such values are the names of the + # Volumes as well as their StorageClass + spawnerFormDefaults: + image: + # The container Image for the user's Jupyter Notebook + # If readonly, this value must be a member of the list below + value: gcr.io/kubeflow-images-public/tensorflow-1.14.0-notebook-cpu:v-base-ef41372-1177829795472347138 + # The list of available standard container Images + options: + - quay.io/volvocars/jupyter:scipy-notebook + - quay.io/volvocars/jupyter:r-notebook + - gcr.io/kubeflow-images-public/tensorflow-2.0.0a0-notebook-cpu:v0.7.0 + - gcr.io/kubeflow-images-public/tensorflow-2.0.0a0-notebook-gpu:v0.7.0 + # By default, custom container Images are allowed + # Uncomment the following line to only enable standard container Images + # will replace th + # The Size of the Workspace Volume (in Gi) + + # The Path that the Workspace Volume will be mounted + + # The Access Mode of the Workspace Volume + # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' + + # The StrageClass the PVC will use if type is New. Special values are: + # {none}: default StorageClass + # {empty}: empty string "" + + # List of additional Data Volumes to be attached to the use value: [] + # Each Data Volume is declared with the following attributes: + # Type, Name, Size, MountPath and Access Mode + # + # For example, a list with 2 Data Volumes: + # value: + # - value: + # type: + # value: New + # name: + # value: '{notebook-name}-vol-1' + # size: + # value: '10Gi' + # class: + # value: standard + # mountPath: + # value: /home/jovyan/vol-1 + # accessModes: + # value: ReadWriteOnce + # class: + # value: {none} + # - value: + # type: + # value: New + # name: + +kind: ConfigMap +metadata: + name: config diff --git a/volvo-kustomize/prod/kustomization.yaml b/volvo-kustomize/prod/kustomization.yaml new file mode 100644 index 0000000..08fb4f9 --- /dev/null +++ b/volvo-kustomize/prod/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +bases: +- jupyter-web-app/ +kind: Kustomization + +